计算机应用 ›› 2017, Vol. 37 ›› Issue (11): 3304-3310.DOI: 10.11772/j.issn.1001-9081.2017.11.3304

• 网络空间安全 • 上一篇    下一篇

基于安全策略的负载感知动态调度机制

顾泽宇, 张兴明, 林森杰   

  1. 国家数字交换系统工程技术研究中心, 郑州 450002
  • 收稿日期:2017-05-16 修回日期:2017-06-30 出版日期:2017-11-10 发布日期:2017-11-11
  • 通讯作者: 顾泽宇
  • 作者简介:顾泽宇(1993-),男,辽宁沈阳人,硕士研究生,主要研究方向:网络安全、网络主动防御;张兴明(1963-),男,河南新乡人,教授,博士,主要研究方向:交换及拟态技术、拟态安全;林森杰(1992-),男,广东汕头人,硕士研究生,主要研究方向:拟态安全。
  • 基金资助:
    国家自然科学基金资助项目(61572520,61521003);上海市科研计划项目(14DZ1104800)。

Load-aware dynamic scheduling mechanism based on security strategies

GU Zeyu, ZHANG Xingming, LIN Senjie   

  1. National Digital Switching System Engineering & Technological R & D Center, Zhengzhou Henan 450002, China
  • Received:2017-05-16 Revised:2017-06-30 Online:2017-11-10 Published:2017-11-11
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61572520, 61521003), the Shanghai Science and Technology Research Project (14DZ1104800).

摘要: 针对软件定义网络(SDN)网络控制器流规则篡改攻击等单点脆弱性威胁,传统安全解决方案如备份、容错机制等存在被动防御缺陷,无法从根本上解决控制层安全问题。结合目前移动目标防御、网络空间拟态防御等主动防御技术研究现状,提出一种基于异构冗余结构的动态安全调度机制。建立控制器执行体与调度体调度模型,根据系统攻击异常、异构度等指标,以安全性为原则设计动态调度策略;同时考虑系统负载因素,通过设计调度算法LA-SSA将调度问题转化为动态双目标优化问题,以实现优化的调度方案。仿真结果表明,对比静态结构,动态调度机制在累积异常值、输出安全率等指标上有明显优势,说明安全调度机制中的动态性与多样性能够显著提高系统抵御攻击能力,LA-SSA机制负载方差较安全优先调度更平稳,在实现安全调度的同时避免了负载失衡问题,验证了安全调度机制的有效性。

关键词: 单点脆弱性, 主动防御技术, 动态调度机制, 安全策略, 负载感知

Abstract: Concerning the flow rule tampering attacks and other single point vulnerability threats towards Software Defined Network (SDN) controller, traditional security solutions such as backup and fault-tolerant mechanisms which are based on passive defense defects, cannot fundamentally solve the control layer security issues. Combined with the current moving target defense and cyberspace mimic defense, a dynamic security scheduling mechanism based on heterogeneous redundant structure was proposed. A controller scheduling model was established in which the dynamic scheduling strategy was designed based on security principle combined with attack exception and heterogeneity. By considering the system load, the scheduling problem was transformed into a dynamic two-objective optimization problem by LA-SSA (Load-Aware Security Scheduling Algorithm) to achieve an optimal scheduling scheme. Simulation results show that compared with static structure, the dynamic scheduling mechanism has obvious advantages in cumulative number of exceptions and output safety rate, and the dynamic and diversity in the security scheduling mechanism can significantly improve the system's ability to resist attacks.The load variance of LA-SSA is more stable than that of safety priority scheduling, and the security imbalance is avoided, and the effectiveness of the security scheduling mechanism is verified.

Key words: single point vulnerability, active defense technology, dynamic scheduling mechanism, security strategy, load-awareness

中图分类号: