Software-Defined Networking (SDN) separates the control plane from the data plane and introduces logical centralization, openness and programmability. Administrators can develop applications, or deploy applications developed by third parties, on the open interfaces provided by SDN controllers. This facilitates the rapid deployment of new services and the management of the network, but it also brings new security challenges for application permission management. Compared with single-user systems such as Android, the logical centralization of SDN means that a malicious application may harm every user in the network, with severe consequences. At present only a few mainstream SDN controllers implement even a simple application permission audit, and these controllers also lack schemes for monitoring and handling how applications use their permissions. Related studies on SDN application permission auditing assume that source code can be recovered through reverse engineering and that permission usage can then be determined by source-code analysis. However, to protect intellectual property, techniques such as encryption and obfuscation are used to prevent source-code leakage. Further, ambiguity in understanding (called semantic bias), caused by the complexity of the natural language used in application documentation, can also lead to incorrect audit decisions. In addition, because there is no effective mechanism for verifying customized permissions, an application can pass the network information it has obtained to other applications through customized permissions without being discovered by administrators. As for monitoring the permission use of SDN applications, previous studies focused mainly on detecting and handling permission transgression, while detecting and handling permission abuse, such as an application issuing flow rules that cause a firewall to fail, was rarely addressed. To this end, this paper designs a complete permission management scheme covering SDN application permission review and the detection and handling of permission abuse. The main work of this paper is as follows:

(1) A more rigorous SDN application permission audit process, called the two-stage permission audit process, is proposed. In it, the application description is replaced with a trusted requirements document, to prevent a third party from forging the application description to trick the administrator into granting additional permissions. In addition, the administrator's formulation of the program's expected permissions and the audit of the permissions the program applies for are divided into two completely independent stages: until the administrator has formed the description of the program's expected permissions, the set of permissions actually applied for by the program is not visible, so that the program's own permission request cannot interfere with the administrator's formation of its expected permissions.

(2) A formal language named RuoQi is designed to describe the use of permissions. The RuoQi grammar defines declaration statements for permission use and control statements for organizing logic, and developers are required to describe, in RuoQi, how the application uses permissions according to the basic logic of its implementation. Administrators can understand the basic situation of permission use by reading an application's RuoQi description. RuoQi contains only a few tens of keywords in its syntax, plus logical control statements designed for readability, which effectively avoids audit errors caused by the semantic deviation of natural language.

(3) A custom event description model is proposed to support the auditing of custom permissions. Based on the typical way custom permissions are used and on what administrators focus on during review, custom permission use is described as "event source + relationship + existing event". From the event source description the administrator can obtain the application that creates the user-defined event, and from the relationship between the event and an existing event the administrator can obtain specific information about the user-defined event.

(4) For SDN applications that exhibit abnormal flow table delivery behavior, a solution based on associated permissions is proposed. The scheme identifies and persistently stores the resources used and the flow rules delivered during the application permission review phase. After abnormal flow table delivery behavior is detected, the administrator traces the abnormal flow rules back to their source to obtain the related resources and, after integrated filtering, generates a conflict report. From the traced resource information the administrator determines whether the application has abused its permissions; if so, the administrator revokes the permissions.

(5) The SDN application permission audit scheme and the abnormal application behavior handling scheme are implemented in the open-source Ryu controller, and test cases are designed to test the function and performance of both schemes. The functional test results show that, compared with the traditional permission audit scheme, the application permission audit scheme of this paper raises the proportion of correctly granted permissions in the overall permission audit by about 10%, and in the custom permission audit by about 35%, so the scheme helps administrators approve permissions more accurately. In addition, after a flow rule conflict occurs, the related application resources are successfully traced and an abnormal behavior report is generated. The performance test results show that the application permission audit scheme generates match reports in milliseconds and has little impact on application deployment, and that the delay and throughput loss introduced by the abnormal behavior handling scheme on the controller's northbound interface are about 2%, while memory consumption increases by less than 5%. Both the loss of controller performance and the memory consumption of the scheme are within the acceptable range.
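The following is an added example, not code from the thesis or from the Ryu controller, illustrating the idea behind contribution (4): flow rules are persisted together with the application that issued them and the resources recorded at review time, so that a rule which shadows a firewall rule can be traced back to the responsible application and summarized in a conflict report. The rule model, the overlap test, the review-time store and the sample rules are all constructed assumptions; the thesis's actual data structures and report format are not described in the abstract.

```python
"""Toy model of firewall-shadowing detection with source tracing (added example).

Assumption: flow rules carry the name of the issuing application, and a
review-time store records what each application was granted and which
resources it touched. Both are stand-ins for the thesis's persistent store.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRule:
    """One OpenFlow-style rule tagged with the application that issued it."""
    app: str
    priority: int
    nw_src: str             # IPv4 source prefix, CIDR notation
    nw_dst: str             # IPv4 destination prefix, CIDR notation
    tp_dst: Optional[int]   # destination port, None means wildcard
    action: str             # "drop" or "forward"


def matches_overlap(a: FlowRule, b: FlowRule) -> bool:
    """True if at least one packet could match both rules' match fields."""
    if not ip_network(a.nw_src).overlaps(ip_network(b.nw_src)):
        return False
    if not ip_network(a.nw_dst).overlaps(ip_network(b.nw_dst)):
        return False
    # A wildcard port overlaps everything; two concrete ports must be equal.
    if a.tp_dst is not None and b.tp_dst is not None and a.tp_dst != b.tp_dst:
        return False
    return True


def find_conflicts(firewall_rules: List[FlowRule],
                   app_rules: List[FlowRule]) -> List[Tuple[FlowRule, FlowRule]]:
    """Return (firewall_rule, offending_rule) pairs.

    A third-party rule conflicts when it overlaps a firewall rule, takes a
    different action, and has priority high enough to win the table lookup,
    i.e. the firewall rule is silently defeated for that traffic.
    """
    conflicts = []
    for fw in firewall_rules:
        for rule in app_rules:
            if (rule.action != fw.action and rule.priority >= fw.priority
                    and matches_overlap(fw, rule)):
                conflicts.append((fw, rule))
    return conflicts


# Constructed review-time store: permissions granted to each application and
# the resources it touched while under review.
REVIEW_STORE: Dict[str, dict] = {
    "firewall": {"permissions": {"FLOW_MOD", "READ_TOPOLOGY"}, "resources": {"switch:s1"}},
    "loadbalancer": {"permissions": {"FLOW_MOD"}, "resources": {"switch:s1"}},
}


def trace_source(store: Dict[str, dict], rule: FlowRule) -> dict:
    """Look up what the issuing application was granted at review time."""
    record = store.get(rule.app)
    if record is None:
        return {"app": rule.app, "permissions": [], "resources": [],
                "note": "no review record for this application"}
    return {"app": rule.app,
            "permissions": sorted(record["permissions"]),
            "resources": sorted(record["resources"])}


def conflict_report(store: Dict[str, dict], firewall_rules: List[FlowRule],
                    app_rules: List[FlowRule]) -> List[dict]:
    """One report entry per conflicting rule, enriched with traced source info,
    for the administrator to decide whether permissions should be revoked."""
    report = []
    for fw, offending in find_conflicts(firewall_rules, app_rules):
        entry = trace_source(store, offending)
        entry["shadowed_firewall_rule"] = fw
        entry["offending_rule"] = offending
        report.append(entry)
    return report


# Constructed sample: the firewall blocks SSH into the server subnet; a load
# balancer later steers all traffic to one server with a higher-priority
# forward rule, which also lets SSH through.
FIREWALL_RULES = [
    FlowRule("firewall", 100, "10.0.0.0/24", "10.0.1.0/24", 22, "drop"),
]
APP_RULES = [
    FlowRule("loadbalancer", 200, "10.0.0.0/24", "10.0.1.10/32", None, "forward"),  # shadows the drop
    FlowRule("loadbalancer", 50, "10.0.0.0/24", "10.0.1.10/32", 80, "forward"),     # lower priority
    FlowRule("monitor", 300, "10.0.2.0/24", "10.0.1.0/24", None, "forward"),        # disjoint source
]

if __name__ == "__main__":
    for entry in conflict_report(REVIEW_STORE, FIREWALL_RULES, APP_RULES):
        print(entry)
```

The overlap test is deliberately conservative: a wildcard port is treated as overlapping any port, so the report errs toward showing the administrator more candidates rather than fewer. A production check would compare the full OpenFlow match structure and per-switch tables, but the shape of the decision, overlap plus differing action plus winning priority, is the same.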