软件定义网络中流规则安全性研究进展

熊婉寅; 毛剑; 刘子雯; 刘文懋; 刘建伟

doi:10.19665/j.issn1001-2400.20230904

您当前的位置：

首页 >

文章列表页 >

软件定义网络中流规则安全性研究进展

网络空间安全 | 更新时间：2024-01-22

- 软件定义网络中流规则安全性研究进展
- 暂无标题
- 西安电子科技大学学报 2023年50卷第6期页码：172-194
- 作者机构：
  
  1. 北京航空航天大学网络空间安全学院,北京 100191
  2. 绿盟科技集团股份有限公司,北京 100089
- 作者简介：
  
  [ "熊婉寅(1998—),女,北京航空航天大学大学硕士研究生,E-mail:[email protected];" ]
  毛剑(1978—),女,副教授,E-mail:[email protected]
  [ "刘子雯(1998—),女,北京航空航天大学大学博士研究生,E-mail:[email protected];" ]
  [ "刘文懋(1983—),男,高级工程师,E-mail:[email protected];" ]
  [ "刘建伟(1964—),男,教授,E-mail:[email protected]。" ]
- 基金信息：
  
  国家自然科学基金(62172027);浙江省自然科学基金资助项目(LZ23F020013);北京市自然科学基金(6202036)
- DOI：10.19665/j.issn1001-2400.20230904
  中图分类号： TP309
- 收稿日期：2022-12-10，
  
  纸质出版日期：2023-12-20
- 稿件说明：
移动端阅览
熊婉寅, 毛剑, 刘子雯, 等. 软件定义网络中流规则安全性研究进展[J]. 西安电子科技大学学报, 2023,50(6):172-194.
熊婉寅, 毛剑, 刘子雯, 等. 软件定义网络中流规则安全性研究进展[J]. 西安电子科技大学学报, 2023,50(6):172-194. DOI： 10.19665/j.issn1001-2400.20230904.

DOI：

摘要

随着网络功能的日益多元化

具有集中控制与可编程性的软件定义网络(SDN)架构已在众多领域被广泛应用。然而

SDN特有的层次结构与运行机制也引入了新的安全挑战

其中

流规则作为控制平面管理决策的载体和数据平面网络行为的依据

已成为SDN网络攻防的重点。针对SDN中流规则的安全性问题

首先分析了SDN架构的特点及安全隐患。再基于SDN中的流规则机制

将针对流规则的攻击分为干扰控制平面决策和破坏数据平面执行两类

并介绍了攻击实例。对于提升流规则安全性的研究

分别从检验与增强两个方面展开分析

总结了现有的实现机制并简要分析了其存在的局限性。其中

分析探讨了基于建模检测和基于数据包探测的两种主流的检验方案

介绍讨论了基于权限控制、基于冲突解决和基于路径验证的3种具体的流规则增强思路。最后

展望了流规则安全性未来的发展方向。

Abstract

With the increasing diversification of network functions

the software-defined networking(SDN) architecture

which provides centralized network control and programmability

has been deployed in various fields.However

the unique hierarchical structure and operation mechanism of SDN also introduce new security challenges

among which as the carrier of control plane management decisions and the basis of data plane network behavior

flow rules have become the focus of SDN attack and defense.Aiming at the security issues of flow rules in SDN

this paper first reviews the characteristics and security risks of the SDN architecture.Based on the mechanism of flow rules in SDN

the attacks against flow rules are systematically divided into two categories

namely

interference of control plane decision and violation in data plane implementation

with the attack examples introduced.Then

the methods for improving the security of flow rules are analyzed and classified into two categories

i.e.

checking and enhancing the security of flow rules.Furthermore

existing implementation mechanisms are summarized with their limitations briefly analyzed.In terms of flow rule security checking

two mainstream methods

i.e.

model-based checking and test-packet-based checking

are analyzed and discussed.In terms of flow rule security enhancement

three specific ideas based on permission control

conflict resolution and path verification are introduced and discussed.Finally

the future research trends of flow rule security are prospected.

关键词

Keywords

references

GREENBERG A , HJALMTYSSON G , MALTZ D A , et al . A Clean Slate 4d Approach to Network Control and Management [J]. ACM SIGCOMM Computer Communication Review , 2005 , 35 ( 5 ): 41 - 54 . DOI: 10.1145/1096536.1096541 http://doi.org/10.1145/1096536.1096541 https://dl.acm.org/doi/10.1145/1096536.1096541 https://dl.acm.org/doi/10.1145/1096536.1096541

CASADO M , GARFINKEL T , AKELLA A , et al . Sane:A Protection Architecture for Enterprise Networks [C]// Proceedings of the 15th conference on USENIX Security Symposium.Berkeley:USENIX , 2006 : 137 - 151 .

CASADO M , FREEDMAN M J , PETTIT J , et al . Ethane:Taking Control of the Enterprise [J]. ACM SIGCOMMComputer Communication Review , 2007 , 37 ( 4 ): 1 - 12 .

JAIN S , KUMAR A , MANDAL S , et al . B4:Experience with a Globally-Deployed Software Defined Wan [J]. ACM SIGCOMM Computer Communication Review , 2013 , 43 ( 4 ): 3 - 14 .

PATEL P , BANSAL D , YUAN L , et al . Ananta:Cloud Scale Load Balancing [J]. ACM SIGCOMM Computer Communication Review , 2013 , 43 ( 4 ): 207 - 218 . DOI: 10.1145/2534169.2486026 http://doi.org/10.1145/2534169.2486026 https://dl.acm.org/doi/10.1145/2534169.2486026 https://dl.acm.org/doi/10.1145/2534169.2486026

NATARAJAN S , RAMAIAH A , MATHEN M . A Software Defined Cloud-Gateway Automation System Using Openflow [C]// Proceedings of the 2013 IEEE 2nd International Conference on Cloud Networking(CloudNet).Piscataway:IEEE , 2013 : 219 - 226 .

LI Y , CHEN M . Software-Defined Network Function Virtualization:A Survey [J]. IEEE Access , 2015 , 3 : 2542 - 2553 . DOI: 10.1109/ACCESS.2015.2499271 http://doi.org/10.1109/ACCESS.2015.2499271 http://ieeexplore.ieee.org/document/7350211/ http://ieeexplore.ieee.org/document/7350211/

JAIN R , PAUL S . Network Virtualization and Software Defined Networking for Cloud Computing:A Survey [J]. IEEE Communications Magazine , 2013 , 51 ( 11 ): 24 - 31 .

BIZANIS N , KUIPERS F A . Sdn and Virtualization Solutions for the Internet of Things:A Survey [J]. IEEE Access , 2016 , 4 : 5591 - 5606 . DOI: 10.1109/ACCESS.2016.2607786 http://doi.org/10.1109/ACCESS.2016.2607786 http://ieeexplore.ieee.org/document/7563828/ http://ieeexplore.ieee.org/document/7563828/

陈金涛 , 梁俊 , 郭子桢 , 等 . 软件定义卫星网络多控制器部署策略 [J]. 西安电子科技大学学报 , 2022 , 49 ( 3 ): 59 - 67 .

CHEN Jintao , LIANG Jun , GUO Zizhen , et al . Research on Deployment Strategy of Multiple Controllers in the Software-Defined Satellite Network [J]. Journal of Xidian University , 2022 , 49 ( 3 ): 59 - 67 .

GREENE K . Tr10:Software-Defined Networking [R]. Technology Review(MIT).Massachusetts:MIT , 2009 .

UJCICH B E , JERO S , SKOWYRA R , et al . Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking [C]// Proceedings of the 2020 Network and Distributed System Security Symposium(NDSS).Alexandria:NSF , 2020 : 1 - 18 .

UJCICH B E , JERO S , EDMUNDSON A , et al . Cross-App Poisoning in Software-Defined Networking [C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security(CCS18) . New York : ACM , 2018 : 648 - 663 .

CANINI M , VENZANO D , PEREŠÍNI P , et al . A Nice Way to Test Openflow Applications [C]// Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation(NSDI 12) . Berkeley : USENIX Association , 2012 : 127 - 140 .

