摘要
针对软件定义网络(SDN)网络控制器流规则篡改攻击等单点脆弱性威胁,传统安全解决方案如备份、容错机制等存在被动防御缺陷,无法从根本上解决控制层安全问题。结合目前移动目标防御、网络空间拟态防御等主动防御技术研究现状,提出一种基于异构冗余结构的动态安全调度机制。建立控制器执行体与调度体调度模型,根据系统攻击异常、异构度等指标,以安全性为原则设计动态调度策略;同时考虑系统负载因素,通过设计调度算法LASSA将调度问题转化为动态双目标优化问题,以实现优化的调度方案。仿真结果表明,对比静态结构,动态调度机制在累积异常值、输出安全率等指标上有明显优势,说明安全调度机制中的动态性与多样性能够显著提高系统抵御攻击能力,LA-SSA机制负载方差较安全优先调度更平稳,在实现安全调度的同时避免了负载失衡问题,验证了安全调度机制的有效性。
Concerning the flow rule tampering attacks and other single point vulnerability threats towards Software Defined Network (SDN) controller, traditional security solutions such as backup and fault-tolerant mechanisms which are based on passive defense defects, cannot fundamentally solve the control layer security issues. Combined with the current moving target defense and cyberspace mimic defense, a dynamic security scheduling mechanism based on heterogeneous redundant structure was proposed. A controller scheduling model was established in which the dynamic scheduling strategy was designed based on security principle combined with attack exception and heterogeneity. By considering the system load, the scheduling problem was transformed into a dynamic two-objective optimization problem by LA-SSA ( Load-Aware Security Scheduling Algorithm) to achieve an optimal scheduling scheme. Simulation results show that compared with static structure, the dynamic scheduling mechanism has obvious advantages in cumulative number of exceptions and output safety rate, and the dynamic and diversity in the security scheduling mechanism can significantly improve the system's ability to resist attacks. The load variance of LA-SSA is more stable than that of safety priority scheduling, and the security imbalance is avoided, and the effectiveness of the security scheduling mechanism is verified.
出处
《计算机应用》
CSCD
北大核心
2017年第11期3304-3310,共7页
journal of Computer Applications
基金
国家自然科学基金资助项目(61572520
61521003)
上海市科研计划项目(14DZ1104800)~~
关键词
单点脆弱性
主动防御技术
动态调度机制
安全策略
负载感知
single point vulnerability
active defense technology
dynamic scheduling mechanism
security strategy
load-awareness
