摘要:
SDN将传统网络控制面与转发面解耦,在实施集中化管控的同时引入诸多新的安全和管理问题.脆弱点类型在SDN各层及南北向接口存在差异性,且传播趋势不同.针对脆弱性在SDN层内及层间的扩散效果及抑制策略问题,提出了一种基于Bio-PEPA的SDN脆弱性扩散形式化模型.1)对Bio-PEPA基础语义进行讨论,阐明其适用于具有明显分层架构的SDN及具有动态性的脆弱性扩散过程;2)探讨SDN中各层存在的脆弱性问题,并对SDN中存在的脆弱性以层为单位进行建模,通过对SDN层内及层间脆弱性扩散过程构建形式化模型,进而分析SDN内脆弱性在水平(层内)及垂直(层间)2个维度内的扩散机理,从而更好地抑制脆弱性在SDN内的扩散;3)通过仿真实验得出可以通过降低连接转化率、提升检测转化率及修复转化率来有效抑制SDN的脆弱性扩散.
Abstract:
Software defined network (SDN) is one of the most popular network technologies nowadays. SDN decouples the traditional control plane from the forwarding plane, resulting in many new security and management issues while performing centralized control. Meanwhile, the types of vulnerabilities are diverse in each layer and north-south trending interfaces of SDN, and the spread trend is quite different. Aiming at the effect of vulnerability propagation in/between layers of SDN as well as its suppression strategy, a formal model of vulnerability propagation for SDN based on Bio-PEPA is proposed in this paper. First of all, the basic syntax of Bio-PEPA is discussed, and its applicability to SDN with obvious hierarchical structure and the vulnerability propagation process with dynamic characteristic is illustrated. Then, the vulnerabilities existing in each layer of SDN are explored and modeled in terms of layers. Besides, by constructing a formal model for the process of vulnerability propagation in/between layers of SDN, the mechanism of vulnerability propagation is analyzed in two levels, horizontal (in layers) and vertical (between layers). In this way, the vulnerability propagation of SDN can be better suppressed. Finally, the simulation results show that the vulnerability propagation of SDN can be effectively retained by reducing the connection conversion rate, improving the detection conversion rate and repairing conversion rate. Our works provide a reference for the law of vulnerability propagation of SDN, so as to improve the security of SDN.
百度学术
下载:
