面向服务传输的SDN移动网络脆弱性评估模型

摘要/Abstract

摘要： 针对现有的脆弱性评估算法无法直接应用于软件定义网络（Software Defined Network， SDN），以及评估技术普遍偏向于网络连通，无法针对服务与传输性能对SDN进行脆弱性分析等问题，提出一种面向服务传输的SDN移动网络脆弱性评估模型与算法，设计基于SDN的移动网络脆弱性评估框架。提出一种对基于SDN的移动网络服务器节点与网络设备进行安全脆弱性分析的方法，将静态配置信息和动态运行信息融合评估节点设备的脆弱性，使评估更加全面准确；针对SDN移动网络的服务与传输特性，从传输拓扑和SDN节点活跃度2个方面，计算面向服务与传输的基于SDN的移动网络节点重要度；最后融合节点设备的安全脆弱性和重要度来对基于SDN的移动网络进行脆弱性评估，得到评估结果。通过实例和仿真实验验证了所提算法的有效性，相比同类算法可达到更高的评估准确性。

关键词: 软件定义网络, 脆弱性评估, 安全脆弱性, 节点重要度

Abstract: Aiming at the problems that the existing vulnerability assessment algorithms can not be directly applied to software defined network（SDN）， and the assessment technology is generally biased towards network connectivity and can not analyze the vulnerability of SDN according to service and transmission performance， a service-oriented SDN mobile network vulnerability assessment model and algorithm are proposed， a mobile network vulnerability assessment framework based on SDN is designed. A method for security vulnerability analysis of mobile network server nodes and network equipment based on SDN is proposed. The vulnerability of node equipment is evaluated from static configuration information and dynamic operation information respectively， so as to make the evaluation more comprehensive and accurate; Then， according to the service and transmission characteristics of SDN mobile network， the node importance of service-oriented and transmission based SDN mobile network is calculated from 2 aspects: topology transmission performance and node activity. Finally， the security vulnerability and importance of node devices are fused to evaluate the vulnerability of mobile network based on SDN， and the evaluation results are obtained. The effectiveness of the proposed algorithm is verified by examples and simulation experiments. Compared with similar algorithms， it can achieve higher evaluation accuracy.

Key words: SDN, vulnerability assessment, security vulnerability, node importance

包春晖, 庄毅, 郭黎烨. 面向服务传输的SDN移动网络脆弱性评估模型[J]. 计算机与现代化, 2022, 0(11): 43-51.

BAO Chun-hui, ZHUANG Yi, GUO Li-ye. Vulnerability Assessment Model of SDN Mobile Network for Service Transmission[J]. Computer and Modernization, 2022, 0(11): 43-51.

参考文献［25］

［1］	JOUINI M， RABAI L B A. Mean failure cost extension model towards security threats assessment: A cloud computing case study［J］. Journal of Computers， 2015，10（3）:184-194.
［2］	FAN Z J， XIAO Y， NAYAK A， et al. An improved network security situation assessment approach in software defined networks［J］. Peer-to-Peer Networking and Applications， 2019，12（2）:295-309.
［3］	BERNARDO D V， CHUA B B. Introduction and analysis of SDN and NFV security architecture （SN-SECA）［C］// 2015 IEEE 29th International Conference on Advanced Information Networking and Applications （AINA）. 2015:796-801.
［4］	SHOHANI R B， MOSTAFAVI S， HAKAMI V. A statistical model for early detection of DDoS attacks on random targets in SDN［J］. Wireless Personal Communications: An International Journal， 2021120（1）:379-400..
［5］	DOTCENKO S， VLADYKO A， LETENKO I. A fuzzy logic-based information security management for software-defined networks［C］// 2014 16th International Conference on Advanced Communication Technology （ICACT）. 2014:167-171.
［6］	EVANS S， BUSH S F， HERSHEY J. Information assurance through Kolmogorov complexity［C］// Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01. 2001:322-331.
［7］	BUSH S. Network Vulnerability Analysis Tool Precis［R］. General Electric Corporate Research and Development Center， 1999.
［8］	ORTALO R， DESWARTE Y， KAANICHE M. Experimenting with quantitative evaluation tools for monitoring operational security［J］. IEEE Transactions on Software Engineering， 1999，25（5）:633-650.
［9］	WANG S， WANG J H， TANG G M， et al. A network vulnerability assessment method based on attack graph［C］// 2018 IEEE 4th International Conference on Computer and Communications（ICCC）. 2018:1149-1154.
［10］	LIU G Q， WANG X T， YANG J G， et al. A novel network risk assessment method based on vulnerability correlation graph［C］// 2014 IEEE Workshop on Electronics， Computer and Applications. 2014:31-34.〖HJ1.26mm〗
［11］	ZHOU L B. Study on applying the neural network in computer network security assessment［C］// 2016 Eighth International Conference on Measuring Technology and Mechatronics Automation （ICMTMA）. 2016:639-642.
［12］	NUNNALLY T， ULUAGAC A S， COPELAND J A， et al. 3DSVAT: A 3D stereoscopic vulnerability assessment tool for network security［C］// Proceedings of the 2012 IEEE 37th Conference on Local Computer Networks（LCN 2012）. 2012:111-118.
［13］	LI T. Design and implementation of computer network vulnerability assessment system［C］// 2017 International Conference on Computer Systems， Electronics and Control （ICCSEC）. 2017:440-445.
［14］	SHARAFALDIN I， LASHKARI A H， GHORBANI A A. Toward generating a new intrusion detection dataset and intrusion traffic characterization［C］// 4th International Conference on Information Systems Security and Privacy. 2018:108-116.
［15］	OU X， SINGHAL A. Quantitative security risk assessment of enterprise networks［M］// The Common Vulnerability Scoring System（CVSS）. Springer， 2012:9-12.
［16］	WANG W R， SHI F， ZHANG M， et al. A vulnerability risk assessment method based on heterogeneous information network［J］. IEEE Access， 2020，8:148315-148330.
［17］	章子游，赵千川，杨文. 基于网络演算的网络故障检测方法［J］. 控制理论与应用， 2019，36（11）:1861-1870.
［18］	NIGAM R， SHARMA D K， JAIN S， et al. A local betweenness centrality based forwarding technique for social opportunistic IoT networks［J］. Mobile Networks and Applications， 2022，27（2）:547-562.
［19］	段佳勇，郑宏达. 基于节点重要度的复杂网络脆弱性分析方法［J］. 控制工程， 2020，27（4）:692-696.
［20］	张笛，李兴华，刘海，等. SDN网络中面向服务的网络节点重要性排序方法［J］. 计算机学报， 2018，41（11）:2624-2636.
［21］	BANERJEE M， AGARWAL B， SAMANTARAY S D.An integrated approach for Botnet detection and prediction using honeynet and socialnet data ［C］// International Conference on Intelligent Computing and Smart Communication 2019. Springer， 2020:423-431.
［22］	VERMA M E， IANNACONE M D， BRIDGES R A， et al. Addressing the lack of comparability & testing in CAN intrusion detection research: A comprehensive guide to CAN IDS data & introduction of the ROAD dataset［J］. arXiv preprint arXiv:2012.14600， 2020.
［23］	SEO J H. A study on the performance evaluation of unbalanced intrusion detection dataset classification based on machine learning［J］. Journal of Korean Institute of Intelligent Systems， 2017，27（5）:466-474.
［24］	黎学斌，范九伦，刘意先. 基于AHP和CVSS的信息系统漏洞评估［J］. 西安邮电大学学报， 2016，21（1）:42-46.
［25］	ALLOUZI M A， KHAN J I. Identifying and modeling security threats for IoMT edge network using markov chain and common vulnerability scoring system（CVSS）［J］. arXiv preprint arXiv:2104.11580， 2021.