WEN X , YANG B , CHEN Y , et al . Sdnshield:Reconciliating Configurable Application Permissions for Sdn App Markets [C]// Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN2016).Piscataway:IEEE , 2016 : 121 - 132 .

PORRAS P , SHIN S , YEGNESWARAN V , et al . A Security Enforcement Kernel for Openflow Networks [C]// Proceedings of theFirst Workshop on Hot Topics In Software Defined Networks . New York : ACM , 2012 : 121 - 126 .

LEE S , YOON C , SHIN S . The Smaller,the Shrewder:A Simple Malicious Application Can Kill an Entire Sdn Environment [C]// Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization . New York : ACM , 2016 : 23 - 28 .

ZENG H , KAZEMIAN P , VARGHESE G , et al . Automatic Test Packet Generation [C]// Proceedings of the 8th International Conference on Emerging Networking Experiments and Technologies . New York : ACM , 2012 : 241 - 252 .

AHMAD I , NAMAL S , YLIANTTILA M , et al . Security in Software Defined Networks:A Survey [J]. IEEE Communications Surveys & Tutorials , 2015 , 17 ( 4 ): 2317 - 2346 .

KUŹNIAR M , PEREŠÍNI P , KOSTIĆ D . What You Need to Know About Sdn Flow Tables [C]// Proceedings of the 16th International Conference on Passive and Active Network Measurement.Heidelberg:Springer , 2015 : 347 - 359 .

MISEREZ J , BIELIK P , EL-HASSANY A , et al . Sdnracer:Detecting Concurrency Violations in Software-Defined Networks [C]// Proceedings of the 1st ACM SIGCOMM Symposium on Software Defined Networking Research . New York : ACM , 2015 : 1 - 7 .

PEREŠÍNI P , KUŹNIAR M , KOSTIĆ D . Monocle:Dynamic,Fine-Grained Data Plane Monitoring [C]// Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies . New York : ACM , 2015 : 1 - 13 .

SCOTT-HAYWARD S , NATARAJAN S , SEZER S . A Survey of Security in Software Defined Networks [J]. IEEE Communications Surveys & Tutorials , 2015 , 18 ( 1 ): 623 - 654 .

BU K , WEN X , YANG B , et al . Is Every Flow on the Right Track?:Inspect Sdn Forwarding with Rulescope [C]// Proceedings of the IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications.Piscataway:IEEE , 2016 : 1 - 9 .

ZHANG P , LI H , HU C , et al . Mind the Gap:Monitoring the Control-Data Plane Consistency in Software Defined Networks [C]// Proceedings of the 12th International on Conference on Emerging Networking EXperiments and Technologies . New York : ACM , 2016 : 19 - 33 .

MCKEOWN N , ANDERSON T , BALAKRISHNAN H , et al . Openflow:Enabling Innovation in Campus Networks [J]. ACM SIGCOMM Computer Communication Review , 2008 , 38 ( 2 ): 69 - 74 .

FUNDATION O N . Software-Defined Networking:The New Norm for Networks [J]. ONF White Paper , 2012 , 2 ( 2-6 ): 11 .

GUDE N , KOPONEN T , PETTIT J , et al . Nox:Towards an Operating System for Networks [J]. ACM SIGCOMM computer communication review , 2008 , 38 ( 3 ): 105 - 110 . DOI: 10.1145/1384609.1384625 http://doi.org/10.1145/1384609.1384625 https://dl.acm.org/doi/10.1145/1384609.1384625 https://dl.acm.org/doi/10.1145/1384609.1384625

MEDVED J , VARGA R , TKACIK A , et al . Opendaylight:Towards a Model-Driven Sdn Controller Architecture [C]// Proceeding of the IEEE International Symposium on a World of Wireless,Mobile and Multimedia Networks 2014.Piscataway:IEEE , 2014 : 1 - 6 .

ERICKSON D . The Beacon Openflow Controller [C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking . New York : ACM , 2013 : 13 - 18 .

BERDE P , GEROLA M , HART J , et al . Onos:Towards an Open,Distributed Sdn Os [C]// Proceedings of the Third Workshop on Hot Topics in Software defined Networking . New York : ACM , 2014 : 1 - 6 .

