ارائه یک روش نوین جهت تصدیق صحت ارسال بستهها در شبکههای SDN به صورت موازی
محورهای موضوعی : مهندسی برق و کامپیوترروزبه بگلری 1 , حاکم بیتالهی 2
1 - دانشکده مهندسی کامپیوتر، دانشگاه علم و صنعت ایران
2 - دانشکده مهندسی کامپیوتر، دانشگاه علم و صنعت ایران
کلید واژه: شبکههای SDN, امنیت داده, تصدیق صحت ارسال بستهها, Openflow,
چکیده مقاله :
شبکههای کامپیوتری با شکستن فواصل مکانی و زمانی توانستهاند کاربران را از سراسر جهان به یکدیگر متصل کنند. از این رو نگهداری و امنیت دادهها و اطلاعات، همیشه یکی از چالشهای اصلی شبکههای کامپیوتری بوده است. با پیشرفت تکنولوژی و روشهای ارتباطات، مکانیسمهای امنیتی نیز باید مجدداً ارزیابی گردند. با توجه به پیشرفتها، تفاوتها و فرصتهای جدید در شبکههای SDN در مقایسه با شبکههای IP، روشهای موجود برای تأمین امنیت ارسال دادهها در شبکههای مبتنی بر IP، در شبکههای SDN قابل پیادهسازی نیستند؛ به همین دلیل با درنظرگرفتن محدودیتهای SDN برای مقابله با تهدیدهای فرایند ارسال بستهها، روشهای نوینی ارائه شدهاند که از مهمترین آنها میتوان به DYNAPFV اشاره کرد. در اين مقاله پس از بررسي روشهاي تصدیق صحت ارسال دادهها در شبکههای SDN، روشي جديد مبتني بر DYNAPFV برای تصدیق صحت ارسال بستهها پيشنهاد شده و كليه مشكلات و نواقص روشهای موجود، بالاخص DYNAPFV مرتفع گردیده است. نتایج آزمایشها نشان میدهند که زمان لازم برای یافتن گره مخرب در الگوریتم پیشنهادی نسبت به الگوریتم DYNAPFV به میزان 92% بهبود یافته و نیز با افزایش احتمال تصدیق یکپارچگی بسته از مقدار 8/0 به 99/0، امنیت سیستم بیشتر میشود؛ اما در مقابل زمان لازم برای تشخیص سوئیچهای مخرب بالاتر میرود.
The rise of Software-Defined Networking (SDN) has revolutionized network management, offering greater flexibility and programmability. However, ensuring the accuracy of packet forwarding remains paramount for maintaining network reliability and security in SDN environments. Unlike traditional IP networks, SDN separates the control plane from the data plane, creating new challenges for securing data transmission. Existing verification methods designed for IP networks often cannot be directly applied to SDN due to this architectural difference. To address the limitations of existing verification methods in SDN networks, new approaches are necessary. This research proposes a novel parallel method for verifying packet forwarding, building upon concepts from DYNAPFV. The proposed approach aims to overcome specific limitations of existing methods (including DYNAPFV), such as scalability issues, slow verification times. Simulations demonstrate significant improvements compared to DYNAPFV. The proposed parallel method achieves a 92% reduction in time required to identify malicious nodes within the network. The results also reveal a trade-off between security and verification time. As the probability of packet integrity confirmation increases from 0.8 to 0.99, system security strengthens, but the time to detect malicious switches also increases.
[1] D. Kreutz, et al., "Software-defined networking: a comprehensive survey," Proceeding of the IEEE, vol. 103, no. 1, pp. 14-76, Jan. 2015.
[2] Q. Li, X. Zou, Q. Huang, J. Zheng, and P. P. C. Lee, "Dynamic packet forwarding verification in SDN," IEEE Trans. on Dependable and Secure Computing, vol. 16, no. 6, pp. 915-929, Dec. 2019.
[3] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "Sphinx: detecting security attacks in software-defined networks," in Proc. of Network and Distributed System Security Symp., NDSS'15, 15 pp., San Diego, CA, USA, 7-7 Feb. 2015.
[4] H. Kim and N. Feamster, "Improving network management with software defined networking," IEEE Communications Magazine, vol. 51, no. 2, pp. 114-119, Feb. 2013.
