
Research On OpenFlow Malicious Switch Detection And Defense Technology

Posted on: 2022-03-16
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Zhang
Full Text: PDF
GTID: 2518306494468764
Subject: Cyberspace security

Abstract/Summary:
Software-defined networking (SDN) is a new type of software-based network architecture and technology that separates the control plane and the data plane of the network. The logically centralized control plane has a global view of the network, performs global resource allocation and optimization, and makes the network easier to operate. SDN achieves efficient network management and resource scheduling by reconstructing the traditional network architecture. Its separation of forwarding and control, centralized control, open programmability, flow-table-based forwarding and other features make security protection more flexible, intelligent and coordinated, and make network capabilities easier to invoke in support of network service innovation. With the widespread adoption of SDN, the security problems faced by the data plane have gradually emerged. A data plane switch may contain various vulnerabilities that attackers can exploit. Once a switch is controlled by an attacker, it not only loses its normal function but may also carry out malicious behaviors such as packet loss, traffic replication and traffic bias (deviation), which disrupt normal network operation. Aiming at these security problems of the data plane, this paper conducts research from two aspects: malicious switch detection and defense. The main work of this paper is as follows:

(1) A malicious switch detection method based on flow rule consistency and neighbor switch monitoring is proposed. This method makes full use of the flow-table forwarding characteristics of the SDN architecture. The controller checks the consistency of the flow rules by reading the flow table information of the switches on the flow path, analyzes the flow information of the neighboring switches connected to each flow path switch, monitors the flow path switch, and exposes malicious behavior that the switch deliberately hides, thereby detecting malicious switches and improving SDN network security.

(2) A defense method based on dynamically changing OpenFlow switch ports is proposed. The IP address and port number information in the packet header is used as the seed for port conversion, so that the converted port has sufficient randomness and the dynamics of the network are effectively improved. The switch and the controller keep their port conversion synchronized by counting the number of times flow rules have been issued; no strict time synchronization and no additional synchronization messages are needed, which further enhances the security of the network.

(3) Using Ryu as the SDN controller and Mininet as the experimental simulation platform, the methods proposed in this paper are tested, evaluated and analyzed. The experimental results show that the malicious switch detection module can effectively detect switches performing malicious behavior, and that the moving target defense module can dynamically change the port through which the switch forwards data, preventing attackers from carrying out malicious actions.
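As an added illustration of contribution (1), the following Python sketch (not the thesis's code, independent of Ryu, run over constructed data) models the flow rule consistency check and the neighbor counter cross-check, and flags the three malicious behaviors named in the abstract. The `FlowView` fields, the `tolerance` value and the finding names are assumptions made for this example.

```python
# Added example (not the thesis's code): a minimal model of the two checks in contribution (1).
from dataclasses import dataclass

def flow_rule_inconsistencies(issued, reported):
    """issued: rules the controller pushed to a switch; reported: rules read back
    from its flow table. Both map match -> out_port."""
    return {
        "missing": sorted(m for m in issued if m not in reported),
        "altered": sorted(m for m in issued if m in reported and reported[m] != issued[m]),
        "unexpected": sorted(m for m in reported if m not in issued),
    }

@dataclass(frozen=True)
class FlowView:
    flow: str           # flow identifier, e.g. "10.0.0.1->10.0.0.2"
    upstream_tx: int    # packets the previous hop forwarded toward the suspect
    downstream_rx: int  # packets the next hop received from the suspect
    off_path_rx: int    # packets of this flow seen by neighbours not on the path
    self_rx: int        # the suspect's own reported input counter
    self_tx: int        # the suspect's own reported output counter

def neighbor_findings(v, tolerance=2):
    """Judge a path switch from its neighbours' counters, not its own report.
    tolerance absorbs counters sampled at slightly different moments."""
    out = []
    if v.off_path_rx > 0:  # flow leaked to a port it was not routed to
        out.append("traffic_replication" if v.downstream_rx >= v.upstream_tx - tolerance
                   else "traffic_deviation")
    elif v.downstream_rx < v.upstream_tx - tolerance:
        out.append("packet_loss")
    elif v.downstream_rx > v.upstream_tx + tolerance:
        out.append("traffic_replication")
    # A switch hiding its behaviour reports clean counters that neighbours contradict.
    if out and abs(v.self_tx - v.self_rx) <= tolerance and abs(v.self_rx - v.upstream_tx) <= tolerance:
        out.append("self_report_forged")
    return out

def assess_switch(issued, reported, views, tolerance=2):
    rules = flow_rule_inconsistencies(issued, reported)
    flows = {v.flow: f for v in views if (f := neighbor_findings(v, tolerance))}
    return {"malicious": any(rules.values()) or bool(flows), "rules": rules, "flows": flows}

if __name__ == "__main__":
    issued = {"dst=10.0.0.2": 3, "dst=10.0.0.3": 4}  # constructed: two rules issued
    reported = {"dst=10.0.0.2": 3}                    # constructed: one silently dropped
    views = [FlowView("10.0.0.1->10.0.0.2", 100, 98, 0, 100, 98),   # healthy
             FlowView("10.0.0.1->10.0.0.3", 100, 40, 0, 100, 100),  # drops, claims full forwarding
             FlowView("10.0.0.4->10.0.0.2", 50, 50, 50, 50, 50)]    # copies the flow off-path
    print(assess_switch(issued, reported, views))
```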
Keywords/Search Tags: Software-Defined Network, Malicious Switch, Flow Rule Consistency, Neighbor Monitoring, Dynamic Transformation