李可欣 , 王兴伟 , 易波 , 等 . 智能软件定义网络 [J]. 软件学报 , 2021 , 32 ( 1 ): 118 - 136 .

LI Kexin , WANG Xingwei , YI Bo , et al . Survey of Intelligent Software Defined Networking [J]. Journal of Software , 2021 , 32 ( 1 ): 118 - 136 .

杨洋 , 吕光宏 , 赵会 , 等 . 深度学习在软件定义网络研究中的应用综述 [J]. 软件学报 , 2020 , 31 ( 7 ): 2184 - 2204 .

YANG Yang , LV Guanghong , ZHAO Hui , et al . Survey on Deep Learning Applications in Software Defined Networking Research [J]. Journal of Software , 2020 , 31 ( 7 ): 2184 - 2204 .

HALEPLIDIS E , SALIM J H , HALPERN J M , et al . Network Programmability with Forces [J]. IEEE Communications Surveys & Tutorials , 2015 , 17 ( 3 ): 1423 - 1440 .

BOSSHART P , DALY D , GIBB G , et al . P4:Programming Protocol-Independent Packet Processors [J]. ACM SIGCOMM Computer Communication Review , 2014 , 44 ( 3 ): 87 - 95 .

于洋 , 王之梁 , 毕军 , 等 . 软件定义网络中北向接口语言综述 [J]. 软件学报 , 2016 , 27 ( 04 ): 993 - 1008 .

YU Yang , WANG Zhiliang , BI Jun , et al . Survey on the Languages in the Northbound Interface of Software Defined Networking [J]. Journal of Software , 2016 , 27 ( 4 ): 993 - 1008 .

王蒙蒙 , 刘建伟 , 陈杰 , 等 . 软件定义网络:安全模型,机制及研究进展 [J]. 软件学报 , 2016 , 27 ( 4 ): 969 - 992 .

WANG Mengmeng , LIU Jianwei , CHEN Jie , et al . Software Defined Networking:Security Model,Threats and Mechanism [J]. Journal of Software , 2016 , 27 ( 4 ): 969 - 992 .

SCOTT-HAYWARD S , O'CALLAGHAN G , SEZER S . Sdn Security:A Survey [C]// Proceedings of the 2013 IEEE SDN For Future Networks and Services(SDN4FNS).Piscataway:IEEE , 2013 : 1 - 7 .

KREUTZ D , RAMOS F M , VERISSIMO P . Towards Secure and Dependable Software-Defined Networks [C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot topics in Software Defined Networking . New York : ACM , 2013 : 55 - 60 .

YOON C , LEE S , KANG H , et al . Flow Wars:Systemizing the Attack Surface and Defenses in Software-Defined Networks [J]. IEEE/ACM Transactions on Networking , 2017 , 25 ( 6 ): 3514 - 3530 . DOI: 10.1109/TNET.2017.2748159 http://doi.org/10.1109/TNET.2017.2748159 http://ieeexplore.ieee.org/document/8048353/ http://ieeexplore.ieee.org/document/8048353/

SHIN S , GU G . Attacking Software-Defined Networks:A First Feasibility Study [C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking . New York : ACM , 2013 : 165 - 166 .

AZZOUNI A , BRAHAM O , NGUYEN T M T , et al . Fingerprinting Openflow Controllers:The First Step to Attack a Sdn Control Plane [C]// Proceedings of the 2016 IEEE Global Communications Conference(GLOBECOM).Piscataway:IEEE , 2016 : 1 - 6 .

CAO J , YANG Z , SUN K , et al . Fingerprinting Sdn Applications Via Encrypted Control Traffic [C]// Proceedings of the 22nd International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2019).Berkeley:USENIX , 2019 : 501 - 515 .

HANMER R , LIU S , JAGADEESAN L , et al . Death by Babble:Security and Fault Tolerance of Distributed Consensus in High-Availability Softwarized Networks [C]// Proceedings of the 2019 IEEE Conference on Network Softwarization(NetSoft).Piscataway:IEEE , 2019 : 266 - 270 .

