A Security-oriented Dynamic and Heterogeneous Scheduling Method for Virtual Network Function

Xinsheng JI, Shuiling XU, Wenyan LIU, Qing TONG, Lingshu LI

Citation: Xinsheng JI, Shuiling XU, Wenyan LIU, Qing TONG, Lingshu LI. A Security-oriented Dynamic and Heterogeneous Scheduling Method for Virtual Network Function[J]. Journal of Electronics & Information Technology, 2019, 41(10): 2435-2441. doi: 10.11999/JEIT181130


doi: 10.11999/JEIT181130
Funds: The National Natural Science Foundation of China (61521003, 61602509), The National Key R&D Program of China (2016YFB0800100, 2016YFB0800101)
Details
    Author biographies:

    Xinsheng JI (季新生): male, born 1964, professor and doctoral supervisor; research interests include cyberspace security and mimic security.

    Shuiling XU (徐水灵): female, born 1995, master's student; research interests: network active defense technology and NFV security.

    Wenyan LIU (刘文彦): male, born 1986, PhD; research interests: cyberspace security and cloud security.

    Qing TONG (仝青): female, born 1992, PhD; research interests: cyberspace security defense technology and active defense technology.

    Lingshu LI (李凌书): male, born 1992, PhD; research interests: mimic defense technology and active defense technology.

    Corresponding author:

    Shuiling XU (徐水灵) slxuuu@163.com

  • CLC number: TP309

  • Abstract: Network Functions Virtualization (NFV) brings flexibility and dynamism to service chain construction; however, the softwarized and virtualized environment may carry security risks such as software vulnerabilities and backdoors, which affect the security of the Service Chain (SC). To address this, the paper proposes a scheduling method for the Virtual Network Functions (VNFs) on a service chain. First, a heterogeneous image pool is built for each virtual network function, so that a single common-mode vulnerability cannot be exploited for a large-scale attack; then, at a fixed period, a VNF on the service chain is selected for scheduling and its execution entity is replaced by loading a heterogeneous image; finally, taking into account the impact of scheduling on network function performance, the attack-defense process is modeled as a Stackelberg game and the scheduling probability of each network function on the service chain is solved with the objective of maximizing the defender's payoff. Experiments show that the method lowers the attacker's success rate while keeping the overhead caused by scheduling within an acceptable range.
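The three steps in the abstract (a heterogeneous image pool per VNF, periodic replacement of a selected VNF's execution entity, and a Stackelberg game that fixes each VNF's scheduling probability) can be illustrated with a small leader-follower model. The Python below is an added example, not code from the paper or its authors, and its attack model is an assumption made here: the attacker holds an exploit for exactly one image variant per node, needs `k` consecutive scheduling periods on one unreplaced vulnerable instance, and any replacement resets that progress; scheduling cost is linear in the selection probabilities, and the leader's optimum is found by brute-force grid search. All function names (`attack_success_prob`, `defender_utility`, `optimal_schedule`, `compare_strategies`) and the sample chain are constructed for this illustration.

```python
"""Toy model of security-oriented dynamic heterogeneous VNF scheduling.

Constructed illustration with an assumed model (not the paper's model):
- VNF node i runs one instance drawn from a heterogeneous image pool of
  size h[i] (its heterogeneity);
- the attacker holds an exploit for exactly one image variant per node and
  needs k consecutive scheduling periods on a single vulnerable, unreplaced
  instance to complete the attack, within a horizon of T periods;
- each period the defender selects node i with probability p[i]
  (sum(p) <= 1, the remainder being "no scheduling") and replaces its
  execution entity with a fresh instance whose variant is drawn uniformly
  from the pool; any replacement resets the attacker's progress.
"""
from itertools import product


def attack_success_prob(p: float, h: int, k: int, T: int) -> float:
    """Exact probability that an attacker targeting one node succeeds.

    Dynamic programming over states (vulnerable variant running?, progress),
    where progress counts consecutive exploitable periods so far.
    """
    dist = {(v, g): 0.0 for v in (True, False) for g in range(k)}
    dist[(True, 0)] = 1.0 / h        # initial variant is uniform over the pool
    dist[(False, 0)] = 1.0 - 1.0 / h
    success = 0.0
    for _ in range(T):
        nxt = {s: 0.0 for s in dist}
        for (v, g), pr in dist.items():
            if pr == 0.0:
                continue
            # Node rescheduled: fresh instance, uniformly random variant,
            # attack progress reset to zero.
            nxt[(True, 0)] += pr * p / h
            nxt[(False, 0)] += pr * p * (1.0 - 1.0 / h)
            # Node left alone this period.
            stay = pr * (1.0 - p)
            if not v:
                nxt[(False, 0)] += stay      # attacker waits for a usable variant
            elif g + 1 >= k:
                success += stay              # k-th consecutive period: attack done
            else:
                nxt[(True, g + 1)] += stay
        dist = nxt
    return success


def defender_utility(p_vec, h, k, T, loss, cost):
    """Leader payoff once the follower (attacker) best-responds to p_vec.

    The attacker picks the node with the highest success probability; the
    defender pays `loss` scaled by that probability plus the scheduling cost.
    Returns (utility, index of the node the attacker targets).
    """
    succ = [attack_success_prob(p_vec[i], h[i], k, T) for i in range(len(h))]
    worst = max(succ)
    sched_cost = sum(p_vec[i] * cost[i] for i in range(len(h)))
    return -loss * worst - sched_cost, succ.index(worst)


def optimal_schedule(h, k, T, loss, cost, step=0.05):
    """Stackelberg leader: commit to the p_vec with the best anticipated payoff.

    Brute-force grid search over the probability simplex; fine for the two or
    three nodes of a toy chain, not a general solver.
    """
    n = len(h)
    grid = [round(i * step, 10) for i in range(int(round(1.0 / step)) + 1)]
    best = None
    for p_vec in product(grid, repeat=n):
        if sum(p_vec) > 1.0 + 1e-9:
            continue
        u, target = defender_utility(p_vec, h, k, T, loss, cost)
        if best is None or u > best[0]:
            best = (u, p_vec, target)
    return best


def compare_strategies(h, k, T, loss, cost, step=0.05):
    """Static chain (never rescheduled) versus the optimized schedule."""
    static = tuple(0.0 for _ in h)
    u_static, t_static = defender_utility(static, h, k, T, loss, cost)
    u_opt, p_opt, t_opt = optimal_schedule(h, k, T, loss, cost, step)
    return {"static": (u_static, static, t_static),
            "optimal": (u_opt, p_opt, t_opt)}


if __name__ == "__main__":
    # Constructed chain: three VNFs with image pools of size 1, 2 and 4.
    H, K, HORIZON, LOSS, COST = [1, 2, 4], 3, 10, 10.0, [1.0, 1.0, 1.0]
    for name, (u, p_vec, target) in compare_strategies(H, K, HORIZON, LOSS, COST).items():
        print(f"{name:8s} p={p_vec} defender utility={u:.3f} attacker targets node {target}")
```

Running the script shows the two effects the abstract claims: with no scheduling the attacker simply targets the node with a single-image pool and succeeds with certainty, while the optimized schedule concentrates selection probability on the least heterogeneous nodes and brings the attacker's best success probability down at a bounded scheduling cost. Raising a node's pool size `h` (the heterogeneity in the paper's Figure 9) lowers the probability the optimizer assigns to it.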
  • Fig. 1  Example of a service chain attack

    Fig. 2  Example of the dynamic heterogeneous service chain model

    Fig. 3  Attack success rate: static system vs. dynamic system

    Fig. 4  Defender overhead: static system vs. dynamic system

    Fig. 5  Defender overhead: purely random scheduling vs. optimized scheduling

    Fig. 6  Attack success rate: purely random scheduling vs. optimized scheduling

    Fig. 7  Comparison of security gain with multiple attackers

    Fig. 8  Effect of overall service chain heterogeneity on defender overhead / attack success rate

    Fig. 9  Effect of node heterogeneity on the probability that a node is selected

    Fig. 10  Effect of the scheduling period on defender overhead

Metrics
  • Article views:  1811
  • HTML full-text views:  1033
  • PDF downloads:  87
  • Citations: 0
Publication history
  • Received:  2018-12-06
  • Revised:  2019-04-03
  • Published online:  2019-04-23
  • Published in issue:  2019-10-01
