Journal article

Software-Defined Security Architecture for SDN Environments (original title: 面向SDN环境的软件定义安全架构; cited by 28)

SDN Oriented Software-Defined Security Architecture
Abstract: The OpenFlow protocol has no deep packet inspection capability, which limits its use in security applications, and existing security solutions have not kept pace with the development of software-defined networking (SDN). This paper proposes a distributed software-defined security architecture (SDSA) that decouples security functions from the SDN controller into a dedicated security controller and security apps, providing detection and protection at both the global flow level and the local packet level to resist the various attacks found in SDN and virtualized environments. A global view and a knowledge base support fast and accurate decisions. Separating security data from security control both greatly simplifies the processing logic of security devices and gives the security controller a flexible control plane that pushes policies to devices in real time and steers traffic dynamically, so the whole protective response is much faster. Experiments show that SDSA effectively defends against DoS attacks, port scanning, abnormally high traffic and similar attacks.

Abstract (authors' English version): Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software-defined networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from the SDN controller to a dedicated security controller and security APPs, providing both flow-level and packet-level protection against various attacks in SDN and virtual environments. The architecture maintains a global view and knowledge of flows, IaaS assets and devices, which supports accurate decisions and ensures that devices execute security rules instantly. It greatly simplifies security device logic by separating the security data and control planes; detection and protection are automated with standardized control messages, making the security reaction fast. The experiments demonstrate that SDSA can detect DoS attacks, port scans and abnormally high traffic at low cost and with little overhead.
Source: Journal of Frontiers of Computer Science and Technology (《计算机科学与探索》; CSCD, Peking University core journal), 2015, No. 1, pp. 63-70 (8 pages)
Funding: National Science and Technology Major Project, Nos. 2012ZX03002011-003 and 2012ZX03002002-003
Keywords: software-defined security; cloud computing; network virtualization
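The flow-level detect-and-push loop the abstract describes (global flow statistics in, security rules pushed to devices or traffic steered to a security device out), as an added example that is not code from the paper or its authors. It assumes flow statistics arrive as plain records shaped like OpenFlow flow-stats entries (src, dst, dport, packets, bytes); the thresholds, the sample traffic and the security-device name `sec-dev-1` are constructed for illustration and are not taken from the paper.

```python
"""Flow-level detection with policy generation in the style of the SDSA abstract.

Added example (not the paper's code). Assumptions: flow statistics are plain dicts
shaped like OpenFlow flow-stats entries; the thresholds, sample traffic and the
security device name "sec-dev-1" are illustrative, not taken from the paper.
"""
from collections import defaultdict
from statistics import median

# Constructed flow-stats snapshot (not captured traffic):
#  - 10.0.0.9 probes 25 ports on 10.0.0.20 with single-packet flows (port scan)
#  - ten hosts in 10.0.1.0/24 hammer 10.0.0.30:80 (distributed DoS)
#  - 10.0.0.5 moves 700 MB to 10.0.0.40:443 (abnormally high traffic)
#  - two ordinary flows as background
SAMPLE_FLOWS = (
    [{"src": "10.0.0.9", "dst": "10.0.0.20", "dport": p, "packets": 1, "bytes": 60}
     for p in range(20, 45)]
    + [{"src": f"10.0.1.{i}", "dst": "10.0.0.30", "dport": 80, "packets": 2000, "bytes": 120_000}
       for i in range(1, 11)]
    + [{"src": "10.0.0.5", "dst": "10.0.0.40", "dport": 443, "packets": 500_000, "bytes": 700_000_000},
       {"src": "10.0.0.6", "dst": "10.0.0.40", "dport": 443, "packets": 300, "bytes": 200_000},
       {"src": "10.0.0.7", "dst": "10.0.0.41", "dport": 22, "packets": 120, "bytes": 30_000}]
)


def detect_port_scan(flows, min_targets=15, max_packets=3):
    """Sources that touch many distinct (dst, dport) pairs using only tiny flows."""
    probes = defaultdict(set)
    for f in flows:
        if f["packets"] <= max_packets:
            probes[f["src"]].add((f["dst"], f["dport"]))
    return {src for src, targets in probes.items() if len(targets) >= min_targets}


def detect_dos(flows, min_sources=8):
    """(dst, dport) pairs on which many distinct sources converge."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f["dst"], f["dport"])].add(f["src"])
    return {key for key, srcs in sources.items() if len(srcs) >= min_sources}


def detect_abnormal_volume(flows, factor=50):
    """Sources whose byte total exceeds `factor` times the median per-source total."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    if not totals:
        return set()
    baseline = median(totals.values())
    return {src for src, b in totals.items() if b > factor * baseline}


def build_rules(flows):
    """Translate detections into control messages for forwarding and security devices.

    Scanners are dropped at the edge; DoS victims and bulk senders are steered to a
    security device for packet-level inspection ("redirect" stands in for the paper's
    dynamic traffic steering). Higher priority wins when matches overlap.
    """
    rules = []
    for src in sorted(detect_port_scan(flows)):
        rules.append({"match": {"nw_src": src}, "action": "drop", "priority": 300})
    for dst, dport in sorted(detect_dos(flows)):
        rules.append({"match": {"nw_dst": dst, "tp_dst": dport},
                      "action": "redirect:sec-dev-1", "priority": 200})
    for src in sorted(detect_abnormal_volume(flows)):
        rules.append({"match": {"nw_src": src},
                      "action": "redirect:sec-dev-1", "priority": 100})
    return rules


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_FLOWS):
        print(rule)
```

The three detectors only need the counters a switch already reports, which is the point of the architecture's flow-level tier: the security controller decides from aggregate statistics and pushes a rule, and only the traffic it cannot classify from counters (here the DoS victim and the bulk sender) is steered to a security device for packet-level inspection. In a real deployment the median baseline should be learned per tenant and time window rather than computed from one snapshot, or a single large transfer will skew it.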