
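Design and Implementation of an SDN-Based Dynamic Network Defense System

Published: 2018-03-29 21:37

  Topic: software-defined networking. Entry point: traffic anomaly detection. Source: University of Electronic Science and Technology of China, master's thesis, 2017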


[Abstract]: As network technology continues to develop, people rely more and more on networks to transmit information. In traditional networks, static network configuration lets attackers easily identify network targets and then launch attacks. In recent years network security incidents have occurred frequently, and countries, companies and individuals all face many potential network security threats, so network security has attracted wide public attention. Software-defined networking (SDN), a new kind of network technology, provides powerful capabilities for network control and new opportunities for network security research. This thesis studies a dynamic network defense system based on the SDN architecture. The system collects traffic state statistics to generate a traffic matrix, performs anomaly detection on it, and then invokes the corresponding network configuration hopping strategy to eliminate the security risk. The thesis describes the structural design of the system, including the traffic anomaly detection module and the moving target defense module. The traffic anomaly detection module focuses on traffic matrix estimation; the moving target defense module mainly studies how to dynamically change three kinds of network configuration: IP address, port number and route. In addition, experiments verify the feasibility of the system. The main work of the thesis is as follows: (1) Two traffic matrix estimation algorithms are proposed: the maximum-fluctuation-first algorithm and the flow-rule load-balancing algorithm. First, the thesis measures an initial traffic matrix with the flow-rule load-balancing algorithm; then, using the maximum-fluctuation-first algorithm, it preferentially selects from the initial matrix the top k flows with the largest fluctuation values for measurement; finally, it introduces the idea of maximum-weight bipartite matching to allocate flow table entries. (2) Following the idea of moving target defense, dynamic hopping is implemented for three network configurations: IP address, port number and route. For IP address hopping, a hopping method based on two-level frequency division is adopted to maximize the unpredictability of IP addresses. For route hopping, a route selection method based on path weight is adopted to reduce single-node vulnerability. Finally, D-ITG is used to simulate real-world traffic data for performance testing of the system. The results of the traffic anomaly test show that the flow-rule load-balancing algorithm selects the top k flows with the largest fluctuation values with an accuracy above 70%, which demonstrates that the maximum-fluctuation-first algorithm can effectively reduce the estimation error of the traffic matrix. The moving target defense experiment demonstrates that network configuration hopping can maximize the unpredictability of the network configuration and effectively prevent network reconnaissance.
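[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08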


Article number: 1682992



Article link: https://www.wllwen.com/guanlilunwen/ydhl/1682992.html

