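Journal of Information Security Research (信息安全研究), 2020, Vol. 6, Issue 3: 202-211.
Huang Yingqi (黄颖祺)¹, Lu Geng (卢赓)¹, Zhang Hongbin (张宏斌)¹, Du Yu (杜宇)², Li Jian (李剑)²
Received: 2020-03-02
Online: 2020-03-10
Published: 2020-03-02
Corresponding author: Huang Yingqi
About the authors:
Huang Yingqi
Senior engineer. Main research interests: information security and power grid automation technology.
hz36@yeah.net
Lu Geng
Engineer. Main research interests: information security and substation automation systems.
Zhang Hongbin
Senior engineer. Main research interests: information security and power grid automation technology.
Du Yu
Master's student. Main research interests: information security and artificial intelligence.
duyu@bupt.edu.cn
Li Jian
Professor and doctoral supervisor. Main research interests: information security, quantum cryptography and artificial intelligence.
lijian@bupt.edu.cn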
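Abstract: In recent years, software-defined networking (SDN) has been a focus of research. SDN may replace traditional networks and become the next-generation network architecture, because its programmability and scalability bring new opportunities for network management. This paper comprehensively analyzes the security risks of SDN, examines in depth the security problems inherent in SDN itself, and proposes corresponding countermeasures and recommendations. It discusses the characteristics and standards of SDN and, on that basis, starting from the three layers of the SDN paradigm, namely the data forwarding layer, the control layer and the application layer, analyzes in detail the security threats and countermeasures at each layer, and introduces countermeasure techniques that can be used to prevent, mitigate or resolve such attacks.
Cite as: Huang Yingqi, Lu Geng, Zhang Hongbin, Du Yu, Li Jian. Research on security problems and countermeasures of software-defined networking[J]. Journal of Information Security Research, 2020, 6(3): 202-211.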