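Research on an SDN Control Layer Security Mechanism Based on Mimic Defense
Authors: DING Shaohu, LI Junfei, JI Xinsheng
Affiliation: National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China
Funding: This work was supported by the National Cyberspace Security Special Project (No.2017YFB0803204); the Innovative Research Groups project of the National Natural Science Foundation of China (No.61521003); and National Natural Science Foundation of China projects (No.61802429, No.61872382, No.61702547, No.61502530).
Abstract: The centralized management and control of Software-Defined Networking (SDN) brings innovation and convenience to the network, but the master controller is granted extensive management privileges. Relying solely on its own internal defense techniques, it is hard to ensure that the master controller never behaves abnormally and never uses its dictatorial power to harm the entire network. This paper proposes an SDN control layer security mechanism based on mimic defense: in a diversified, democratic supervision mode, multiple heterogeneous, equivalent controllers process data layer requests simultaneously, and their flow entries are compared to detect whether the master controller behaves maliciously. The paper focuses on how to compare the flow entries of multiple heterogeneous controllers at the semantic level, so as to resolve their syntactic differences. The mechanism does not depend on prior knowledge of malicious behavior; experimental results verify that it detects malicious behavior effectively and performs well.

Keywords: software-defined networking; controller; mimic defense; network security; supervision
Received: 2018/2/20 0:00:00
Revised: 2019/2/26 0:00:00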

Research on SDN Control Layer Security Based on Mimic Defense
Authors: DING Shaohu, LI Junfei and JI Xinsheng
Affiliation: National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China
Abstract: Software-Defined Networking (SDN) brings innovation and convenience to the network through centralized management. However, the master controller is given sufficient management authority, and relying solely on its own internal defense technology makes it hard to ensure that no anomaly occurs, leaving the entire network under threat. We propose an SDN control layer security mechanism based on mimic defense. In a diversified democratic supervision mode, multiple heterogeneous equivalent controllers simultaneously process data layer requests, and malicious behavior by the master controller is detected by comparing their flow entries. We focus on how to compare the flow entries of multiple heterogeneous controllers at the semantic level in order to resolve their syntactic differences. The security mechanism does not rely on prior knowledge of malicious behavior. The experimental results verify that it is effective at detecting malicious behavior and has good performance.
Keywords: software-defined networking; controller; mimic defense; security; supervision
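
The comparison step the abstract describes, sketched as an added illustration that is not code from the paper: flow entries from several controllers are reduced to a canonical semantic form and the master is checked against a strict majority. The controller names, entry layout, field aliases, the choice to compare only match and actions, and the majority rule are all assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Assumed aliases: spellings heterogeneous controllers may use for one match field.
ALIASES = {"dl_type": "eth_type", "nw_src": "ipv4_src", "nw_dst": "ipv4_dst"}

def canon_value(field, value):
    """Map syntactically different spellings of one value to a single form."""
    if field in ("ipv4_src", "ipv4_dst"):
        # "10.0.0.2" and "10.0.0.2/32" denote the same match.
        return str(ipaddress.ip_network(str(value), strict=False))
    if field == "eth_type" and isinstance(value, str):
        return int(value, 0)  # "0x800" becomes 2048
    return value

def canonical(entry):
    """Semantic form of an entry: unordered match set, ordered action list."""
    match = frozenset(
        (ALIASES.get(f, f), canon_value(ALIASES.get(f, f), v))
        for f, v in entry["match"].items())
    actions = tuple(a.lower().replace("=", ":") for a in entry["actions"])
    return match, actions

def supervise(master, entries):
    """Vote over canonical forms and report whether the master is outvoted."""
    forms = {name: canonical(e) for name, e in entries.items()}
    winner, votes = Counter(forms.values()).most_common(1)[0]
    if votes * 2 <= len(forms):  # no strict majority: cannot judge anyone
        return "no_majority", sorted(forms)
    dissent = sorted(n for n, f in forms.items() if f != winner)
    return ("master_deviates" if master in dissent else "consistent"), dissent

# Constructed sample: one forwarding decision written three different ways.
HONEST = {
    "ctrl_a": {"match": {"eth_type": 0x0800, "ipv4_dst": "10.0.0.2"},
               "actions": ["output:2"]},
    "ctrl_b": {"match": {"dl_type": "0x800", "nw_dst": "10.0.0.2/32"},
               "actions": ["OUTPUT=2"]},
    "ctrl_c": {"match": {"ipv4_dst": "10.0.0.2/32", "eth_type": 2048},
               "actions": ["output:2"]},
}
# Constructed deviation: the master's entry carries an action the others lack.
TAMPERED = dict(HONEST, ctrl_a={"match": {"eth_type": 2048, "ipv4_dst": "10.0.0.2"},
                                "actions": ["output:2", "output:9"]})

if __name__ == "__main__":
    print(supervise("ctrl_a", HONEST))
    print(supervise("ctrl_a", TAMPERED))
```

A purely syntactic comparison of the three entries in `HONEST` would flag all of them as different; only the canonical forms agree.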