[1]	陈晨, 庄毅, 高增. QoE驱动的SDN网络高可用传输框架[J]. 计算机与现代化, 2023, 0(11): 62-68.
[2]	王重阳, 庄毅. 基于SDN和改进CSA算法的多作业集群的负载均衡算法[J]. 计算机与现代化, 2023, 0(11): 28-35.
[3]	姜厚海, 庄毅, 曹子宁. 一种基于流聚合与拥塞避免的SDN快速故障恢复方案[J]. 计算机与现代化, 2023, 0(10): 77-83.
[4]	姜厚海, 庄毅, 曹子宁. 一种基于改进BDD的SDN可靠性评估算法[J]. 计算机与现代化, 2023, 0(09): 64-69.
[5]	雷依翰, 曹利峰, 韩孟达, 韩雪. 软件定义天地一体化网络安全切换架构与方法[J]. 计算机与现代化, 2023, 0(08): 119-126.
[6]	高枫, 庄毅, 刘骁. 一种基于路径跟踪反馈的SDN网络可信传输方案[J]. 计算机与现代化, 2022, 0(12): 102-110.
[7]	凌致远, 陈晓, 宋磊, . 基于匹配动作表模型的可编程数据平面流表归并[J]. 计算机与现代化, 2022, 0(07): 74-78.
[8]	王文蔚, 肖军弼, 程鹏, 张悦. 基于SDN的DDoS攻击防御系统[J]. 计算机与现代化, 2021, 0(02): 117-121.
[9]	戴松, 孙延涛, 刘强, 贾泽群, . 基于多模电台的SDMANET网络组网方法[J]. 计算机与现代化, 2020, 0(08): 82-88.
[10]	肖军弼, 程鹏, 谭立状, 孟祥泽. 基于SDN的数据中心动态优先级多路径调度算法[J]. 计算机与现代化, 2020, 0(07): 21-26.
[11]	耿岚岚1，孙延涛2，戴松1. 一种面向软件定义移动自组网的拓扑发现方法[J]. 计算机与现代化, 2019, 0(09): 53-.
[12]	詹晗. 基于OpenStack的分布式SDN控制器Dragonflow研究[J]. 计算机与现代化, 2017, 0(7): 91-94.
[13]	印苏凯1,刘光杰1,刘伟伟1,翟江涛2,戴跃伟1,2. 软件定义网络中的多流时间式隐信道设计[J]. 计算机与现代化, 2017, 0(4): 94-98,104.
[14]	庄怀东，杜庆伟. 一种基于SDN的数据中心网络动态流量调度方法[J]. 计算机与现代化, 2016, 251(07): 80-86.
[15]	马超1,2，程力1，孔玲玲3. 云环境下SDN的流量异常检测性能分析[J]. 计算机与现代化, 2015, 0(10): 92-97+102.