Edge-Cloud Synergy Information Security Protection Method for Industrial Control System Based on SDN under DDoS Attack

Abstract

Abstract: Software-defined network (SDN) is a new type of network architecture, which is characterized by the separation of control and forwarding and supports programmatic control of the network. The combination of SDN and industrial control systems provides new ideas for solving the information security problems of industrial control systems, while also making DDoS attacks a major security threat to industrial control system networks. As a converted DDoS attack, overload attack uses the vulnerability of limited load in SDN controllers and switches to pose a threat to the entire SDN network. At the same time, due to the continuous growth of SDN network service demand and the diversity of network applications, the scale of SDN network is gradually changing from the initial single-controller network to the multi-controller network. Facing the increasingly complex network scale, it is difficult to effectively defend the attacks when resources on the edge are limited. Therefore, this article uses the resource advantage of cloud computing, based on SDN network, combined with port and address hopping and load balancing algorithms, and proposes an edge-cloud synergy information security protection method for industrial control system to effectively defend against DDoS attacks.

Key words: DDoS attacks, software-defined network, edge-cloud synergy, industrial control system, information security

摘要： 软件定义网络(SDN)是一种新型网络架构，其特点是控制与转发分离并支持通过编程的方式对网络进行控制。SDN与工业控制系统的结合为解决工业控制系统信息安全问题提供了新的思路的同时也使得DDoS攻击成为工业控制系统网络的主要安全威胁。过载攻击作为一种转换的DDoS攻击，利用SDN控制器及交换机中负载受限这一漏洞，对整个SDN网络造成威胁。与此同时，由于SDN网络业务需求量的不断增长和网络应用的多样性，SDN网络规模正在由初期的单一控制器网络逐步向多控制器网络转变。面对日益复杂的网络规模，在边缘端资源受限的情况下难以进行有效防御。针对上述问题，利用云端资源优势，基于SDN网络，并结合端址跳变和负载均衡算法提出一种工业控制系统边云协同信息安全防护方法，有效防御DDoS攻击。

关键词: DDoS攻击, 软件定义网络, 边云协同, 工业控制系统, 信息安全

叶鑫豪周纯杰朱美潘杨健晖. DDoS攻击下基于SDN的工业控制系统边云协同信息安全防护方法[J]. 信息安全研究, 2021, 7(9): 861-870.

References

[1] 陈政熙, 张家鹏. 工业控制系统安全运维模式研究[J]. 自动化仪表, 2020, 41(05):98-102+106
[2] 郭栋, 尹作重, 任建勋, 等. 工业控制系统安全性防护方法研究[J]. 制造业自动化, 2020, 42(05):115-117
[3] 李怡萌, 王茜, 王春梅, 等. 基于智能终端单元的分布式配电网静态安全分析[J]. 计算机与数字工程, 2017, 45(10):1940-1944
[4] Coffey K, Smith R, Maglaras L, et al. Vulnerability analysis of network scanning on SCADA systems[J]. Security & Communication Networks, 2018, 4:1-21
[5] Zhang Y, Wang L, Xiang Y. Power system reliability analysis with intrusion tolerance in SCADA systems[J]. IEEE Transactions on Smart Grid, 2016, 7(2):669-683
[6] Mohiuddin M, Saab W, Bliudze S, et al. Axo: Detection and recovery for delay and crash faults in real-time control systems[J]. IEEE Transactions on Industrial Informatics, 2018, 14(7):3065-3075
[7] Colbaugh R, Glass K. Proactive defense for evolving cyber threats[C]//Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics. IEEE, 2011: 125-130
[8] 许光泞. 工业控制系统安全防护体系研究[J]. 石油化工自动化, 2020, 056(003):1-6
[9] 石永杰, 于慧超, 吕峰, 等. 工业控制系统网络安全的主动防御技术研究与实践[J]. 信息技术与网络安全, 2020, 39(04):13-18
[10] 彭光彬, 陈敏, 白勇. SDN攻防技术探析[J]. 信息安全研究, 2019, 5(04):333-339
[11] 王鹃, 王江, 焦虹阳, 等. 一种基于OpenFlow的SDN访问控制策略实时冲突检测与解决方法[J]. 计算机学报, 2015, 38(4):872-883
[12] BRAGA R, MOTA E, PASSITO A. Lightweight DDoS flooding attack detection using NOX/OpenFlow[J]. 2010 IEEE 35th Conference on Local Computer Networks (LCN), 2010: 408-415
[13] Cohen R, Lewin-Eytan L, Naor J S, et al. On the effect of forwarding table size on SDN network utilization[C]//IEEE INFOCOM 2014-IEEE conference on computer communications. IEEE, 2014: 1734-1742
[14] 陈佳. 基于知识图谱的DDoS攻击源检测研究[J]. 信息安全研究, 2020, 6(01):91-96
[15] Chin T, Mountrouidou X, Li X, et al. Selective packet inspection to detect DoS flooding using software defined networking (SDN)[C]//2015 IEEE 35th international conference on distributed computing systems workshops. IEEE, 2015: 95-99
[16] 杨志, 韩俐. SDN环境下基于目的IP地址熵的DDoS攻击检测与易损机制研究[J]. 天津理工大学学报, 2020(4):39-44
[17] 王晓瑞. SDN中DDoS攻击检测与流表过载防御技术研究[D]. 河南:郑州大学, 2017
[18] 吴桦, 陈廷政. SDN环境中基于端址跳变的DDoS防御方法[J].网络空间安全, 2020,11(08):17-22
[19] Li J, Yu L. Using BP nerual networks for the simulation of energy consumption[C]// IEEE International Conference on Systems, Man and Cybernetics. IEEE, 2014:3542-3547
[20] 孙妍姑. SDN下基于人工智能算法的DDoS攻击检测研究[J]. 淮南师范学院学报, 2019, 021(005):135-138
[21] Song P, Liu Y, Liu T, et al. Flow Stealer: lightweight load balancing by stealing flows in distributed SDN controllers[J]. Science China Information Sciences, 2017, 60(3):1-16
[22] 陈思, 吴秋新, 张铭坤, 等. 基于边云协同的智能工控系统入侵检测技术[J]. 计算机应用与软件, 2020, 37(11):280-285+333