A SDN Access Control Mechanism Based on Zero Trust

doi:10.3969/j.issn.1671-1122.2020.08.005

Abstract

Abstract:

Software defined network (SDN) is a new network architecture which separates logic control and data forwarding. It can provide the Internet with smooth evolution ability to meet the current and future needs.SDN not only becomes a new development direction of future internet, but also gives a new way to solve the problem of network security. At present, SDN network lacks effective network dynamic access control mechanism. Therefore, this paper proposes a zero-trust based access control method for SDN network. Firstly, the security concept of "zero trust" is introduced to construct the network access control framework under SDN network. The proposed framework achieves the real-time monitoring and trust measurement of insider user behaviors. Moreover, it can adjust user resource access privilege according to the measurement results dynamically. Then, the set of user behavior trust metrics for SDN network is designed, and the behavior metrics supported by Openflow in SDN network are selected to make the index results easy to measure. The dynamic measurement mechanism of user trust based on behavior as well as the SDN network resource access control using flow table is proposed. From the viewpoint of "never trust and always verify", the behavior of users in the network is monitored periodically, and the trust value of users is measured according to their behavior data. When the user trust degree drops to an untrusted degree, the flow table is quickly issued to prevent the user from continuing to access the network. Finally, the effectiveness of the proposed model and method is verified by simulations. The experiments show that our method can achieve more fine-grained and dynamic access control.

Key words: SDN network, access control, zero trust, cloud theory, credible measurement

CLC Number:

TP309

WU Yunkun, JIANG Bo, PAN Ruixuan, LIU Yuling. A SDN Access Control Mechanism Based on Zero Trust[J]. Netinfo Security, 2020, 20(8): 37-46.

Figures/Tables 10

References 15

[1]	CERRONI W, BURATTI C, CERBONI S, et al. Intent-based Management and Orchestration of Heterogeneous Openflow/IoT SDN Domains[C]// IEEE. 2017 IEEE Conference on Network Softwarization, July 3-7, 2017, Bologna, Italy. NJ: IEEE, 2017: 1-9.
[2]	WU Qingbiao. Research on Web Authentication and Access Control in Software-defined Networking[M]. Chengdu, Southwest Jiaotong University, 2015.
	吴庆彪. 软件定义网络Web认证与访问控制技术研究[M]. 成都:西南交通大学, 2015.
[3]	ZHANG Runhuan. Research and Implementation of Resilient Control Mechanism for Network Resources Based on SDN[M]. Nanjing, Southeast University, 2018.
	张润环. 基于SDN的网络资源弹性控制机制的研究与实现[M]. 南京:东南大学, 2018.
[4]	ZAHEER Z, CHANG H, MUKHERJEE S, et al. EZTrust: Network-Independent Zero-Trust Perimeterization for Microservices[C]// ACM. 2019 ACM SOSR Symposium on SDN Research, April 3-4, 2019, San Jose, Canada. NY: ACM, 2019: 49-61.
[5]	XIE Dejun, WANG Liming, SONG Chen, et al. Design and Implementation of an Adaptive Network Access Control System Based on SDN[J]. Network New Media Technology, 2017,6(5):20-28.
	谢德俊, 王利明, 宋晨, 等. SDN自适应网络访问控制系统的设计与实现[J]. 网络新媒体技术, 2017,6(5):20-28.
[6]	WU Zenan, TIAN Liqin, WANG Zhigang. Behavior Authentication of Web Users Based on Machine Learning[J]. Chinese Journal of Network and Information Security, 2018,4(1):45-51.
	毋泽南, 田立勤, 王志刚. 基于机器学习的Web用户行为认证[J]. 网络与信息安全学报, 2018,4(1):45-51.
[7]	JI Tieguo, TIAN Liqin, HU Zhixing, et al. AHP-based User Behavior Evaluation Method in Trustworthy Network[J]. Chinese Computer Engineering and Applications, 2007,43(19):123-126.
	冀铁果, 田立勤, 胡志兴, 等. 可信网络中一种基于AHP的用户行为评估方法[J]. 计算机工程与应用, 2007,43(19):123-126.
[8]	TIAN Liqian, LIN Chuang. A Kind of Game-theoretic Control Mechanism of User Behavior Trust Based on Prediction in Trustworthy Network[J]. Chinese Journal of Computer, 2007,30(11):1930-1938.
	田立勤, 林闯. 可信网络中一种基于行为信任预测的博弈控制机制[J]. 计算机学报, 2007,30(11):1930-1938.
[9]	TIAN Guohui, YIN Jianqin, YAN Yunzhang, et al. Gaussian Mixture Models and Principal Component Analysis-based Human Trajectory Behavior Recognition[J]. Acta Electronica Sinica, 2016,44(1):143-149.
	田国会, 尹建芹, 闫云章, 等. 基于混合高斯模型和主成分分析的轨迹分析行为识别方法[J]. 电子学报, 2016,44(1):143-149.
[10]	WARD R, BEYER B. BeyondCorp: A New Approach to Enterprise Security[J]. The Magazine of Usenixand Sage, 2014,39(6):6-11.
[11]	RIZVI S, RYOO J, LIU Y, et al. A Centralized Trust Model Approach for Cloud Computing[C]// IEEE. 23rd IEEE Wireless and Optical Communication Conference, May 9-10, 2014, Newark, New Jersey, USA. NJ: IEEE, 2014: 1-6.
[12]	DECUSATIS C, LIENGTIRAPHAN P, SAGER A, et al. Implementing Zero Trust Cloud Networks with Transport Access Control and First Packet Authentication[C]// IEEE. 2016 IEEE International Conference on Smart Cloud, November 18-20, 2016, New York, USA. NJ: IEEE, 2016: 5-10.
[13]	EIDLE D, NI S, DECUSATIS C, et al. Autonomic Security for Zero Trust Networks[C]// IEEE. 8rd IEEE Annual Ubiquitous Computing, Electronics and Mobile Communication Conference, October 19-21, 2017, New York, USA. NJ: IEEE, 2017: 288-293.
[14]	SAMANIEGO M, DETERS R. Zero-Trust Hierarchical Management in IoT[C]// IEEE. 2018 IEEE International Congress on Internet of Things, July 2-7, 2018, San Francisco, CA, USA. NJ: IEEE, 2018: 88-95.
[15]	JOHN M. Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory[J]. ACM Transactions on Information and System Security, 2000,3(4):262-294.

名称	含义
ADD	用来添加一条新的流表项
DELETE	用来删除所有符合一定条件的流表项
DELETE-STRICT	用来删除某一条指定的流表项
MODIFY	用来修改所有符合一定条件的流表项
MODIFY-STRICT	修改某一条指定的流表项

标准正态信任云	与实际正态信任云的相似度
低信任	0.0001
一般信任	0.6732
高信任	0.0021

指标文献	信任度量方法	具体度量指标	持续度量机制	动态调整用户权限	考虑用户误操作行为
文献[6]	支持向量机	√	×	×	×
文献[7]	AHP	√	×	×	×
文献[8]	贝叶斯	×	×	√	×
文献[9]	混合高斯模型	×	×	×	√
本文	零信任+云理论	√	√	√	√