ZHANG M , LI G , XU L , et al . Control Plane Reflection Attacks in Sdns:New Attacks and Countermeasures [C]// Proceedings of the 21st International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2018).Heidelberg:Springer , 2018 : 161 - 183 .

ALHARBI T , PORTMANN M , PAKZAD F . The(in) Security of Topology Discovery in Software Defined Networks [C]// Proceedings of the 2015 IEEE 40th Conference on Local Computer Networks(LCN 2015).Piscataway:IEEE , 2015 : 502 - 505 .

SHIN S , YEGNESWARAN V , PORRAS P , et al . Avant-Guard:Scalable and Vigilant Switch Flow Management in Software-Defined Networks [C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security(CCS13) . New York : ACM , 2013 : 413 - 424 .

AMBROSIN M , CONTI M , DE GASPARI F , et al . Lineswitch:Tackling Control Plane Saturation Attacks in Software-Defined Networking [J]. IEEE/ACM Transactions on Networking , 2016 , 25 ( 2 ): 1206 - 1219 . DOI: 10.1109/TNET.2016.2626287 http://doi.org/10.1109/TNET.2016.2626287 http://ieeexplore.ieee.org/document/7762225/ http://ieeexplore.ieee.org/document/7762225/

RÖPKE C , HOLZ T . Sdn Rootkits:Subverting Network Operating Systems of Software-Defined Networks [C]// Proceedings of the 18th International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2015).Heidelberg:Springer , 2015 : 339 - 356 .

THIMMARAJU K , SHASTRY B , FIEBIG T , et al . Taking Control of Sdn-Based Cloud Systems Via the Data Plane [C]// Proceedings of the Symposium on SDN Research . New York : ACM , 2018 : 1 - 15 .

HONG S , XU L , WANG H , et al . Poisoning Network Visibility in Software-Defined Networks:New Attacks and Countermeasures [C]// Proceedings of the 2015 Network and Distributed System Security Symposium(NDSS) . San Diego : NDSS , 2015 : 8 - 11 .

UJCICH B E , THAKORE U , SANDERS W H . Attain:An Attack Injection Framework for Software-Defined Networking [C]// Proceedings of the 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN2017).Piscataway:IEEE , 2017 : 567 - 578 .

YU Y , LI X , LENG X , et al . Fault Management in Software-Defined Networking:A Survey [J]. IEEE Communications Surveys & Tutorials , 2018 , 21 ( 1 ): 349 - 392 .

DACIER M C , KÖNIG H , CWALINSKI R , et al . Security Challenges and Opportunities of Software-Defined Networking [J]. IEEE Security & Privacy , 2017 , 15 ( 2 ): 96 - 100 .

AL-SHAER E , AL-HAJ S . Flowchecker:Configuration Analysis and Verification of Federated Openflow Infrastructures [C]// Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration . New York : ACM , 2010 : 37 - 44 .

MAI H , KHURSHID A , AGARWAL R , et al . Debugging the Data Plane with Anteater [J]. ACM SIGCOMM Computer Communication Review , 2011 , 41 ( 4 ): 290 - 301 . DOI: 10.1145/2043164.2018470 http://doi.org/10.1145/2043164.2018470 https://dl.acm.org/doi/10.1145/2043164.2018470 https://dl.acm.org/doi/10.1145/2043164.2018470

KAZEMIAN P , VARGHESE G , MCKEOWN N . Header Space Analysis:Static Checking for Networks [C]// Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation(NSDI 12).Berkeley:USENIX , 2012 : 113 - 126 .

KAZEMIAN P , CHANG M , ZENG H , et al . Real Time Network Policy Checking Using Header Space Analysis [C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation(NSDI 13).Berkeley:USENIX , 2013 : 99 - 111 .

KHURSHID A , ZOU X , ZHOU W , et al . Veriflow:Verifying Network-Wide Invariants in Real Time [C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation(NSDI 13).Berkeley:USENIX , 2013 : 15 - 27 .

SON S , SHIN S , YEGNESWARAN V , et al . Model Checking Invariant Security Properties in Openflow [C]// Proceedings of the 2013 IEEE International Conference on Communications(ICC).Piscataway:IEEE , 2013 : 1974 - 1979 .

