ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2018, Vol. 55 ›› Issue (10): 2256-2268.doi: 10.7544/issn1000-1239.2018.20180447

所属专题: 2018分布式安全与区块链技术研究专题

• 信息安全 • 上一篇    下一篇

面向SDN的脆弱性扩散形式化建模与扩散因素分析

王健1,赵国生2,赵中楠1,李可1   

  1. 1(哈尔滨理工大学计算机科学与技术学院 哈尔滨 150080);2(哈尔滨师范大学计算机科学与信息工程学院 哈尔滨 150025) (wangjianlydia@163.com)
  • 出版日期: 2018-10-01
  • 基金资助: 
    国家自然科学基金项目(61403109, 61202458);高等学校博士学科点专项科研基金项目(20112303120007);黑龙江省自然科学基金项目(F2017021);黑龙江省教育厅科研基金项目(12541169);哈尔滨市科技创新人才研究专项资金项目(2016RAQXJ036)

Formal Modeling and Factor Analysis for Vulnerability Propagation Oriented to SDN

Wang Jian1, Zhao Guosheng2, Zhao Zhongnan1, Li Ke1   

  1. 1(College of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150080);2(College of Computer Science and Information Engineering, Harbin Normal University, Harbin 150025)
  • Online: 2018-10-01

摘要: SDN将传统网络控制面与转发面解耦,在实施集中化管控的同时引入诸多新的安全和管理问题.脆弱点类型在SDN各层及南北向接口存在差异性,且传播趋势不同.针对脆弱性在SDN层内及层间的扩散效果及抑制策略问题,提出了一种基于Bio-PEPA的SDN脆弱性扩散形式化模型.1)对Bio-PEPA基础语义进行讨论,阐明其适用于具有明显分层架构的SDN及具有动态性的脆弱性扩散过程;2)探讨SDN中各层存在的脆弱性问题,并对SDN中存在的脆弱性以层为单位进行建模,通过对SDN层内及层间脆弱性扩散过程构建形式化模型,进而分析SDN内脆弱性在水平(层内)及垂直(层间)2个维度内的扩散机理,从而更好地抑制脆弱性在SDN内的扩散;3)通过仿真实验得出可以通过降低连接转化率、提升检测转化率及修复转化率来有效抑制SDN的脆弱性扩散.

关键词: 软件定义网络, Bio-PEPA, 形式化建模, 脆弱性扩散, 抑制策略

Abstract: Software defined network (SDN) is one of the most popular network technologies nowadays. SDN decouples the traditional control plane from the forwarding plane, resulting in many new security and management issues while performing centralized control. Meanwhile, the types of vulnerabilities are diverse in each layer and north-south trending interfaces of SDN, and the spread trend is quite different. Aiming at the effect of vulnerability propagation in/between layers of SDN as well as its suppression strategy, a formal model of vulnerability propagation for SDN based on Bio-PEPA is proposed in this paper. First of all, the basic syntax of Bio-PEPA is discussed, and its applicability to SDN with obvious hierarchical structure and the vulnerability propagation process with dynamic characteristic is illustrated. Then, the vulnerabilities existing in each layer of SDN are explored and modeled in terms of layers. Besides, by constructing a formal model for the process of vulnerability propagation in/between layers of SDN, the mechanism of vulnerability propagation is analyzed in two levels, horizontal (in layers) and vertical (between layers). In this way, the vulnerability propagation of SDN can be better suppressed. Finally, the simulation results show that the vulnerability propagation of SDN can be effectively retained by reducing the connection conversion rate, improving the detection conversion rate and repairing conversion rate. Our works provide a reference for the law of vulnerability propagation of SDN, so as to improve the security of SDN.

Key words: software defined network (SDN), Bio-PEPA, formal modeling, vulnerability propagation, suppression strategy

中图分类号: