Similar literature
1.
《信息技术》 (Information Technology), 2017, (1): 63-66
Software-defined networking (SDN) is a new network architecture whose defining feature is the separation of forwarding and control, which allows the controller software to be customized. Centralized control by the controller is one of SDN's advantages, but this same property makes SDN a natural target for distributed denial-of-service (DDoS) attacks, which can easily disable the network management function. This paper proposes an entropy-based DDoS attack detection algorithm that exploits the controller's centralized control to process packet information efficiently, computes entropy values to detect DDoS attacks, and raises an alarm. Experiments show that the method achieves high accuracy.

2.
Black hole attacks and selective forwarding attacks are the main attack methods threatening the security of clustered wireless sensor network routing protocols. A centralized intrusion detection system based on preset rules is proposed: behavior rules for the network under both attack conditions are preset, and once a cluster head detects an intruding node by sending and receiving control packets and finds that network behavior deviates from the preset rules, it decides that the network is under a particular attack. The intrusion detection system is evaluated with the network simulator NS2. Simulation results show that, in wireless sensor network scenarios where node energy is constrained, the centralized intrusion detection system has superior security performance and energy-saving characteristics.

3.
Hierarchical multi-center SDN controller deployment   Total citations: 1, self-citations: 0, citations by others: 1
Software-defined networking (SDN) achieves network flexibility and openness by separating forwarding from control and centralizing the control plane. Controller deployment is the foundation and prerequisite for running an SDN deployment. For the controller placement problem in hierarchical multi-center SDN, this paper uses a multilevel k-way partitioning method to divide a large-scale SDN network into regions, transforming traditional direct multi-controller placement into region partitioning plus intra-region controller placement, while reducing the number of inter-region cut edges of the graph partition to lower the number of cross-domain SDN flows and thus improve flow-table construction efficiency. Experiments verify that, compared with other traditional methods, the proposed hierarchical multi-center controller placement method effectively reduces network communication cost and flow-table construction cost.

4.
Research on a coordinated network intrusion prevention system   Total citations: 1, self-citations: 0, citations by others: 1
To address the limitations of any single technique in network security defense, a coordinated defense system is proposed in which a firewall, an intrusion detection system (Snort), and a honeypot jointly counter network intrusions. The coordinated system adds a linkage plugin to the intrusion detection system, extends the firewall with the ability to dynamically add redirection rules, and sets up a honeypot host to monitor attacks, achieving close interaction among the three. The system's structure, workflow, and coordination scheme are described, and attack experiments are conducted; the results show that the coordinated defense system can resist large-scale worm attacks in real time.

5.
Abstract: Software-defined networking (SDN) is a new and innovative network architecture that separates the control plane from the forwarding plane, making network management more flexible. Building on SDN's idea of separating control from forwarding, a centralized security center is introduced on top of SDN; it collects data on data-plane devices to analyze network traffic and identifies anomalous traffic behavior through entropy computation and classification algorithms. For detected network anomalies, the security center notifies the security handling module on the SDN controller through its interface to the controller, which issues flow-table policies to mitigate the anomalous behavior. The system can quickly detect anomalous behavior in the network without affecting SDN controller performance, restrict malicious attacking users through flow-table policies issued by the SDN, and at the same time protect the SDN controller.

6.
A network security defense system based on multi-layer detection   Total citations: 2, self-citations: 0, citations by others: 2
A multi-layer network security defense system is proposed that uses multi-layer detection: at the IP layer it applies an aggregate-based congestion control algorithm (ABCC), minimizing collateral damage by limiting the width of the congestion signal; then at the TCP and UDP layers it applies AIPT, a detection technique based on the human immune principle, which builds a rule set and matches network access activity against the rules in the set to detect network intrusions. Simulation results show that a system based on this model not only reasonably mitigates DoS/DDoS attacks but also solves the problems of high false positive and false negative rates, poor real-time performance, and heavy manual intervention found in existing defense systems.

7.
A cooperative model for defending against DDoS attacks based on client reputation   Total citations: 2, self-citations: 0, citations by others: 2
A cooperative defense model against DDoS attacks based on client reputation (CDDACR, cooperation defense DDoS attack based on client reputation) is proposed to detect and defend against DDoS attacks. Logically the model consists of two detection agents: an RDA (router detection agent) on the router side and an SDA (server detection agent) on the server side. The RDA performs coarse-grained detection on user data flows, aiming to filter malicious flows with obvious DDoS attack characteristics; the SDA performs fine-grained detection on user data flows, detecting and filtering malicious cunning attacks and low-volume attacks. The RDA and SDA work together to monitor network conditions in real time. Experimental results show that the CDDACR model can identify and defend against DDoS attacks in real time and effectively prevents the possibility of the server being attacked when anomalies occur.

8.
Traditional host-based defenses cannot cope with the impact of distributed denial-of-service (DDoS) attacks on an entire autonomous system. A dual-filter parallel network scrubbing scheme, an autonomous-system-based adaptive probabilistic packet marking scheme, and a unicast reverse path forwarding policy based on source address verification are proposed, together forming a border-gateway-based DDoS attack defense architecture that improves the efficiency of packet marking and simplifies defense deployment. Experiments verify the effectiveness of the defense architecture.

