Journal of Computer Applications (计算机应用) ›› 2017, Vol. 37 ›› Issue (6): 1625-1629. DOI: 10.11772/j.issn.1001-9081.2017.06.1625

• Cyberspace Security •

Design and implementation of a cloud platform intrusion prevention scheme based on software defined networking

CHI Yaping1, JIANG Tingting1, DAI Chuping2, SUN Wei1

  1. Department of Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China;
  2. School of Telecommunications Engineering, Xidian University, Xi'an 710071, China
  • Received: 2016-10-08 Revised: 2017-01-13 Online: 2017-06-10 Published: 2017-06-14
  • Corresponding author: JIANG Tingting
  • About the authors: CHI Yaping (born 1969), female, from Beijing, professor, master's degree, CCF member; main research interests: virtualization security, trusted computing, encryption technology, software defined networking. JIANG Tingting (born 1989), female, from Jining, Shandong, master's student; main research interests: virtualization security, encryption technology, network security, cloud computing networks. DAI Chuping (born 1990), female, from Huangshan, Anhui, master's student; main research interests: 4G wireless communications, physical-layer security of wireless communications. SUN Wei (born 1993), male, from Xi'an, Shaanxi, master's student; main research interests: network security, software defined networking.
  • Funding:
    National High Technology Research and Development Program of China (863 Program) (2015AA017202); Information Security Special Fund of the National Development and Reform Commission (NDRC High-Tech [2015] No. 289).

Design and implementation of cloud platform intrusion prevention system based on software defined network

CHI Yaping1, JIANG Tingting1, DAI Chuping2, SUN Wei1   

  1. Department of Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China;
    2. School of Telecommunications Engineering, Xidian University, Xi'an Shaanxi 710071, China
  • Received:2016-10-08 Revised:2017-01-13 Online:2017-06-10 Published:2017-06-14
  • Supported by:
    This work is partially supported by the National High Technology Research and Development Program (863 Program) of China (2015AA017202) and the Information Security Special Fund of the National Development and Reform Commission (NDRC High-Tech [2015] No. 289).

Abstract (translated from the Chinese): A traditional intrusion prevention system is deployed inline in the network, has limited processing capacity, and easily causes network congestion. To address these problems, an intrusion prevention scheme based on Software Defined Networking (SDN) was designed for cloud computing applications. First, an SDN controller was integrated into the OpenStack platform. Then, using the programmable nature of the controller, a linkage mechanism between intrusion detection and the controller was designed to realize intrusion prevention. The linkage mechanism works as follows: when the intrusion detection system detects an intrusion, it passes the intrusion information to the controller, and the controller issues a security policy to the virtual switch, thereby filtering the intrusion traffic and dynamically blocking the intrusion. Finally, the proposed scheme was compared experimentally with a traditional intrusion prevention scheme. The comparative analysis shows that, while the traditional scheme successfully detects 85% of intrusions (at an attack rate of 12000 packet/s), the proposed scheme achieves an intrusion detection rate above 90% (at an attack rate of 40000 packet/s), so it can be used to improve the detection efficiency of intrusion prevention in cloud environments.

Keywords (translated): cloud computing security, intrusion prevention, software defined networking, controller

Abstract: The traditional intrusion prevention system is connected in series in the network environment; its ability to deal with intrusions is limited and it may easily cause network congestion. In order to solve these problems, an intrusion prevention scheme for cloud computing applications was designed based on Software Defined Network (SDN). Firstly, the SDN controller was integrated into the OpenStack platform. Then, by using the programmable characteristics of the controller, a linkage mechanism between intrusion detection and the controller was designed to realize intrusion prevention. The principle of the linkage mechanism is that the intrusion information is passed to the controller when the intrusion detection system detects an intrusion; the controller then issues a security policy to the virtual switch, which filters the intrusion traffic and dynamically prevents the intrusion. Finally, the proposed scheme was compared with the traditional intrusion prevention scheme in experiments. The comparison and analysis results show that the proposed scheme can detect more than 90% of intrusions when they arrive at 40000 packets per second, while the traditional scheme only detects 85% of intrusions when they arrive at 12000 packets per second. The proposed scheme can be used to improve the detection efficiency of intrusion prevention in the cloud environment.

Key words: cloud computing security, intrusion prevention, Software Defined Network (SDN), controller
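The linkage mechanism described in the abstract (IDS alert to controller, controller policy to virtual switch, switch drops the flagged flow), simulated end to end as an added example that is not the paper's code. The Snort-style alert line, the flow-rule dictionary, the priority value and the toy switch model are all constructed assumptions standing in for a real controller's OpenFlow flow-mod API.

```python
"""Simulated IDS-to-controller linkage (added example, not the paper's code).
Alert format, rule structure and switch model are constructed assumptions."""
import re
from collections import Counter

# Snort-style fast alert, constructed for this example.
SAMPLE_ALERT = ("[**] [1:1000001:1] CONSTRUCTED SYN flood [**] [Priority: 2] "
                "{TCP} 10.0.0.5:4444 -> 10.0.0.9:80")
ALERT_RE = re.compile(r"\[\*\*\] \[(?P<sid>[^\]]+)\] (?P<msg>.*?) \[\*\*\].*?"
                      r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)")

def alert_to_flow_rule(alert_line, priority=100):
    """Controller side: turn an IDS alert into a drop rule for the virtual
    switch. An empty action list means drop, as in OpenFlow flow-mods."""
    m = ALERT_RE.search(alert_line)
    if m is None:
        return None                      # not an alert line; nothing to push
    return {"match": {"ipv4_src": m["src"], "ipv4_dst": m["dst"]},
            "actions": [], "priority": priority,
            "reason": f"sid {m['sid']}: {m['msg']}"}

class VirtualSwitch:
    """Minimal flow table: highest-priority matching rule wins; no match
    falls through to normal forwarding, so unrelated traffic is untouched."""
    def __init__(self):
        self.table = []
    def install(self, rule):
        self.table.append(rule)
        self.table.sort(key=lambda r: -r["priority"])
    def handle(self, pkt):
        for rule in self.table:
            if all(pkt.get(k) == v for k, v in rule["match"].items()):
                return "drop" if not rule["actions"] else "forward"
        return "forward"

def run_linkage(alerts, packets):
    """IDS alerts drive controller rules; returns per-action packet counts."""
    switch = VirtualSwitch()
    for line in alerts:
        rule = alert_to_flow_rule(line)
        if rule is not None:
            switch.install(rule)         # controller -> virtual switch
    return Counter(switch.handle(p) for p in packets), switch

# Constructed traffic: two packets of the flagged flow, two unrelated ones.
SAMPLE_PACKETS = [{"ipv4_src": "10.0.0.5", "ipv4_dst": "10.0.0.9"},
                  {"ipv4_src": "10.0.0.5", "ipv4_dst": "10.0.0.9"},
                  {"ipv4_src": "10.0.0.7", "ipv4_dst": "10.0.0.9"},
                  {"ipv4_src": "10.0.0.9", "ipv4_dst": "10.0.0.5"}]
```

Because the rule matches only the flagged source/destination pair, the reverse direction and other tenants keep forwarding; a real deployment would also set a timeout on the rule so the block expires once the alert source goes quiet.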
