一种抗恶意攻击的OpenFlow虚拟流表高性能查找方法

针对恶意攻击给OpenFlow虚拟流表查找带来的破坏性影响，构建了一种抗恶意攻击的OpenFlow虚拟流表高性能查找方法。该方法基于近似成员关系查询理论，采用布鲁姆过滤器预测元组查找失败结果，以绕过绝大多数元组失败查找操作，提高OpenFlow虚拟流表查找效率；进一步，设计了一种可扩展计数型布鲁姆过滤器，根据元组规模的动态变化进行适应性伸缩，从而始终以高准确率判定元组查找失败结果；最后，采用实际网络流量样本和模拟恶意攻击方式，评估所提OpenFlow虚拟流表查找方法的性能。实验结果表明：当攻击包与正常包分别按1:2和2:1比例混合时，所提方法的假阳性错误率始终保持在6%以下，比计数型布鲁姆过滤器降低了93%,而平均查找长度降低了90%。

High-performance lookups of OpenFlow-compliant virtual flow tables against malicious attacks

Aiming at the devastating impact of malicious attacks on virtual OpenFlow-compliant flow table lookup, this paper built a high-performance lookup method for OpenFlow-compliant virtual flow tables against malicious attacks. Based on approximate membership query theory, this method applied bloom filters to predict tuple lookup failures and bypass failed lookups of a great majority of tuples, so as to accelerate the tuple space search and increase the lookup efficiency of OpenFlow-compliant virtual flow tables. Furthermore, this paper designed a scalable counting bloom filter, which adaptively extended and retracted in accordance with dynamic variation of tuple scale, to determine tuple lookup failures with high accuracy all the time. Finally, this paper evaluated the performance of the proposed lookup method of OpenFlow-compliant virtual flow tables with real network traffic traces and malicious attack simulations. The experimental results indicate that the proposed method keeps false positive error rate below 6% with 93% lower than that of the count bloom filter, and reduces average search length by 90%, both for the mixture ratio of attack packets and normal ones 1: 2 and 2: 1.