9.
The emergence of multi-controller architectures solves the scalability problem, in large-scale network environments, of the classic software-defined networking (SDN) architecture, whose control layer is dominated by a single centralized controller. In a multi-controller architecture, since the task of generating forwarding rules and populating them into switches is delegated to the controllers, network performance depends largely on controller placement. Aiming to reduce total latency and balance load among controllers, this paper proposes a subnet-partitioning-based multi-controller ...

10.
栾忠洋. 《信息技术》 (Information Technology), 2007, 31(12): 151-154
To address the deficiencies of firewalls and intrusion detection techniques in network security defense, an integrated intrusion prevention system is proposed. By adding a coordinated-response plugin to the intrusion detection system and extending the firewall with the ability to dynamically add filtering rules, the system tightly integrates the two. The system's structure, workflow, and the concrete implementation of the integration strategy are described in detail, and attack experiments are presented. Experimental results show that the defense system resists large-scale worm attacks in real time.

11.
To address problems in software-defined networking (SDN) such as the fixed and limited set of OpenFlow match fields and the lack of an effective forwarding verification mechanism for data flows, this paper proposes a packet forwarding verification mechanism for software-defined networks based on data-plane programmability. By adding a custom cryptographic identifier to packets, P4 forwarding devices are added to an OpenFlow-based software-defined network, enabling precise control and sampling of network service flows without affecting normal forwarding. The controller verifies the integrity of the sampled service packets and, for anomalous packets, issues flow rules to the OpenFlow forwarding devices to control the forwarding of anomalous flows such as maliciously tampered or forged ones. Finally, a forwarding verification prototype is built with P4 forwarding devices based on the open-source BMv2 and OpenFlow forwarding devices based on Open vSwitch, and experiments are run on a simulated network. Experimental results show that the mechanism effectively detects forwarding anomalies such as tampering and forgery of service packets and, compared with similar verification mechanisms, achieves finer-grained precise control and sampling of service flows and lower forwarding latency while keeping the security verification overhead unchanged.

12.
In software-defined networking (SDN), the TCP SYN flooding attack is considered one of the most effective attacks for saturating the control plane and the target server. In this attack, an attacker generates a large number of malicious SYN requests, and because of the absence of forwarding rules, the data plane switches have to forward these SYN messages to the controller. This excessive forwarding causes congestion on the communication channel between the data plane and the control plane, and it also exhausts computational resources on both planes. In this paper, we propose a novel countermeasure called SYN-Guard to detect and prevent SYN flooding in SDN networks. We fully implement SYN-Guard on the SDN controller to validate incoming TCP connection requests. The controller installs forwarding rules for the SYN requests that successfully pass the SYN-Guard validation test. The host of a fake SYN request is detected, and SYN-Guard prevents it from sending any further SYN requests to the data plane switch. The performance evaluation, done using simulation results, shows that SYN-Guard exhibits low side effects for genuine TCP requests, and when compared with standard SDN and state-of-the-art proposals, it reduces the average response time by up to 21% during an ongoing SYN flooding attack.

13.
To address the lack of a secure and efficient data-origin verification mechanism in software-defined networking (SDN), this paper proposes a packet forwarding verification mechanism based on cryptographic identifiers. First, a packet forwarding verification model based on cryptographic identifiers is established, in which the cryptographic identifier serves as the pass for an IP packet entering and leaving the network. Second, an SDN batch anonymous authentication protocol is designed that delegates the SDN controller's verification function to the SDN switches, which perform user identity verification and cryptographic identifier verification and quickly filter illegal packets such as forged or tampered ones; this improves the efficiency of unified authentication and management at the SDN controller and also provides conditional privacy protection for users. A cryptographic-identifier-based scheme for sampled packet verification at arbitrary nodes is proposed, in which no attacker can bypass packet inspection by inferring the sampling, ensuring packet authenticity while reducing processing latency. Finally, security analysis and performance evaluation are carried out. The results show that the mechanism can quickly detect packet forgery and tampering and resist ID analysis attacks, while introducing about 9.6% forwarding latency and less than 10% communication overhead.

14.
In software-defined networking (SDN), the controller relies on the information collected from the data plane for route planning, load balancing, and other functions. Statistics information is the most important kind of information among them, so the correctness of statistics information is the key to the proper operation of the network. Most current research on the data plane focuses on policy consistency, rule redundancy, forwarding anomalies, and so on, and little attention is paid to whether the statistics information uploaded by the switches to the controller is correct. However, incorrect statistics information inevitably leads the controller to make wrong decisions. Therefore, this paper proposes an audit-based malicious information correction mechanism to address the problem of wrong statistics information uploaded by the switches. This mechanism audits the statistics information and locates malicious switches before the statistics information is uploaded to the controller. It identifies and corrects statistics information errors by combining flow paths with the statistics information. We have performed simulations on Nsfnet, Abilene, and Fat-Tree, and the results show that our method can correct about 70% of the statistics information errors at a low computational cost. To the best of our knowledge, this paper is the first malicious statistics information correction scheme for wildcard rules.

