Journal of Xidian University ›› 2023, Vol. 50 ›› Issue (6): 172-194. doi: 10.19665/j.issn1001-2400.20230904
XIONG Wanyin1, MAO Jian1, LIU Ziwen1, LIU Wenmao2, LIU Jianwei1
Received: 2022-12-10
Online: 2023-12-20
Published: 2024-01-22
Corresponding author: MAO Jian (born 1978), female, associate professor
About the author: XIONG Wanyin (born 1998), female, master's student at Beihang University
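Abstract:
As network functions become increasingly diverse, the software-defined networking (SDN) architecture, with its centralized control and programmability, has been widely adopted in many fields. However, SDN's distinctive layered structure and operating mechanisms also introduce new security challenges. Flow rules, which carry the control plane's management decisions and form the basis of the data plane's network behavior, have become a focal point of attack and defense in SDN. To address the security of flow rules in SDN, the paper first analyzes the characteristics and security risks of the SDN architecture. Then, based on the flow rule mechanism in SDN, it divides attacks on flow rules into two categories, interfering with control-plane decisions and disrupting data-plane execution, and presents attack examples. Research on improving flow rule security is analyzed from two perspectives, verification and enhancement; existing mechanisms are summarized and their limitations are briefly analyzed. Two mainstream verification approaches, modeling-based checking and packet-probing-based checking, are examined, and three concrete approaches to flow rule enhancement, based on permission control, conflict resolution and path verification, are discussed. Finally, future directions for flow rule security are outlined.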
Cite this article:
XIONG Wanyin, MAO Jian, LIU Ziwen, LIU Wenmao, LIU Jianwei. Advances in security analysis of software-defined networking flow rules[J]. Journal of Xidian University, 2023, 50(6): 172-194.
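Table 2. Typical SDN attacks and their impact

Attack consequence | Category | Attack effect | Typical attack |
---|---|---|---|
Information leakage | Probing the network architecture | Infer the current network architecture (traditional or SDN) | Inferring the network architecture from additional packet delay |
 | Probing the controller | Infer the specific controller used by the current SDN network | SDN controller fingerprinting |
 | Probing applications | Infer the applications installed on the SDN controller | Inferring applications from low-level and encrypted control traffic |
Resource exhaustion | Control-plane DoS | The SDN controller is overloaded and cannot provide service normally | Babble attack against the Raft algorithm of the ONOS controller |
Denial of service | Data-plane DoS | Forwarding devices exhaust their computing or storage resources and cannot communicate normally | Control plane reflection attack |
 | Systemic DoS | The SDN control plane and data plane interact, affecting the functions of other components | Control plane saturation attack |
Policy modification | Caused by the control plane | Modify the intended network policies of the SDN network, including access control policies and resource allocation rules | Rootkit based on a malicious application |
 | Caused by the data plane | | Virtual switch vulnerabilities |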
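Table 3. Offline modeling-based checking tools using formal methods

Work | Network type (traditional / SDN) | Approach | Reachability | Loop freedom | Black-hole freedom | Complex policy query |
---|---|---|---|---|---|---|
FlowChecker | √ | Encodes flow tables as BDDs; models network behavior with symbolic model checking | √ | NA | NA | Temporal logic |
Anteater | √ | Represents data plane state and invariants as Boolean functions; analyzed with a SAT solver | √ | √ | √ | Ruby, SLang |
Hassel | √ | HSA framework; models network behavior with network transfer functions | √ | √ | NA | Code based on internal functions |
NICE | √ | Model checking and symbolic execution to search the system state space | NA | √ | √ | Internal functions & Python |
NoD | √ | Uses Datalog as both the specification language and the modeling language | √ | √ | √ | Datalog |
FLOVER | √ | Converts flow rules and security policies into a set of assertions; analyzed with the Yices SMT solver | NA | NA | NA | First-order logic expressions |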
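Table 4. Real-time verification schemes based on modeling and checking

Work | Network type (traditional / SDN) | Acceleration idea | Approach | Reachability | Loop freedom | Black-hole freedom | Complex policy query |
---|---|---|---|---|---|---|---|
NetPlumber | √ | Incremental network verification | Builds the network model with the HSA framework; incrementally updates the network dependency graph | √ | √ | √ | FlowExp |
VeriFlow | √ | Partitioning packets into ECs | Uses a trie to update ECs incrementally; builds a forwarding graph for each EC | √ | √ | √ | Internal API & C++ |
Libra | √ | Partitioning packets into ECs, parallel processing | Takes data plane snapshots to build a directed graph; MapReduce splits the graph for parallel verification | √ | √ | √ | Internal functions |
AP Verifier | √ / √ | Faster EC computation | Uses BDDs to represent and operate on the atomic predicates of ports, partitions ECs, and computes reachability trees | √ | √ | √ | Internal functions |
APT | √ / √ | EC re-partitioning | Partitions packets into the coarsest ECs and computes reachability trees | √ | √ | √ | CTL |
Delta-net | √ / √ | Faster EC computation, incremental verification, exploiting network similarity | Partitions ECs by IP range and represents them as sets of atoms; maintains a global forwarding graph that is updated incrementally | √ | √ | √ | Internal API |
APKeep | √ | Faster EC computation | Models the network in units of logical functions; new methods for computing and maintaining ECs | NA | √ | √ | Internal functions |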
[1] | GREENBERG A, HJALMTYSSON G, MALTZ D A, et al. A Clean Slate 4d Approach to Network Control and Management[J]. ACM SIGCOMM Computer Communication Review, 2005, 35(5):41-54. doi: 10.1145/1096536.1096541 |
[2] | CASADO M, GARFINKEL T, AKELLA A, et al. Sane:A Protection Architecture for Enterprise Networks[C]// Proceedings of the 15th conference on USENIX Security Symposium.Berkeley:USENIX, 2006:137-151. |
[3] | CASADO M, FREEDMAN M J, PETTIT J, et al. Ethane:Taking Control of the Enterprise[J]. ACM SIGCOMM Computer Communication Review, 2007, 37(4):1-12. |
[4] | JAIN S, KUMAR A, MANDAL S, et al. B4:Experience with a Globally-Deployed Software Defined Wan[J]. ACM SIGCOMM Computer Communication Review, 2013, 43(4):3-14. |
[5] | PATEL P, BANSAL D, YUAN L, et al. Ananta:Cloud Scale Load Balancing[J]. ACM SIGCOMM Computer Communication Review, 2013, 43(4):207-218. doi: 10.1145/2534169.2486026 |
[6] | NATARAJAN S, RAMAIAH A, MATHEN M. A Software Defined Cloud-Gateway Automation System Using Openflow[C]// Proceedings of the 2013 IEEE 2nd International Conference on Cloud Networking(CloudNet).Piscataway:IEEE, 2013:219-226. |
[7] | LI Y, CHEN M. Software-Defined Network Function Virtualization:A Survey[J]. IEEE Access, 2015, 3:2542-2553. doi: 10.1109/ACCESS.2015.2499271 |
[8] | JAIN R, PAUL S. Network Virtualization and Software Defined Networking for Cloud Computing:A Survey[J]. IEEE Communications Magazine, 2013, 51(11):24-31. |
[9] | BIZANIS N, KUIPERS F A. Sdn and Virtualization Solutions for the Internet of Things:A Survey[J]. IEEE Access, 2016, 4:5591-5606. doi: 10.1109/ACCESS.2016.2607786 |
[10] | CHEN Jintao, LIANG Jun, GUO Zizhen, et al. Research on Deployment Strategy of Multiple Controllers in the Software-Defined Satellite Network[J]. Journal of Xidian University, 2022, 49(3):59-67. |
[11] | GREENE K. Tr10:Software-Defined Networking[R]. Technology Review(MIT).Massachusetts:MIT, 2009. |
[12] | UJCICH B E, JERO S, SKOWYRA R, et al. Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking[C]// Proceedings of the 2020 Network and Distributed System Security Symposium(NDSS).Alexandria:NSF, 2020:1-18. |
[13] | UJCICH B E, JERO S, EDMUNDSON A, et al. Cross-App Poisoning in Software-Defined Networking[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security(CCS18). New York: ACM, 2018:648-663. |
[14] | CANINI M, VENZANO D, PEREŠÍNI P, et al. A Nice Way to Test Openflow Applications[C]// Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation(NSDI 12). Berkeley: USENIX Association, 2012:127-140. |
[15] | WEN X, YANG B, CHEN Y, et al. Sdnshield:Reconciliating Configurable Application Permissions for Sdn App Markets[C]// Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN2016).Piscataway:IEEE, 2016:121-132. |
[16] | PORRAS P, SHIN S, YEGNESWARAN V, et al. A Security Enforcement Kernel for Openflow Networks[C]// Proceedings of the First Workshop on Hot Topics In Software Defined Networks. New York: ACM, 2012:121-126. |
[17] | LEE S, YOON C, SHIN S. The Smaller,the Shrewder:A Simple Malicious Application Can Kill an Entire Sdn Environment[C]// Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. New York: ACM, 2016:23-28. |
[18] | ZENG H, KAZEMIAN P, VARGHESE G, et al. Automatic Test Packet Generation[C]// Proceedings of the 8th International Conference on Emerging Networking Experiments and Technologies. New York: ACM, 2012:241-252. |
[19] | AHMAD I, NAMAL S, YLIANTTILA M, et al. Security in Software Defined Networks:A Survey[J]. IEEE Communications Surveys & Tutorials, 2015, 17(4):2317-2346. |
[20] | KUŹNIAR M, PEREŠÍNI P, KOSTIĆ D. What You Need to Know About Sdn Flow Tables[C]// Proceedings of the 16th International Conference on Passive and Active Network Measurement.Heidelberg:Springer, 2015:347-359. |
[21] | MISEREZ J, BIELIK P, EL-HASSANY A, et al. Sdnracer:Detecting Concurrency Violations in Software-Defined Networks[C]// Proceedings of the 1st ACM SIGCOMM Symposium on Software Defined Networking Research. New York: ACM, 2015:1-7. |
[22] | PEREŠÍNI P, KUŹNIAR M, KOSTIĆ D. Monocle:Dynamic,Fine-Grained Data Plane Monitoring[C]// Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies. New York: ACM, 2015:1-13. |
[23] | SCOTT-HAYWARD S, NATARAJAN S, SEZER S. A Survey of Security in Software Defined Networks[J]. IEEE Communications Surveys & Tutorials, 2015, 18(1):623-654. |
[24] | BU K, WEN X, YANG B, et al. Is Every Flow on the Right Track?:Inspect Sdn Forwarding with Rulescope[C]// Proceedings of the IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications.Piscataway:IEEE, 2016:1-9. |
[25] | ZHANG P, LI H, HU C, et al. Mind the Gap:Monitoring the Control-Data Plane Consistency in Software Defined Networks[C]// Proceedings of the 12th International on Conference on Emerging Networking EXperiments and Technologies. New York: ACM, 2016:19-33. |
[26] | MCKEOWN N, ANDERSON T, BALAKRISHNAN H, et al. Openflow:Enabling Innovation in Campus Networks[J]. ACM SIGCOMM Computer Communication Review, 2008, 38(2):69-74. |
[27] | FUNDATION O N. Software-Defined Networking:The New Norm for Networks[J]. ONF White Paper, 2012, 2(2-6):11. |
[28] | GUDE N, KOPONEN T, PETTIT J, et al. Nox:Towards an Operating System for Networks[J]. ACM SIGCOMM Computer Communication Review, 2008, 38(3):105-110. doi: 10.1145/1384609.1384625 |
[29] | MEDVED J, VARGA R, TKACIK A, et al. Opendaylight:Towards a Model-Driven Sdn Controller Architecture[C]// Proceeding of the IEEE International Symposium on a World of Wireless,Mobile and Multimedia Networks 2014.Piscataway:IEEE, 2014:1-6. |
[30] | ERICKSON D. The Beacon Openflow Controller[C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2013:13-18. |
[31] | BERDE P, GEROLA M, HART J, et al. Onos:Towards an Open,Distributed Sdn Os[C]// Proceedings of the Third Workshop on Hot Topics in Software defined Networking. New York: ACM, 2014:1-6. |
[32] | LI Kexin, WANG Xingwei, YI Bo, et al. Survey of Intelligent Software Defined Networking[J]. Journal of Software, 2021, 32(1):118-136. |
[33] | YANG Yang, LV Guanghong, ZHAO Hui, et al. Survey on Deep Learning Applications in Software Defined Networking Research[J]. Journal of Software, 2020, 31(7):2184-2204. |
[34] | HALEPLIDIS E, SALIM J H, HALPERN J M, et al. Network Programmability with Forces[J]. IEEE Communications Surveys & Tutorials, 2015, 17(3):1423-1440. |
[35] | BOSSHART P, DALY D, GIBB G, et al. P4:Programming Protocol-Independent Packet Processors[J]. ACM SIGCOMM Computer Communication Review, 2014, 44(3):87-95. |
[36] | YU Yang, WANG Zhiliang, BI Jun, et al. Survey on the Languages in the Northbound Interface of Software Defined Networking[J]. Journal of Software, 2016, 27(4):993-1008. |
[37] | WANG Mengmeng, LIU Jianwei, CHEN Jie, et al. Software Defined Networking:Security Model,Threats and Mechanism[J]. Journal of Software, 2016, 27(4):969-992. |
[38] | SCOTT-HAYWARD S, O'CALLAGHAN G, SEZER S. Sdn Security:A Survey[C]// Proceedings of the 2013 IEEE SDN For Future Networks and Services(SDN4FNS).Piscataway:IEEE, 2013:1-7. |
[39] | KREUTZ D, RAMOS F M, VERISSIMO P. Towards Secure and Dependable Software-Defined Networks[C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot topics in Software Defined Networking. New York: ACM, 2013:55-60. |
[40] | YOON C, LEE S, KANG H, et al. Flow Wars:Systemizing the Attack Surface and Defenses in Software-Defined Networks[J]. IEEE/ACM Transactions on Networking, 2017, 25(6):3514-3530. doi: 10.1109/TNET.2017.2748159 |
[41] | SHIN S, GU G. Attacking Software-Defined Networks:A First Feasibility Study[C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2013:165-166. |
[42] | AZZOUNI A, BRAHAM O, NGUYEN T M T, et al. Fingerprinting Openflow Controllers:The First Step to Attack a Sdn Control Plane[C]// Proceedings of the 2016 IEEE Global Communications Conference(GLOBECOM).Piscataway:IEEE, 2016:1-6. |
[43] | CAO J, YANG Z, SUN K, et al. Fingerprinting Sdn Applications Via Encrypted Control Traffic[C]// Proceedings of the 22nd International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2019).Berkeley:USENIX, 2019:501-515. |
[44] | HANMER R, LIU S, JAGADEESAN L, et al. Death by Babble:Security and Fault Tolerance of Distributed Consensus in High-Availability Softwarized Networks[C]// Proceedings of the 2019 IEEE Conference on Network Softwarization(NetSoft).Piscataway:IEEE, 2019:266-270. |
[45] | ZHANG M, LI G, XU L, et al. Control Plane Reflection Attacks in Sdns:New Attacks and Countermeasures[C]// Proceedings of the 21st International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2018).Heidelberg:Springer, 2018:161-183. |
[46] | ALHARBI T, PORTMANN M, PAKZAD F. The (in)Security of Topology Discovery in Software Defined Networks[C]// Proceedings of the 2015 IEEE 40th Conference on Local Computer Networks(LCN 2015).Piscataway:IEEE, 2015:502-505. |
[47] | SHIN S, YEGNESWARAN V, PORRAS P, et al. Avant-Guard:Scalable and Vigilant Switch Flow Management in Software-Defined Networks[C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security(CCS13). New York: ACM, 2013:413-424. |
[48] | AMBROSIN M, CONTI M, DE GASPARI F, et al. Lineswitch:Tackling Control Plane Saturation Attacks in Software-Defined Networking[J]. IEEE/ACM Transactions on Networking, 2016, 25(2):1206-1219. doi: 10.1109/TNET.2016.2626287 |
[49] | RÖPKE C, HOLZ T. Sdn Rootkits:Subverting Network Operating Systems of Software-Defined Networks[C]// Proceedings of the 18th International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2015).Heidelberg:Springer, 2015:339-356. |
[50] | THIMMARAJU K, SHASTRY B, FIEBIG T, et al. Taking Control of Sdn-Based Cloud Systems Via the Data Plane[C]// Proceedings of the Symposium on SDN Research. New York: ACM, 2018:1-15. |
[51] | HONG S, XU L, WANG H, et al. Poisoning Network Visibility in Software-Defined Networks:New Attacks and Countermeasures[C]// Proceedings of the 2015 Network and Distributed System Security Symposium(NDSS). San Diego: NDSS, 2015:8-11. |
[52] | UJCICH B E, THAKORE U, SANDERS W H. Attain:An Attack Injection Framework for Software-Defined Networking[C]// Proceedings of the 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN2017).Piscataway:IEEE, 2017:567-578. |
[53] | YU Y, LI X, LENG X, et al. Fault Management in Software-Defined Networking:A Survey[J]. IEEE Communications Surveys & Tutorials, 2018, 21(1):349-392. |
[54] | DACIER M C, KÖNIG H, CWALINSKI R, et al. Security Challenges and Opportunities of Software-Defined Networking[J]. IEEE Security & Privacy, 2017, 15(2):96-100. |
[55] | AL-SHAER E, AL-HAJ S. Flowchecker:Configuration Analysis and Verification of Federated Openflow Infrastructures[C]// Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration. New York: ACM, 2010:37-44. |
[56] | MAI H, KHURSHID A, AGARWAL R, et al. Debugging the Data Plane with Anteater[J]. ACM SIGCOMM Computer Communication Review, 2011, 41(4):290-301. doi: 10.1145/2043164.2018470 |
[57] | KAZEMIAN P, VARGHESE G, MCKEOWN N. Header Space Analysis:Static Checking for Networks[C]// Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation(NSDI 12).Berkeley:USENIX, 2012:113-126. |
[58] | KAZEMIAN P, CHANG M, ZENG H, et al. Real Time Network Policy Checking Using Header Space Analysis[C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation(NSDI 13).Berkeley:USENIX, 2013:99-111. |
[59] | KHURSHID A, ZOU X, ZHOU W, et al. Veriflow:Verifying Network-Wide Invariants in Real Time[C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation(NSDI 13).Berkeley:USENIX, 2013:15-27. |
[60] | SON S, SHIN S, YEGNESWARAN V, et al. Model Checking Invariant Security Properties in Openflow[C]// Proceedings of the 2013 IEEE International Conference on Communications(ICC).Piscataway:IEEE, 2013:1974-1979. |
[61] | ZENG H, ZHANG S, YE F, et al. Libra:Divide and Conquer to Verify Forwarding Tables in Huge Networks[C]// Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation(NSDI 14).Berkeley:USENIX, 2014:87-99. |
[62] | LOPES N P, BJØRNER N, GODEFROID P, et al. Checking Beliefs in Dynamic Networks[C]// Proceedings of the 12th USENIX Symposium on Networked Systems Design and Implementation(NSDI 15).Berkeley:USENIX, 2015:499-512. |
[63] | YANG H, LAM S S. Real-Time Verification of Network Properties Using Atomic Predicates[J]. IEEE/ACM Transactions on Networking, 2015, 24(2):887-900. doi: 10.1109/TNET.2015.2398197 |
[64] | YANG H, LAM S S. Scalable Verification of Networks with Packet Transformers Using Atomic Predicates[J]. IEEE/ACM Transactions on Networking, 2017, 25(5):2900-2915. doi: 10.1109/TNET.2017.2720172 |
[65] | HORN A, KHERADMAND A, PRASAD M. Delta-Net:Real-Time Network Verification Using Atoms[C]// Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation(NSDI 17).Berkeley:USENIX, 2017:735-749. |
[66] | ZHANG P, LIU X, YANG H, et al. Apkeep:Realtime Verification for Real Networks[C]// Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation(NSDI 20).Berkeley:USENIX, 2020:241-255. |
[67] | HANDIGOL N, HELLER B, JEYAKUMAR V, et al. I Know What Your Packet Did Last Hop:Using Packet Histories to Troubleshoot Networks[C]// Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation(NSDI 14).Berkeley:USENIX, 2014:71-85. |
[68] | AGARWAL K, ROZNER E, DIXON C, et al. Sdn Traceroute:Tracing Sdn Forwarding without Changing Network Behavior[C]// Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2014:145-150. |
[69] | TAMMANA P, AGARWAL R, LEE M. Simplifying Datacenter Network Debugging with Pathdump[C]// Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation(OSDI 16).Berkeley:USENIX, 2016:233-248. |
[70] | SHUKLA A, SAIDI S J, SCHMID S, et al. Toward Consistent Sdns:A Case for Network State Fuzzing[J]. IEEE Transactions on Network and Service Management, 2019, 17(2):668-681. doi: 10.1109/TNSM.4275028 |
[71] | ZHANG P, WU H, ZHANG D, et al. Verifying Rule Enforcement in Software Defined Networks with Rev[J]. IEEE/ACM Transactions on Networking, 2020, 28(2):917-929. doi: 10.1109/TNET.90 |
[72] | ZHANG P, ZHANG F, XU S, et al. Network-Wide Forwarding Anomaly Detection and Localization in Software Defined Networks[J]. IEEE/ACM Transactions on Networking, 2021, 29(1):332-345. doi: 10.1109/TNET.90 |
[73] | LI Y, YIN X, WANG Z, et al. A Survey on Network Verification and Testing with Formal Methods:Approaches and Challenges[J]. IEEE Communications Surveys & Tutorials, 2018, 21(1):940-969. |
[74] | XIE G G, ZHAN J, MALTZ D A, et al. On Static Reachability Analysis of Ip Networks[C]// Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies(INFOCOM).Piscataway:IEEE, 2005:2170-2183. |
[75] | LI Q, LIU Y, LIU Z, et al. Efficient Forwarding Anomaly Detection in Software-Defined Networks[J]. IEEE Transactions on Parallel and Distributed Systems, 2021, 32(11):2676-2690. doi: 10.1109/TPDS.2021.3068135 |
[76] | SHIN S W, PORRAS P, YEGNESWARA V, et al. FRESCO:Modular Composable Security Services for Software-Defined Networks[C]// Proceedings of the 20th Annual Network & Distributed System Security Symposium(NDSS). San Diego: NDSS, 2013:1-16. |
[77] | PORRAS P A, CHEUNG S, FONG M W, et al. Securing the Software Defined Network Control Layer[C]// Proceedings of the 2015 Network and Distributed System Security Symposium(NDSS). San Diego: NDSS, 2015:1-15. |
[78] | WANG M, LIU J, CHEN J, et al. Perm-Guard:Authenticating the Validity of Flow Rules in Software Defined Networking[J]. Journal of Signal Processing Systems, 2017, 86(2-3):157-173. doi: 10.1007/s11265-016-1115-8 |
[79] | HU H, HAN W, AHN G-J, et al. FLOWGUARD:Building Robust Firewalls for Software-Defined Networks[C]// Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2014:97-102. |
[80] | WANG Juan, WANG Jiang, JIAO Hongyang, et al. A Method of Openflow-Based Real-Time Conflict Detection and Resolution for SDN Access Control Policies[J]. Chinese Journal of Computers, 2015, 38(4):872-883. |
[81] | SASAKI T, PAPPAS C, LEE T, et al. SDNsec:Forwarding Accountability for the Sdn Data Plane[C]// Proceedings of the 2016 25th International Conference on Computer Communication and Networks(ICCCN).Piscataway:IEEE, 2016:1-10. |
[82] | LI Q, LIU Y, LIU Z, et al. Efficient Forwarding Anomaly Detection in Software-Defined Networks[J]. IEEE Transactions on Parallel and Distributed Systems, 2021, 32(11):2676-2690. doi: 10.1109/TPDS.2021.3068135 |
[83] | XI S, BU K, MAO W, et al. RuleOut Forwarding Anomalies for SDN[J]. IEEE/ACM Transactions on Networking, 2023, 31(1):395-407. doi: 10.1109/TNET.2022.3194970 |
[84] | ZUO Qingyun, CHEN Ming, WANG Xiulei, et al. Online Traffic Anomaly Detection Method for SDN[J]. Journal of Xidian University, 2015, 42(1):155-160. |
[85] | LIU Yicen, CHEN Xingkai, LU Yu, et al. SDN-Based Optimal Security Service Path Construction Mechanism[J]. Journal of Xidian University, 2019, 46(1):158-165. |