一种面向安全的虚拟网络功能动态异构调度方法

季新生; 徐水灵; 刘文彦; 仝青; 李凌书

doi:10.11999/JEIT181130

一种面向安全的虚拟网络功能动态异构调度方法

doi: 10.11999/JEIT181130

国家数字交换系统工程技术研究中心郑州 450002

基金项目: 国家自然科学基金(61521003, 61602509)，国家重点研发计划项目(2016YFB0800100, 2016YFB0800101)

详细信息

作者简介:
季新生：男，1964年生，教授，博士生导师，研究方向为网络空间安全、拟态安全等

徐水灵：女，1995年生，硕士生，研究方向为网络主动防御技术、NFV安全

刘文彦：男，1986年生，博士，研究方向为网络空间安全、云安全

仝青：女，1992年生，博士，研究方向为网络空间安全防御技术、主动防御技术

李凌书：男，1992年生，博士，研究方向为拟态防御技术、主动防御技术

通讯作者:
徐水灵　slxuuu@163.com

中图分类号: TP309
计量
- 文章访问数: 1718
- HTML全文浏览量: 999
- PDF下载量: 86
- 被引次数: 0
出版历程
- 收稿日期: 2018-12-06
- 修回日期: 2019-04-03
- 网络出版日期: 2019-04-23
- 刊出日期: 2019-10-01

A Security-oriented Dynamic and Heterogeneous Scheduling Method for Virtual Network Function

National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, China

Funds: The National Natural Science Foundation of China (61521003, 61602509), The National Key R&D Program of China (2016YFB0800100, 2016YFB0800101)

摘要

摘要: 网络功能虚拟化(NFV)为服务链构建带来了灵活性与动态性，然而，软件化与虚拟化环境可能存在软件漏洞、后门等安全风险，对服务链(SC)的安全产生影响。为此，该文提出一种服务链上虚拟网络功能(VNF)调度方法。首先，为虚拟网络功能构建异构镜像池，避免利用共模漏洞的大范围攻击；随后，以特定周期选择服务链虚拟网络功能进行调度，加载异构镜像对该网络功能的执行实体进行替换；最后，考虑调度对网络功能性能的影响，应用斯坦科尔伯格博弈对攻防过程建模，以最优化防御者收益为目标求解服务链上各网络功能的调度概率。实验表明，该方法能够降低攻击者攻击成功率，同时将调度产生的开销控制在可接受范围内。
- 网络功能虚拟化 /
- 服务链 /
- 网络安全 /
- 动态 /
- 异构 /
- 博弈论
Abstract: Network Function Virtualization (NFV) brings flexibility and dynamics to the construction of service chain. However, the software and virtualization may cause security risks such as vulnerabilities and backdoors, which may have impact on Service Chain (SC) security. Thus, a Virtual Network Function (VNF) scheduling method is proposed. Firstly, heterogeneous images are built for every virtual network function in service chain, avoiding widespread attacks using common vulnerabilities. Then, one network function is selected dynamically and periodically. The executor of this network function is replaced by loading heterogeneous images. Finally, considering the impact of scheduling on the performance of network functions, Stackelberg game is used to model the attack and defense process, and the scheduling probability of each network function in the service chain is solved with the goal of optimizing the defender’s benefit. Experiments show that this method can reduce the rate of attacker’s success while controlling the overhead generated by the scheduling within an acceptable range.
- Network Function Virtualization(NFV) /
- Service Chain (SC) /
- Cyber security /
- Dynamic /
- Heterogeneous /
- Game theory

HTML全文

图 1 服务链攻击实例

下载: 全尺寸图片幻灯片

图 2 动态异构式服务链模型举例

下载: 全尺寸图片幻灯片

图 3 静态系统与动态系统攻击成功率对比

下载: 全尺寸图片幻灯片

图 4 静态系统与动态系统防御者开销对比

下载: 全尺寸图片幻灯片

图 6 纯随机调度与最优化选择调度攻击成功率对比

下载: 全尺寸图片幻灯片

图 5 纯随机调度与最优化选择调度防御者开销对比

下载: 全尺寸图片幻灯片

图 7 多攻击者安全增益对比

下载: 全尺寸图片幻灯片

图 8 服务链整体异构度对防御者开销/攻击成功率影响

下载: 全尺寸图片幻灯片

图 9 节点异构度对节点被选概率影响

下载: 全尺寸图片幻灯片

图 10 调度周期对防御者开销影响

下载: 全尺寸图片幻灯片

参考文献(15)

Network Functions Virtualization (NFV) ETSI Industry Specification Group (ISG). ETSI GS NFV 001: Network Functions Virtualisation (NFV); Use cases[EB/OL]. https://www.etsi.org/deliver/etsi_gs/NFV/001_099/001/01.01.01_60/gs_NFV001v010101p.pdf, 2013.

MEDHAT A M, TALEB T, ELMANGOUSH A, et al. Service function chaining in next generation networks: state of the art and research challenges[J]. IEEE Communications Magazine, 2017, 55(2): 216–223. doi: 10.1109/MCOM.2016.1600219RP

SAHHAF S, TAVERNIER W, COLLE D, et al. Network service chaining with efficient network function mapping based on service decompositions[C]. The 1st IEEE Conference on Network Softwarization, London, UK, 2015: 1–5.

Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG). ETSI GS NFV-SEC 001: Network Functions Virtualisation (NFV); NFV security; Problem statement[EB/OL]. https://www.etsi.org/deliver/etsi_gs/NFV-SEC/001_099/001/01.01.01_60/gs_NFV-SEC001v010101p.pdf, 2014.

LAL S, TALEB T, and DUTTA A. NFV: Security threats and best practices[J]. IEEE Communications Magazine, 2017, 55(8): 211–217. doi: 10.1109/MCOM.2017.1600899

FIROOZJAEI M D, JEONG J, KO H, et al. Security challenges with network functions virtualization[J]. Future Generation Computer Systems, 2017, 67: 315–324. doi: 10.1016/j.future.2016.07.002

DING Weiran, YU Hongfang, and LUO Shouxi. Enhancing the reliability of services in NFV with the cost-efficient redundancy scheme[C]. IEEE International Conference on Communications, Paris, France, 2017: 1–6.

CARPIO F, JUKAN A, and PRIES R. Balancing the migration of virtual network functions with replications in data centers[C]. The 16th IEEE/IFIP Network Operations and Management Symposium, Taipei, China, 2018: 1–8.

PATTARANANTAKUL M, HE R, MEDDAHI A, et al. SecMANO: Towards Network Functions Virtualization (NFV) based security management and orchestration[C]. 2016 IEEE Trustcom/BigDataSE/ISPA, Tianjin, China, 2016: 598–605.

ZHENG Yan, ZHANG Peng, and VASILAKOS A V. A security and trust framework for virtualized networks and software‐defined networking[J]. Security and Communication Networks, 2016, 9(16): 3059–3069. doi: 10.1002/sec.1243

GUO Minzhe and BHATTACHARYA P. Diverse virtual replicas for improving intrusion tolerance in cloud[C]. The 9th Annual Cyber and Information Security Research Conference, Oak Ridge, USA, 2014: 41–44.

LI F, LAI A, and DDL D. Evidence of advanced persistent threat: a case study of malware for political espionage[C]. The 6th International Conference on Malicious and Unwanted Software, Fajardo, USA, 2011: 102–109.

MA Duohe, WANG Liming, LEI Cheng, et al. Quantitative security assessment method based on entropy for moving target defense[C]. The 2017 ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates, 2017: 9204–922.

GARCIA M, BESSANI A, GASHI I, et al. Analysis of operating system diversity for intrusion tolerance[J]. Journal of Research and Practice in Information Technology, 2014, 44(6): 735–770. doi: 10.1002/spe.2180

PARUCHURI P, PEARCE J P, MARECKI J, et al. Playing games for security: an efficient exact algorithm for solving Bayesian Stackelberg games[C]. The 7th International Joint Conference on Autonomous Agents and Multiagent Systems-Volume 2, Estoril, Portugal, 2008: 895–902.

施引文献

资源附件(0)

访问统计