SDN网络虚拟化安全服务动态构建技术研究

发布时间：2018-08-17 18:04

【摘要】：SDN(Software Defined Network,软件定义网络)是针对传统网络架构的不灵活,不满足当前网络需求的情况下所提出的一种新型网络架构,它将网络设备的控制面和数据面分离。这种架构使得SDN不仅要面临传统网络安全威胁,还要考虑控制面集中化所带来的安全威胁。SDN的可编程性和网络功能虚拟化技术使得SDN网络安全可以以虚拟化的安全服务方式来实现防护。本论文主要研究如何动态构建SDN网络虚拟化安全服务,从而达到防护SDN安全的目的。本论文主要从以下三个方面开展工作:(1)为解决SDN面临的安全威胁,本论文分析SDN安全的需求,提出一种新型的SDN安全服务组合体系架构。即在SDN控制层增加一个安全服务编排中心,将SDN的安全防护任务从控制器中脱离出来,交由安全服务编排中心实现。(2)为实现SDN安全服务组合体系架构,本论文细化安全服务编排中心,分解安全服务构建安全元功能库。基于WEB服务组合技术,提出SDN安全服务动态构建算法。在该算法中使用两种服务组合方法:基于工作流的组合和基于专家系统的规则组合,满足不同用户需求。(3)针对SDN安全服务动态构建算法中的规则组合方法组合时间较慢的问题,提出基于RETE的SDN安全服务动态构建优化算法。即将规则组合中的规则编译为RETE网络,通过保存中间状态和共享状态节点降低规则组合时间,减少用户等待时间,改善用户体验。本论文在OpenStack云平台上搭建SDN安全服务网络环境,构建SDN安全服务从而对系统进行功能验证。测试不同用户规模下两种组合方式的时间,对影响规则组合的原因进行探讨。对运用优化算法改进后的规则组合时间进行测试,结果表明:优化算法可以较好地减少规则的组合时间,提高规则的组合效率,从功能和性能上达到SDN安全防护的目的。
[Abstract]:SDN (Software Defined Network, software defined network is a new network architecture which can not meet the current network requirements because of the inflexibility of the traditional network architecture. It separates the control surface and the data surface of the network equipment. This architecture makes SDN not only face traditional network security threats, The programmability of the security threat caused by centralization of control surface and the virtualization of network function make the security of SDN network be protected by virtualization security service. This paper mainly studies how to construct SDN network virtualization security service dynamically, so as to protect SDN security. The main work of this thesis is as follows: (1) in order to solve the security threats faced by SDN, this paper analyzes the security requirements of SDN, and proposes a new architecture of SDN security service composition. That is to add a security service orchestration center in the SDN control layer, detach the security protection task of SDN from the controller, and hand it over to the security service orchestration center. (2) in order to realize the SDN security service composition architecture, This paper refines the security service orchestration center, decomposes the security service to construct the security metafuncture library. Based on the technology of WEB service composition, an algorithm for dynamic construction of SDN security service is proposed. In this algorithm, two service composition methods are used: workflow-based composition and expert system-based rule composition to meet the needs of different users. (3) aiming at the slow composition time of the rule composition method in the dynamic construction algorithm of SDN security services, An optimization algorithm for dynamic construction of SDN security services based on RETE is proposed. The rules in the rule composition are compiled into RETE network. By saving the intermediate state and the shared state node, the rule composition time is reduced, the user waiting time is reduced, and the user experience is improved. This paper builds the SDN security service network environment on the OpenStack cloud platform, constructs the SDN security service to carry on the function verification to the system. Test the time of the two combinations under different user size, and discuss the reasons that affect the combination of rules. The test results show that the optimized algorithm can reduce the combination time of rules, improve the efficiency of rule combination, and achieve the purpose of SDN security protection in function and performance.
【学位授予单位】：北京交通大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP393.09

【参考文献】