信息网络安全 ›› 2016, Vol. 16 ›› Issue (12): 13-18.doi: 10.3969/j.issn.1671-1122.2016.12.003

• • 上一篇    下一篇

基于OwnShip-Proof模型的软件定义网络控制器集群故障安全恢复方法

武泽慧1,2(), 魏强1,2   

  1. 1.解放军信息工程大学网络空间安全学院,河南郑州 450001
    2.数学工程与先进计算国家重点实验室,河南郑州 450001
  • 收稿日期:2016-11-15 出版日期:2016-12-20 发布日期:2020-05-13
  • 作者简介:

    作者简介: 武泽慧(1988—),男,安徽,博士研究生,主要研究方向为网络安全;魏强(1979—),男,江西,副教授,博士,主要研究方向为工业控制系统安全。

  • 基金资助:
    国家高技术研究发展计划(国家863计划)[2012AA012902];国家自然科学基金[614051512];国家杰出青年科学基金[61402526]

A Secure Fault Recovery Approach Using OwnShip-Proof Model for Controller Cluster of Software Defined Networks

Zehui WU1,2(), Qiang WEI1,2   

  1. 1. Institute of Cyber Security, PLA Information Engineering University, Zhengzhou Henan 450001, China
    2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou Henan 450001, China
  • Received:2016-11-15 Online:2016-12-20 Published:2020-05-13

摘要:

控制平面负责软件定义网络的管理和控制,是软件定义网络的核心。当前针对控制平面的研究主要集中在性能和稳定性提升,以及控制器的安全性方面,针对控制平面故障恢复过程中的安全问题未见研究成果。文章提出了一种基于OwnShip-Proof模型的故障安全恢复方法,在故障恢复过程前构建哈希树存储对应备份资源,故障恢复过程中使用哈希树完成快速身份校验,实现了控制器与备份资源所有权的安全认证。测试结果表明,该方法不仅可以降低控制平面备份文件的存储空间,也可以有效阻断攻击者利用故障恢复实施信息窃取的攻击行为。同时与传统方法相比,随着备份文件的增大,二者的性能差异逐渐减小。

关键词: 软件定义网络, 网络安全, 故障恢复, 控制器集群

Abstract:

Control plane is the core of software defined network, which is responsible for network management and control. Current research focus on the performance, the stability, and the security of controllers, while take no attention on the security of fault recovery progress, by which the attackers could pretend to be a controller and obtain the resources of the network from the backups of control plane. We propose a secure recovery approach based on OwnShip-Proof model to address this threat. Our method employs hash tree to map one backup file with different controllers before backup and recovery procedure, and during the recovery, the controller should provide the solution of the challenge generated through OwnShip-Proof model by the server that stored the backup file. Then the server verify the solution and decide to recovery or not. The testing results show that our approach is able to decrease the memory space used to store the backup file and defense the attackers from the forged recovery attack. Compared with the ordinary method, the performance difference of the two methods would narrow down with the increasing of the size of the backup file.

Key words: SDN, cyber security, fault recovery, controller cluster

中图分类号: