检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
作 者:刘文懋[1,2] 裘晓峰[3] 陈鹏程[3] 文旭韬 何新新[3] 汪东升[1] 李军[1]
机构地区:[1]清华大学信息技术研究院,北京100084 [2]北京神州绿盟科技股份有限公司,北京100089 [3]北京邮电大学移动生活与新媒体实验室,北京100876
出 处:《计算机科学与探索》2015年第1期63-70,共8页Journal of Frontiers of Computer Science and Technology
基 金:国家科技重大专项Nos.2012ZX03002011-003;2012ZX03002002-003~~
摘 要:Open Flow协议无深度包检测能力使其在安全应用中受限,同时现有安全解决方案不能适应软件定义网络(software-defined networking,SDN)的发展。提出了一个分布式的软件定义安全架构(software-defined security architecture,SDSA),可将安全功能从SDN控制器解耦到专有的安全控制器和安全APP,提供了全局流和局部数据包层面的检测和防护,以抵御SDN和虚拟化环境中的各类攻击。全局视图和知识库有助于进行快速准确的决策,安全数据和控制分离既极大简化了安全设备的处理逻辑,又使得安全控制器具有灵活的控制平面,并且实时下发策略到设备和动态牵引流量,从而使得整个防护响应大大加快。实验表明SDSA架构可有效防护Do S、端口扫描和异常大流量等各类攻击。Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed softnvare-defined security architecture (SDSA), which offioads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu- rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.
分 类 号:TP393.08[自动化与计算机技术—计算机应用技术]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.117
