
Blockchain-based data frame security verification mechanism in software defined network

Cited by: 6
Abstract: Forged and tampered data frames should be identified and filtered out to ensure network security and efficiency. However, in the Software Defined Network (SDN), the existing schemes usually fail to work when verification devices are attacked or maliciously controlled. To solve this problem, a blockchain-based data frame security verification mechanism was proposed. Firstly, a Proof of Frame Forwarding (PoFF) consensus algorithm was designed and used to build a lightweight blockchain system. Then, an efficient security verifying scheme for SDN data frames was built on the basis of this blockchain system. Finally, a flexible semi-random verifying scheme was presented to balance the verification efficiency and the resource cost. Simulation results show that, compared with the hash chain based verifying scheme, the proposed scheme decreases the missed detection rate significantly when an equal proportion of switches are maliciously controlled. Specifically, when the proportion is 40%, the decrease is especially pronounced: the missed detection rate can still be kept no more than 32% in the basic verification mode, and can be further reduced to 7% with the assistance of the semi-random verifying scheme. Both are much lower than the missed detection rate of 72% in the hash chain based verifying scheme, and the resource overhead and communication cost introduced by the proposed mechanism are within a reasonable range. Additionally, the proposed scheme can still maintain good verification performance and efficiency even when the SDN controller is completely unable to work.
Authors: CHEN Hexiong; LUO Yuwei; WEI Yunkai; GUO Wei; HANG Feilu; MAO Zhengxiong; ZHANG Zhenhong; HE Yingjun; LUO Zhenyu; XIE Linjiang; YANG Ning (Information Center, Yunnan Power Grid Company Limited, Kunming Yunnan 650011, China; Yangtze Delta Region Institute (Quzhou), University of Electronic Science and Technology of China, Quzhou Zhejiang 324003, China; School of Information and Communication Engineering, University of Electronic Science and Technology of China, Chengdu Sichuan 611731, China)
Source: Journal of Computer Applications (《计算机应用》), CSCD, Peking University Core Journal, 2022, No. 10, pp. 3074-3083 (10 pages)
Funding: National Natural Science Foundation of China (61620106011); Yunnan Power Grid Science and Technology Projects (YNKJXM20200168, YNKJXM20200172, YNKJXM20200169); Quzhou Science and Technology Special Project (2021D013).
Keywords: Software Defined Network (SDN); blockchain; security verification; consensus algorithm; digital signature