
Survivability Assurance Mechanisms For Data Plane Of Software-Defined Network In The Cloud Data Centers

Posted on: 2019-06-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B Yuan
GTID: 1368330548955216
Subject: Computer system architecture

Abstract/Summary:
With more and more business being migrated to Cloud data centers, the needs of Cloud data center users are becoming more diversified, differentiated and highly customized. To meet these needs, software-defined networking (SDN), which offers programmability and high flexibility, has been widely deployed in Cloud data centers and has become an important part of their network infrastructure. However, the data plane, which is responsible for the actual forwarding and processing of business data, has security flaws. Once the SDN data plane is compromised, the availability of Cloud services and of the Cloud network infrastructure, the correctness of network state data, and the reliability of network policies can no longer be guaranteed, and the Cloud data center will suffer incalculable losses.

At present, research on the security of the SDN data plane is still in its early stages, and many issues remain to be studied. First, the network forwarding devices are important infrastructure of the SDN. However, their hardware implementation is flawed and their processing capability is limited, which makes the infrastructure of the SDN data plane very fragile when facing brute force attacks. Second, the SDN data plane lacks a fault tolerance mechanism. Malicious or faulty internal nodes can easily tamper with the network state data, which in turn affects the generation of network policies and threatens the reliability of the network. Finally, since the data flows of the services running on the hosts are forwarded and processed by the data plane in an SDN environment, the special nature of the SDN data plane inevitably affects the hosts and the services. When the hosts are attacked, a QoS (Quality of Service) aware attack mitigation method is needed that considers the characteristics of the SDN, the attack and the service together. However, existing protection methods for the SDN data plane lack systematic consideration and are fragmented. Therefore, to provide comprehensive and systematic protection for the SDN data plane in Cloud data centers, its survivability assurance mechanisms are studied from the following three aspects.

For mitigation of brute force attacks against forwarding devices in SDNs, a queueing-theory-based system model is established to approximate the capacity of the whole SDN system to defend against attacks. Guided by the model, a peer-support strategy is presented that integrates the idle resources of the whole network for attack mitigation, thus ensuring the availability of the SDN data plane infrastructure. First, the vulnerabilities of SDN forwarding devices and the method of exploiting them are analyzed. Then, practical attacks are emulated to verify the feasibility of the exploitation method and to evaluate the impact of the attack on the entire network. Further, the system is modeled as a queueing system to approximate the idle resources available for defense. Finally, a peer-support-based attack mitigation approach is implemented that integrates all the available idle resources to defend against the attack. The proposal effectively enhances the availability of the SDN data plane infrastructure by strengthening the system's ability to defend against brute force attacks.

For automatic tolerance of internal faults, a Byzantine-model-based faulty switch tolerance approach is proposed to ensure the correctness of the controller's inputs (the network state information provided by the switches in the data plane) as long as the Byzantine condition is satisfied (in the classical model, fewer than one third of the participating nodes are faulty), thus improving the reliability of the SDN. First, the malicious behaviors of faulty switches that would taint the correctness of the controller's inputs are analyzed, together with their possible consequences. Based on these observations, a Byzantine-model-based automatic faulty switch tolerance approach is presented. Then, the feasibility of applying the Byzantine model in this scenario is studied, which provides theoretical support and practical guidance for the implementation. Finally, based on an analysis of the implementation challenges, a proxy layer is introduced into the SDN framework to apply the Byzantine model and protocol in the SDN environment. The proposed approach automatically tolerates faulty switches and ensures the correctness of the controller's inputs. As a result, the reliability of the SDN is effectively improved.

For mitigation of attacks against the hosts in an SDN environment, a method that combines the advantages of software-defined networking and distributed processing is presented to protect the hosts in the SDN of Cloud data centers with QoS assurance, thus improving the availability of network services. The centralized control of SDN makes a comprehensive analysis of the network status possible, so attack mitigation policies can be generated rapidly. Further, the programmability of SDN allows network policies to be enforced quickly through adaptive generation, installation and deletion of forwarding rules. Moreover, subnet division and load balancing are implemented with distributed computing techniques. Finally, QoS is maintained by intelligently caching and resending network packets. With these designs, the hosts in the SDN of Cloud data centers are comprehensively protected with a QoS guarantee, which effectively improves the availability of network services.

In summary, focusing on the security issues of the SDN data plane, mechanisms for enhancing the availability of the SDN data plane infrastructure, the reliability of network policies and the availability of network services are systematically investigated. Protection methods for all three aspects are proposed to assure the survivability of the SDN data plane in Cloud data centers.
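As an added illustration of the first aspect above (editor-supplied example code, not the dissertation's model or implementation): the abstract does not state which queueing model is used, so this example assumes that each switch's flow table behaves as an Erlang loss system (K entries, each holding one flow for an exponentially distributed lifetime, arrivals that find the table full are dropped). A switch's "idle resource" is taken to be the extra flow arrival rate it can absorb before its loss exceeds an assumed service-level bound, and the peer-support strategy spreads the attack-induced flow arrivals first over the target's own headroom and then over the peers' headroom. The topology, rates, table sizes and attack rate are constructed for the example.

```python
# Constructed topology (not from the dissertation): switch -> (normal flow
# arrival rate in flows/s, mean flow lifetime in s, flow-table capacity).
SWITCHES = {
    "edge-1": (50.0, 10.0, 1000),
    "edge-2": (20.0, 10.0, 1000),
    "core-1": (30.0, 10.0, 2000),
}
# Assumed service-level bound: a switch lends capacity only while its own
# loss stays at or below this fraction of new flows.
MAX_LOSS = 1e-3


def erlang_b(capacity, offered_load):
    """Blocking probability of an M/M/K/K loss system (Erlang B), computed
    with the standard recursion so that capacities in the thousands do not
    overflow the factorials of the closed form."""
    b = 1.0
    for i in range(1, capacity + 1):
        b = offered_load * b / (i + offered_load * b)
    return b


def loss(rate, lifetime, capacity):
    """Fraction of new flows a switch drops at the given arrival rate."""
    return erlang_b(capacity, rate * lifetime)


def headroom(rate, lifetime, capacity, max_loss=MAX_LOSS):
    """Largest extra arrival rate the switch can absorb while keeping its
    loss at or below max_loss, found by bisection.  This is the idle
    resource the peer-support strategy can lend to an attacked peer."""
    if loss(rate, lifetime, capacity) > max_loss:
        return 0.0
    lo, hi = 0.0, 2.0 * capacity / lifetime  # offered load 2K already loses ~50%
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if loss(rate + mid, lifetime, capacity) <= max_loss:
            lo = mid
        else:
            hi = mid
    return lo


def peer_support(switches, target, attack_rate, max_loss=MAX_LOSS):
    """Arrival rate per switch after the attack flows aimed at `target` are
    spread over the target's own headroom and then over the peers' headroom,
    each peer taking load in proportion to what it has to spare.  Whatever
    the network as a whole cannot absorb still lands on the target."""
    rates = {name: spec[0] for name, spec in switches.items()}
    room = {name: headroom(*spec, max_loss=max_loss) for name, spec in switches.items()}
    remaining = attack_rate
    own = min(room[target], remaining)
    rates[target] += own
    remaining -= own
    peers = {n: r for n, r in room.items() if n != target and r > 0.0}
    total_room = sum(peers.values())
    if remaining > 0.0 and total_room > 0.0:
        shared = min(remaining, total_room)
        for name, r in peers.items():
            rates[name] += shared * r / total_room
        remaining -= shared
    rates[target] += remaining
    return rates


def dropped_flows_per_second(switches, rates):
    """Flows per second lost across the whole data plane at the given rates."""
    return sum(rates[n] * loss(rates[n], switches[n][1], switches[n][2]) for n in switches)


def compare(target="edge-1", attack_rate=300.0, switches=SWITCHES):
    """Return (flows/s dropped without peer support, flows/s dropped with it)."""
    alone = {n: s[0] for n, s in switches.items()}
    alone[target] += attack_rate
    shared = peer_support(switches, target, attack_rate)
    return dropped_flows_per_second(switches, alone), dropped_flows_per_second(switches, shared)


if __name__ == "__main__":
    before, after = compare()
    print(f"dropped flows/s: target alone={before:.1f}, with peer support={after:.1f}")
```

The bisection in `headroom` is what turns the queueing model into a defensive budget: it answers "how much more can this switch take before it starts dropping legitimate flows", which is exactly the quantity a peer-support scheduler needs, and capping each peer at that budget is what keeps the mitigation from simply moving the outage to a neighbour.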
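As an added illustration of the second aspect above (editor-supplied example code, not the dissertation's proxy layer or protocol): the example assumes the classical Byzantine bound, n >= 3f + 1 reporters of which at most f are faulty, and a proxy between the data plane and the controller that forwards a piece of network state only when a quorum of 2f + 1 switches that can all observe it report the same value. With at most f faulty reporters, the 2f + 1 honest ones always reach that quorum and a wrong value never can, so the controller's input stays correct; switches that disagree with the quorum, or stay silent, are flagged automatically. The switch names and reports are constructed.

```python
from collections import Counter


class ByzantineProxy:
    """Constructed proxy layer (assumption, not the dissertation's design):
    collects reports of the same network-state item from n switches and
    releases a value to the controller only on a 2f+1 quorum."""

    def __init__(self, f):
        self.f = f                  # number of faulty switches tolerated
        self.suspects = set()       # switches whose reports contradicted a quorum

    @property
    def min_reporters(self):
        # Classical Byzantine condition: n >= 3f + 1.
        return 3 * self.f + 1

    @property
    def quorum(self):
        # 2f + 1 reporters must contain at least f + 1 honest ones, and the
        # >= 2f + 1 honest reporters always agree, so the true value reaches
        # the quorum while any false value gets at most f votes.
        return 2 * self.f + 1

    def decide(self, reports):
        """reports: {switch_id: value} where value is None if the switch stayed
        silent.  Returns the agreed value, or None when no quorum exists, in
        which case the controller must not act on this input at all."""
        if len(reports) < self.min_reporters:
            raise ValueError(f"need at least {self.min_reporters} reporters for f={self.f}")
        votes = Counter(v for v in reports.values() if v is not None)
        if not votes:
            return None
        value, count = votes.most_common(1)[0]
        if count < self.quorum:
            return None
        # Automatic tolerance: anything that disagreed with the quorum value
        # (including silence) is recorded so the controller can stop relying
        # on that switch or route around it.
        for switch, reported in reports.items():
            if reported != value:
                self.suspects.add(switch)
        return value


if __name__ == "__main__":
    proxy = ByzantineProxy(f=1)
    # Constructed round: four switches observe the same link; s3 has been
    # compromised and reports it down to provoke a harmful reroute policy.
    print(proxy.decide({"s1": "up", "s2": "up", "s3": "down", "s4": "up"}), proxy.suspects)
    # Constructed round with two liars: the Byzantine bound is exceeded, so
    # the proxy refuses to hand anything to the controller.
    print(proxy.decide({"s1": "up", "s2": "up", "s3": "down", "s4": "down"}))
```

The important property is the second round: when more than f switches misbehave, a plain majority vote would still pick a side, whereas the quorum rule returns no value, which is the only safe answer for an input that drives policy generation.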
Keywords/Search Tags:Software-defined Network Security, Cloud Security, Cloud Data Center, Survivability, Availability, Reliability