[5] M. Al Ahmad, M. Diab, and S. S. Patra, "Analysis and performance evaluation of openflow controller in SDN using N-policy," in Proc. of Int. Conf. on Recent Advances in Science and Engineering Technology, ICRASET'23, 5 pp., B G NAGARA, India, 23-24 Nov. 2023.
[6] X. Zhang, A. Jain, and A. Perrig, "Packet-dropping adversary identification for data plane security," in Proc. of the ACM CoNEXT Conf., Article Id.: 24, 12 pp., Madrid, Spain, 9-12 Dec. 2008.
[7] H. J. Kim, C. Basescu, L. Jia, S. B. Lee, Y. C. Hu, and A. Perrig, "Lightweight source authentication and path validation," ACM SIGCOMM Computer Communication Review, vol. 44, no. 4, pp. 271-282, Aug. 2014.
[8] H. Beitollahi, D. M. Sharif, and M. Fazeli, "Application layer DDoS attack detection using cuckoo search algorithm-trained radial basis function," IEEE Access, vol. 10, pp. 63844-638542022.
[9] S. Shin, V. Yegneswaran, P. Porras, and G. Gu, "AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks," in Proc. of the ACM SIGSAC Conf. on Computer & Communications Security, pp. 413-424, Berlin, Germany, 4-8 Nov. 2013.
[10] R. Mahajan, M. Rodrig, D. Wetherall, and J. Zahorjan, "Sustaining cooperation in multi-hop wireless networks," in Proc. of the 2nd Conf. on Symp. on Networked Systems Design & Implementation, vol. 2, pp. 231-244, 2-4 May 2005.
[11] R. Aryan, A. Yazidi, F. Brattensborg, O. Kure, and P. E. Engelstad, "SDN spotlight: a real-time openflow troubleshooting framework," J. of Future Generation Computer Systems, vol. 133, pp. 364-377, Aug. 2022.
[12] H. Yu, K. Li, and H. Qi, "An active controller selection scheme for minimizing packet-in processing latency in SDN," J. of Security and Communication Networks, vol. 2019, Article ID: 1949343, Oct. 2019.
[13] H. Wang, L. Xu, and G. Gu, "FloodGuard: A DoS attack prevention extension in software-defined networks," in Proc. of 45th Annual IEEE/IFIP Int. Conf. on Dependable Systems and Networks, pp. 239-250, Rio de Janeiro, Brazil, 22-25 Jun. 2015.
[14] T. Sasaki, C. Pappas, T. Lee, T. Hoefler, and A. Perrig, "SDNsec: forwarding accountability for the SDN data plane," in Proc. of 25th Int. Conf. on Computer Communication and Networks, ICCCN'16, 10 pp., Waikoloa, HI, USA, 1-4 Aug. 2016.
[15] X. Liu, A. Li, X. Yang, and D. Wetherall, "Passport: secure and adoptable source authentication," in Proc. of the 5th USENIX Sympo. on Networked Systems Design and Implementation, pp. 365-378, San Francisco, CA, USA 16-18 Apr. 2008.
[16] Y. Chen, Y. Yang, X. Zou, Q. Li, and Y. Jiang, "Adaptive distributed software defined networking," J. of Computer Communications, vol. 102, pp. 120-129, Apr. 2017.
[17] S. Hong, R. Baykov, L. Xu, S. Nadimpalli, and G. Gu, "Towards SDN-defined programmable byod (bring your own device) security," in Proc. of NDSS'16, 15 pp., San Diego, CA, USA, 21-24 Feb. 2016.
[18] H. Hu, W. Han, G. J. Ahn, and Z. Zhao, "Flowguard: building robust firewalls for software-defined networks," in Proc. of 3rd Workshop on Hot Topics in Software Defined Networking, pp. 97-102, Chicago, IL, USA, 22-22 Aug. 2014.
[19] O. Blial, M. Ben Mamoun, and R. Benaini, "An overview on SDN architectures with multiple controllers," J. of Computer Networks and Communications, vol. 2016, Article ID: 9396525, Apr. 2016.
[20] D. Kreutz, F. M. V. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proc. of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, pp. 55-60, Hong Kong, China, 16-16 Aug. 2013.