Similar literature
 Found 20 similar documents; search took 15 ms
1.
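A two-level elephant-flow identification method   Total citations: 3 (self-citations: 0, citations by others: 3)
Identifying elephant flows with high accuracy and low overhead is of great significance for solving the controller single-point-of-failure problem in SDN traffic management. To address the high identification overhead of existing elephant-flow identification methods, a two-level elephant-flow identification method is proposed. In the first stage, the method uses a suspicious elephant-flow identification algorithm based on the TCP send queue; in the second stage, it uses a real elephant-flow identification algorithm based on flow duration. The first stage identifies suspicious elephant flows in the end systems, which reduces the number of network flows the SDN controller must monitor during second-stage identification of real elephant flows. Experimental analysis shows that, while maintaining high elephant-flow identification accuracy, the two-level method reduces controller identification overhead by about 85% compared with sampling-based elephant-flow identification.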

2.
In order to address the multi-commodity flow problem for traffic scheduling in software-defined networking, a method based on segment routing was proposed. The proposed method pre-computed sets of candidate paths and attributes of these paths for all source-target nodes, and set the requirements of attributes of candidate paths that should be met combined with various demands and constraints of flows, then generated sets of candidate paths for flows. In the proposed scheme, multi-commodity flow model in software-defined networking was simplified based on sets of candidate paths for flows, the difficulty of solving was reduced, the centralized control by the controller and the autonomous control by nodes were supported, the scalability of controller was improved. In addition, how to meet the energy-saving needs of the network was proposed, i.e., reducing the number of links that could participate in flow forwarding. The performance evaluation results indicate that the proposed method can meet various demands and constraints of flows, improve network performance, and reduce the computational load of solving the problem of traffic scheduling.

3.
Software‐defined networking is a promising networking paradigm for achieving programmability and centralized control in communication networks. These features simplify network management and enable innovation in network applications and services such as routing, virtual machine migration, load balancing, security, access control, and traffic engineering. The routing application can be optimized for power efficiency by routing flows and coalescing them such that the least number of links is activated with the lowest link rates. However, in practice, flow coalescing can generally overflow the flow tables, which are implemented in a size‐limited and power‐hungry ternary content addressable memory (TCAM). In this paper, a set of practical constraints is imposed on the software‐defined networking routing problem, namely, size‐limited flow table and discrete link rate constraints, to ensure applicability in real networks. Because the problem is NP‐hard and difficult to approximate, a low‐complexity particle swarm optimization–based and power‐efficient routing (PSOPR) heuristic is proposed. Performance evaluation results revealed that PSOPR achieves more than 90% of the optimal network power consumption while requiring only 0.0045% to 0.9% of the optimal computation time in real‐network topologies. In addition, PSOPR generates shorter routes than the optimal routes generated by CPLEX.

4.
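Protocol-oblivious forwarding supports parsing and processing of arbitrary protocols, enhancing the programmability of software-defined networking. To improve forwarding performance, this paper proposes a flow-caching method for protocol-oblivious forwarding switches; by identifying the dependencies between matches and actions, it obtains the absolute positions of the match fields and uses them to pre-parse packets. To ensure the acceleration effect of the flow cache, the flow tables to which flow caching is applied are selected according to match type and number of table entries. In addition, the paper compares the forwarding-performance gains of single-flow-table caching and multi-flow-table caching, and proposes an adaptive switching strategy based on actual network traffic conditions. The proposed method is implemented by extending POFSwitch and validated with real rules and backbone traffic; with flow caching applied, the switch's packet forwarding rate increased by 220%. Flow caching can provide higher forwarding performance for programmable data planes.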

5.
Distributed denial‐of‐service (DDoS) attacks are common threats in many networks, where attackers attempt to make victim servers unavailable to other users by flooding them with worthless requests. These attacks cannot be easily stopped by firewalls, since they forge lots of connections to victims with various IP addresses. The paper aims to exploit the software‐defined networking (SDN) technique to defend against DDoS attacks. However, the controller has to handle lots of connections launched by DDoS attacks, which burdens it with a heavy load and degrades SDN's performance. Therefore, the paper proposes an efficient and low‐cost DDoS defense (ELD) mechanism for SDN. It adopts a nested reverse‐exponential data storage scheme to help the controller efficiently record the information of packets in the limited memory. Once there are many packets with high IP variability sent to a certain server and this situation lasts for a while, then a DDoS attack is likely happening. In this case, the controller asks switches to block malicious connections by installing flow rules. Experimental results verify that the ELD mechanism rapidly recognizes protocol‐based DDoS attacks and stops them in time, including TCP SYN flood, UDP flood, and ICMP flood, and also greatly reduces the overhead for the controller to defend against attacks. Moreover, ELD can distinguish DDoS flows from legitimate ones with similar features such as elephant flows and impulse flows, thereby eliminating false alarms.

6.
Volume of the Internet traffic has increased significantly in recent years. Service providers (SPs) are now striving to make resource management and considering dynamically changing large volume of network traffic. In this context, software defined networking (SDN) has been alluring the attention of SPs, as it provides virtualization, programmability, ease of management, and so on. Yet severe scalability issues are one of the key challenges of the SDN due to its centralized architecture. First of all, SDN controller may become the bottleneck as the number of flows and switches increase. It is because routing and admission control decisions are made per flow basis by the controller. Second, there is a signaling overhead between the controller and switches since the controller makes decisions on behalf of them. In line with the aforementioned explanations, this paper proposes an SDN‐based scalable routing and resource management model (SRRM) for SPs. The proposed model is twofold. SRRM performs routing, admission control, and signaling operations (RASOs) in a scalable manner. Additionally, resource management has also been accomplished to increase link use. To achieve high degree of scalability and resource use, pre‐established paths (PEPs) between each edge node in the domain are provided. The proposed controller performs RASOs based on PEPs. The controller also balances the load of PEPs and adjusts their path capacities dynamically to increase resource use. Experimental results show that SRRM can successfully perform RASOs in a scalable way and also increase link use even under heavy traffic loads.

7.
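Zhang Xiaoguo, Ding Wei. Acta Electronica Sinica, 2017, 45(6): 1396
To improve network flow identification performance, this paper proposes a TCP flow identification algorithm. The algorithm builds a bidirectional flow automaton from the interaction between the two communicating parties under the Transmission Control Protocol (TCP); the automaton determines TCP flow termination from the TCP protocol rules and the current state of the flow, while a rule-based filtering mechanism and a timeout strategy serve as auxiliary measures to quickly identify single-packet flows and abnormally interrupted flows. The algorithm's memory overhead and its combined computation and memory overhead are both lower than those of the classic Fixed Timeout strategy (FT) and of the representative comparable algorithm Two-level Self-Adaptive Timeout (TSAT); its accuracy is higher than that of TSAT and only slightly below the default accuracy standard. Because the algorithm identifies TCP flows from protocol rules, it both ensures flow accuracy and saves flow timeout waiting time; it is especially suitable when medium flows, small flows and irregular TCP flows make up a large share of traffic, so that the identification system keeps operating normally in the face of network anomalies such as DDoS attacks and worm outbreaks.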

8.
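Hierarchical multi-center SDN controller deployment   Total citations: 1 (self-citations: 0, citations by others: 1)
Software-defined networking (SDN) separates forwarding from control and achieves network flexibility and openness through centralization of the control plane. Controller deployment is the foundation and prerequisite for deploying and operating SDN. For the controller deployment problem in hierarchical multi-center SDN, this paper uses a multilevel k-way partitioning method to divide a large-scale SDN network into regions, transforming traditional direct deployment of multiple SDN controllers into region partitioning plus intra-domain controller deployment; at the same time, it reduces the number of inter-domain cut edges in the graph partition to lower the number of SDN cross-domain flows and thereby improve flow-table construction efficiency. Experiments verify that, compared with other traditional methods, the proposed hierarchical multi-center controller deployment method effectively reduces network communication cost and flow-table construction cost.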

9.
Software-defined networking (SDN) is being widely adopted by enterprise networks, whereas providing security features in these next generation networks is a challenge. In this article, we present the main security threats in software-defined networking and we propose AuthFlow, an authentication and access control mechanism based on host credentials. The main contributions of our proposal are threefold: (i) a host authentication mechanism just above the MAC layer in an OpenFlow network, which guarantees a low overhead and ensures a fine-grained access control; (ii) a credential-based authentication to perform an access control according to the privilege level of each host, through mapping the host credentials to the set of flows that belongs to the host; (iii) a new framework for control applications, enabling software-defined network controllers to use the host identity as a new flow field to define forwarding rules. A prototype of the proposed mechanism was implemented on top of POX controller. The results show that AuthFlow denies the access of hosts either without valid credentials or with revoked authorization. Finally, we show that our scheme allows, for each host, different levels of access to network resources according to its credential.

10.
In order to address the global optimization problem for traffic scheduling in named data networking, related works were analyzed, a method based on centralized control was proposed. The proposed method took network performance and communication overhead into account. In the proposed scheme, appropriate nodes would be selected as E-NDN nodes, then the controller calculated the corresponding multi-path forwarding policies and sent them to E-NDN nodes according to the in-network cache, the aggregation of Interest packets, and the traffic demands of popular contents to achieve global optimization. The evaluation results indicate that the proposed method can significantly reduce the maximum link utilization and improve network performance. Simultaneously, the proposed method will not cause a large optimization cost, and communication overhead between the controller and nodes will increase slightly.

11.
Zhao Xinhui, Wang Qingxian, Wu Zehui, Guo Rui. Wireless Personal Communications, 2021, 117(4): 3431-3447

In order to avoid the overflow problem of network flow table caused by hackers attacking the network in the process of using the network, a method for overflow attack defense of SDN network flow table based on stochastic differential equation is proposed. In this method, the stochastic differential equation is first proposed, and the drift coefficient and diffusion coefficient of the equation are expanded and adjusted by Taylor. By using the limit theorem, the spillover attack of SDN network is weakly converged to an approximate two-dimensional Markov diffusion process, and the improved stochastic differential equation is obtained. Then, according to the stochastic nature of SDN network attack, the stochastic differential equation is transformed into an amplitude equation, which is based on the amplitude. The equation establishes a SDN attack detection scheme based on flow table statistics, which detects the spillover attacks of SDN network flow tables. Finally, according to the test results, it is proposed to use other switches instead of network flow table overflow switches to control the data upload rate, thus reducing the possibility of network crash and meeting the attack defense requirements of flow table overflow. The simulation results show that the proposed method has better detection performance and shorter running time, and can provide help for network security related work.

12.
After studying the routing and forwarding process of network stream and the implementation of SDN, we propose a retractable management model for flow table. A structure with parallel tables and synthesis processing is proposed according to the feature of SDN and traditional network. The parallel tables share the same storage resources. Thanks to the separation of data plane and control plane, control plane owns more computing resources than traditional device. It evaluates the role of nodes and the action of network flows, makes adjustment according to the historical and current information and streamlines flow tables by consolidating and simplifying old flow entries. Through simulation, it is proved that the realized method can defend offensive traffic while ensuring the safety of accessing and forwarding, especially existing blocking attack.

13.
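Huang Jianyang, Lan Julong, Hu Yuxiang, Ma Teng. Acta Electronica Sinica, 2018, 46(6): 1488-1495
To address the poor load-balancing effectiveness and difficult path deployment of multipath traffic scheduling in traditional networks, a Segment Routing based Multipath Flow Transmission (SRMFT) mechanism is designed that exploits the centralized-control advantage of software-defined networking. First, an SRMFT optimization model is established with the goal of coordinated optimal scheduling of data flows. Second, segment routing and a simplest segment identifier sequence (Segment IDentify sequence, SIDs) generation algorithm are used to transform the multipath flow scheduling problem into the problem of selecting the simplest SIDs, and a flow scheduling algorithm is designed to solve it. Finally, experimental results show that, under the same network traffic model and compared with typical multipath flow transmission mechanisms, SRMFT effectively increases the bisection bandwidth of the network, reduces the transmission delay of short flows, and has low flow-table storage overhead.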

14.
Software‐defined networking (SDN) facilitates network programmability through a central controller. It dynamically modifies the network configuration to adapt to the changes in the network. In SDN, the controller updates the network configuration through flow updates, ie, installing the flow rules in network devices. However, during the network update, improper scheduling of flow updates can lead to a number of problems including overflowing of the switch flow table memory and the link bandwidth. Another challenge is minimizing the network update completion time during large‐network updates triggered by events such as traffic engineering path updates. The existing centralized approaches do not search the solution space for flow update schedules with optimal completion time. We proposed a hybrid genetic algorithm‐based flow update scheduling method (the GA‐Flow Scheduler). By searching the solution space, the GA‐Flow Scheduler attempts to minimize the completion time of the network update without overflowing the flow table memory of the switches and the link bandwidth. It can be used in combination with other existing flow scheduling methods to improve the network performance and reduce the flow update completion time. In this paper, the GA‐Flow Scheduler is combined with a stand‐alone method called the three‐step method. Through large‐scale experiments, we show that the proposed hybrid approach could reduce the network update time and packet loss. It is concluded that the proposed GA‐Flow Scheduler provides improved performance over the stand‐alone three‐step method. Also, it handles the above‐mentioned network update problems in SDN.

15.
Network failures are common on the Internet, and with mission-critical services widely applied, there grows demand for the Internet to maintain the performance in possibilities of failures. However, the border gateway protocol (BGP) cannot react quickly to be recovered from them, which leads to unreliable packet delivery degrading the end-to-end performance. Although many solutions were proposed to address the problem, there exist limitations. The authors designed a software defined autonomous system (AS)-level fast rerouting (SD-FRR) to efficiently recover from interdomain link failures in the administrative domain. The approach leverages the principle of software defined networking (SDN) to achieve the centralized control of the entire network. By considering routing policies and BGP decision rules, an algorithm that can automatically find a policy-compliant protection path in case of link failure was proposed. The OpenFlow forwarding rules are installed on routers to ensure data forwarding. Furthermore, to deactivate the protection path, how to remove flow entries based on prefixes was proposed. Experiments show that the proposal provides effective failure recovery and does not introduce significant control overhead to the network.

16.
In recent years, web services have been largely accessed by the customer, and it increases the network traffic on the internet. To provide the services for the large number of customer, dynamic clustering concept has been implemented that provides the ability to add or remove the servers on demand. But managing and processing the large set of traffic are very complicated. Load balancing technique helps to resolve the problems of network traffic and give efficient network management. In this paper, we proposed a dynamic server load balancing algorithm (DServ‐LB) using OpenFlow switches in software‐defined networking. The OpenFlow switches support the dynamic programmability. Also, we used the sFlow protocol, which is used to monitor the servers resource information periodically and the controller. Based on the server resource availability, the controller installs forwarding rules in the OpenFlow switches. For implementation, we used Mininet for network emulation, POX controller, and Docker container as Mininet hosts. The result shows that the proposed DServ‐LB improves the overall network performance and efficiently utilizes the server resources if compared with existing load balancing algorithms.

17.
Software Defined Networking (SDN) has emerged recently as a new network architecture. It implements both control and management planes at centralized controller and data plane at forwarding devices. Therefore, SDN helps to simplify network management and improves network programmability. Changes in network policies occur frequently by making modifications at controller. However, in existing approaches, the rules installed at switches before policy change at controller are not modified. This can cause violation of network policy by packets. To address this problem, this paper presents a new approach that stores the rules generated at controller. After detecting the change in policy, the proposed approach finds the rules that will be affected by policy change by examining stored rules at controller. Then the affected rules are removed from the forwarding devices. Simulation results reveal that our proposed approach provides less packets violation ratio and normalized traffic overhead as compared to existing approach. Therefore, the proposed approach increases network performance and efficiency.

18.
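The concept of grade domains is introduced into the contract net, a corresponding grade-domain-based multi-service-agent model, GF-CNM, is established, and a random TOP-N algorithm is used to describe and analyze the grade transitions of the service agents at different grades within the grade domain. The model reduces the network traffic caused by task collaboration, avoids the time overhead of soliciting irrelevant service agents, and balances the distribution of collaborative tasks; to some extent it avoids the "Matthew effect" in which "the busy get busier and the idle get idler", and effectively alleviates the problem of collaborative task solving under resource constraints.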

19.
We consider a queue fed by a mixture of light-tailed and heavy-tailed traffic. The two traffic flows are served in accordance with the generalized processor sharing (GPS) discipline. GPS-based scheduling algorithms, such as weighted fair queueing, have emerged as an important mechanism for achieving service differentiation in integrated networks. We derive the asymptotic workload behavior of the light-tailed traffic flow under the assumption that its GPS weight is larger than its traffic intensity. The GPS mechanism ensures that the workload is bounded above by that in an isolated system with the light-tailed flow served in isolation at a constant rate equal to its GPS weight. We show that the workload distribution is in fact asymptotically equivalent to that in the isolated system, multiplied with a certain pre-factor, which accounts for the interaction with the heavy-tailed flow. Specifically, the pre-factor represents the probability that the heavy-tailed flow is backlogged long enough for the light-tailed flow to reach overflow. The results provide crucial qualitative insight in the typical overflow scenario.

20.
To improve traffic scheduling capabilities in network provider data centers, both network structure and network traffic flow were considered at the same time. The analysis prediction and online scheduling mechanism was proposed in data center based on software defined networking (SDN). Aiming at the multi-dimensional, multi-constrained and multi-modal problems of traffic flow scheduling in data centers, the traffic flow scheduling strategy based on Fibonacci tree optimization (FTO) algorithm was proposed. FTO algorithm was embedded into two stages of analysis prediction and online scheduling, took advantage of its global local alternating and multi-model optimization characteristics, the optimal solution and suboptimal solutions of traffic scheduling had been got at one time. The emulator result shows that the FTO traffic scheduling strategy can schedule traffic in data centers reasonably, which improves the load balancing capability of network providers' data centers effectively.