15.
Aiming at the problems of low detection accuracy for low-rate DDoS attacks in cloud SDN networks and the lack of a unified framework for detecting and defending against low-rate DDoS attacks on the data plane and control plane, a unified framework for low-rate DDoS attack detection was proposed. First, the validity of low-rate DDoS attacks on the data plane was analyzed; then, combining the communication and frequency characteristics of low-rate DDoS attacks, ten-dimensional features covering five aspects (mean value, maximum value, deviation degree, average deviation, and survival time) were extracted to achieve low-rate DDoS attack detection based on Bayesian networks, after which the controller issued the relevant policies to block the attack flows. Finally, in an OpenStack cloud environment, the detection rate of low-rate DDoS attacks reaches 99.3% and the CPU occupation rate is 9.04%. The framework can effectively detect and defend against low-rate DDoS attacks.

16.
熊兵, 左明科, 黎维, 王进. 《电子学报》 (Acta Electronica Sinica), 2019, 47(10): 2040-2049
Software-Defined Networking (SDN), an innovative network architecture that decouples data forwarding from control logic and opens up low-level programming interfaces, offers a new way to reduce the deployment and operating costs of core networks and improve application service performance. However, under the SDN architecture the logically centralized control plane is prone to performance bottlenecks, which increase packet forwarding latency, so it is necessary to understand its packet forwarding performance characteristics. To this end, this paper first introduces typical deployment scenarios of software-defined core networks, analyzes the Packet-in message arrival process on the control plane and the packet arrival process on the data plane, and then applies M/M/n/m and M/M/1/m queueing models to characterize the Packet-in message processing of the controller cluster and the packet processing of OpenFlow switches, respectively. On this basis, a priority queueing model for OpenFlow packet forwarding is established, from which the packet forwarding latency of each priority level and its cumulative distribution function (CDF) are derived. Finally, an experimental evaluation using the controller performance measurement tool OFsuite_Performance shows that, compared with existing models, the proposed M/M/n/m model estimates the actual performance of the controller cluster more accurately. Numerical analysis is also used to compare the packet forwarding latency and CDF curves of different priority levels under various conditions, providing an effective reference for the practical deployment of software-defined core networks.

17.
Software Defined Networking (SDN) has emerged recently as a new network architecture. It implements both the control and management planes at a centralized controller and the data plane at the forwarding devices. Therefore, SDN helps to simplify network management and improves network programmability. Changes in network policy occur frequently by making modifications at the controller. However, in existing approaches, the rules installed at the switches before a policy change at the controller are not modified. This can cause packets to violate the network policy. To address this problem, this paper presents a new approach that stores the rules generated at the controller. After detecting a change in policy, the proposed approach finds the rules that will be affected by the policy change by examining the stored rules at the controller. Then the affected rules are removed from the forwarding devices. Simulation results reveal that our proposed approach provides a lower packet violation ratio and normalized traffic overhead compared with the existing approach. Therefore, the proposed approach increases network performance and efficiency.

18.
刘艺, 张红旗, 杨英杰. 《电子学报》 (Acta Electronica Sinica), 2017, 45(7): 1637-1645
To address problems such as transient forwarding loops, routing black holes, and access control policy violations that arise in OpenFlow networks during state transitions, a consistent rule update scheme based on heuristic scheduling is proposed. First, a predicate-based update decomposition algorithm is designed that uses parallel network property verification to obtain a sub-update dependency graph. Second, a task graph generation algorithm is used to partition the sub-update dependency graph, reducing the complexity of update scheduling. Then a heuristic update scheduling algorithm is designed that alternates rule insertion and deletion operations to reduce switch rule storage overhead, and a mechanism for concurrent execution of update enforcement and monitoring is established to improve update efficiency. Simulation experiments verify the effectiveness of the scheme in terms of both update time overhead and switch rule storage overhead during the update process.

19.
Aiming at the problems of high packet processing delay and high overhead caused by IP hopping, an active defense gateway system with a multi-layer network deployment structure was designed and implemented based on the Data Plane Development Kit (DPDK). Firstly, based on the DPDK fast forwarding framework, the forwarding and processing performance of the system were optimized. Secondly, for the dynamic random mapping gateway with three different types of IP addresses, an efficient IP address allocation algorithm and an unpredictable IP address conversion algorithm were designed. The experimental results show that the designed system can effectively reduce the rate of information acquisition by sniffing attacks while greatly improving the processing delay caused by dynamic hopping.

20.
Security issues of spectrum sensing have drawn a lot of attention in Cognitive radio networks (CRNs). Malicious users can mislead the network into making wrong decisions about the states of channels by tampering with spectrum sensing data. To defend against the Spectrum sensing data falsification (SSDF) attack, we propose a neighbor detection-based spectrum sensing algorithm in distributed CRNs, which can detect attackers with the help of neighbors during spectrum sensing to improve the accuracy of decision making. The proposed scheme can also guarantee the connectivity of the network. Simulation results illustrate that the proposed scheme can defend against SSDF attacks effectively and reach a unified view of the spectrum sensing data.