ZENG H , ZHANG S , YE F , et al . Libra:Divide and Conquer to Verify Forwarding Tables in Huge Networks [C]// Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation(NSDI 14).Berkeley:USENIX , 2014 : 87 - 99 .

LOPES N P , BJØRNER N , GODEFROID P , et al . Checking Beliefs in Dynamic Networks [C]// Proceedings of the 12th USENIX Symposium on Networked Systems Design and Implementation(NSDI 15).Berkeley:USENIX , 2015 : 499 - 512 .

YANG H , LAM S S . Real-Time Verification of Network Properties Using Atomic Predicates [J]. IEEE/ACM Transactions on Networking , 2015 , 24 ( 2 ): 887 - 900 . DOI: 10.1109/TNET.2015.2398197 http://doi.org/10.1109/TNET.2015.2398197 http://ieeexplore.ieee.org/document/7059250/ http://ieeexplore.ieee.org/document/7059250/

YANG H , LAM S S . Scalable Verification of Networks with Packet Transformers Using Atomic Predicates [J]. IEEE/ACM Transactions on Networking , 2017 , 25 ( 5 ): 2900 - 2915 . DOI: 10.1109/TNET.2017.2720172 http://doi.org/10.1109/TNET.2017.2720172 http://ieeexplore.ieee.org/document/7982703/ http://ieeexplore.ieee.org/document/7982703/

HORN A , KHERADMAND A , PRASAD M . Delta-Net:Real-Time Network Verification Using Atoms [C]// Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation(NSDI 17).Berkeley:USENIX , 2017 : 735 - 749 .

ZHANG P , LIU X , YANG H , et al . Apkeep:Realtime Verification for Real Networks [C]// Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation(NSDI 20).Berkeley:USENIX , 2020 : 241 - 255 .

HANDIGOL N , HELLER B , JEYAKUMAR V , et al . I Know What Your Packet Did Last Hop:Using Packet Histories to Troubleshoot Networks [C]// Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation(NSDI 14).Berkeley:USENIX , 2014 : 71 - 85 .

AGARWAL K , ROZNER E , DIXON C , et al . Sdn Traceroute:Tracing Sdn Forwarding without Changing Network Behavior [C]// Proceedings of the Third Workshop on Hot Topics in Software Defined Networking . New York : ACM , 2014 : 145 - 150 .

TAMMANA P , AGARWAL R , LEE M . Simplifying Datacenter Network Debugging with Pathdump [C]// Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation(OSDI 16).Berkeley:USENIX , 2016 : 233 - 248 .

SHUKLA A , SAIDI S J , SCHMID S , et al . Toward Consistent Sdns:A Case for Network State Fuzzing [J]. IEEE Transactions on Network and Service Management , 2019 , 17 ( 2 ): 668 - 681 . DOI: 10.1109/TNSM.4275028 http://doi.org/10.1109/TNSM.4275028 https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=4275028 https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=4275028

ZHANG P , WU H , ZHANG D , et al . Verifying Rule Enforcement in Software Defined Networks with Rev [J]. IEEE/ACM Transactions on Networking , 2020 , 28 ( 2 ): 917 - 929 . DOI: 10.1109/TNET.90 http://doi.org/10.1109/TNET.90 https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=90 https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=90

ZHANG P , ZHANG F , XU S , et al . Network-Wide Forwarding Anomaly Detection and Localization in Software Defined Networks [J]. IEEE/ACM Transactions on Networking , 2021 , 29 ( 1 ): 332 - 345 . DOI: 10.1109/TNET.90 http://doi.org/10.1109/TNET.90 https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=90 https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=90

LI Y , YIN X , WANG Z , et al . A Survey on Network Verification and Testing with Formal Methods:Approaches and Challenges [J]. IEEE Communications Surveys & Tutorials , 2018 , 21 ( 1 ): 940 - 969 .

XIE G G , ZHAN J , MALTZ D A , et al . On Static Reachability Analysis of Ip Networks [C]// Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies(INFOCOM).Piscataway:IEEE , 2005 : 2170 - 2183 .

LI Q , LIU Y , LIU Z , et al . Efficient Forwarding Anomaly Detection in Software-Defined Networks [J]. IEEE Transactions on Parallel and Distributed Systems , 2021 , 32 ( 11 ): 2676 - 2690 . DOI: 10.1109/TPDS.2021.3068135 http://doi.org/10.1109/TPDS.2021.3068135 https://ieeexplore.ieee.org/document/9387572/ https://ieeexplore.ieee.org/document/9387572/

SHIN S W , PORRAS P , YEGNESWARA V , et al . FRESCO:Modular Composable Security Services for Software-Defined Networks [C]// Proceedings of the 20th Annual Network & Distributed System Security Symposium(NDSS) . San Diego : NDSS , 2013 : 1 - 16 .

PORRAS P A , CHEUNG S , FONG M W , et al . Securing the Software Defined Network Control Layer [C]// Proceedings of the 2015 Network and Distributed System Security Symposium(NDSS) . San Diego : NDSS , 2015 : 1 - 15 .

WANG M , LIU J , CHEN J , et al . Perm-Guard:Authenticating the Validity of Flow Rules in Software Defined Networking [J]. Journal of Signal Processing Systems , 2017 , 86 ( 2-3 ): 157 - 173 . DOI: 10.1007/s11265-016-1115-8 http://doi.org/10.1007/s11265-016-1115-8 http://link.springer.com/10.1007/s11265-016-1115-8 http://link.springer.com/10.1007/s11265-016-1115-8

HU H , HAN W , AHN G-J , et al . FLOWGUARD:Building Robust Firewalls for Software-Defined Networks [C]// Proceedings of the Third Workshop on Hot Topics in Software Defined Networking . New York : ACM , 2014 : 97 - 102 .

王鹃 , 王江 , 焦虹阳 , 等 . 一种基于OpenFlow的SDN访问控制策略实时冲突检测与解决方法 [J]. 计算机学报 , 2015 , 38 ( 4 ): 872 - 883 .

WANG Juan , WANG Jiang , JIAO Hongyang , et al . A Method of Openflow-Based Real-Time Conflict Detection and Resolution for SDN Access Control Policies [J]. Chinese Journal of Computers , 2015 , 38 ( 4 ): 872 - 883 .

SASAKI T , PAPPAS C , LEE T , et al . SDNsec:Forwarding Accountability for the Sdn Data Plane [C]// Proceedings of the 2016 25th International Conference on Computer Communication and Networks(ICCCN).Piscataway:IEEE , 2016 : 1 - 10 .

XI S , BU K , MAO W , et al . RuleOut Forwarding Anomalies for SDN [J]. IEEE/ACM Transactions on Networking , 2023 , 31 ( 1 ): 395 - 407 . DOI: 10.1109/TNET.2022.3194970 http://doi.org/10.1109/TNET.2022.3194970 https://ieeexplore.ieee.org/document/9852189/ https://ieeexplore.ieee.org/document/9852189/

左青云 , 陈鸣 , 王秀磊 , 等 . 一种基于SDN的在线流量异常检测方法 [J]. 西安电子科技大学学报 , 2015 , 42 ( 1 ): 155 - 160 .

ZUO Qingyun , CHEN Ming , WANG Xiulei , et al . Online Traffic Anomaly Detection Method for SDN [J]. Journal of Xidian University , 2015 , 42 ( 1 ): 155 - 160 .

刘益岑 , 陈兴凯 , 卢昱 , 等 . 一种软件定义网络的安全服务路径优化构建机制 [J]. 西安电子科技大学学报 , 2019 , 46 ( 1 ): 158 - 165 .

LIU Yicen , CHEN Xingkai , LU Yu , et al . SDN-Based Optimal Security Service Path Construction Mechanism [J]. Journal of Xidian University , 2019 , 46 ( 1 ): 158 - 165 .

浏览量

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

一种高效的软件模糊测试种子生成方法

COLLATE:控制相关数据的完整性保护

因果图增强的APT攻击检测算法

一种面向智慧交通的车联网网络流量估计方法

应用Q学习决策的最优攻击路径生成方法