SGuard：A Lightweight SDN Safe-Guard Architecture for DoS Attacks  被引量：10

作　　者：Tao Wang Hongchang Chen 

机构地区：[1]National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China

出　　处：《China Communications》2017年第6期113-125,共13页中国通信（英文版）

基　　金：supported by the National key Research and Development Program of China(No.2016YFB0800100,2016YFB0800101);the National Natural Science Fund for Creative Research Groups Project(No.61521003);the National Natural Science Fund for Youth Found Project(No.61602509)

摘　　要：Software Defined Networking(SDN) is a revolutionary networking paradigm towards the future network,experiencing rapid development nowadays.However,its main characteristic,the separation of control plane and data plane,also brings about new security challenges,i.e.,Denial-of-Service(DoS) attacks specific to Open Flow SDN networks to exhaust the control plane bandwidth and overload the buffer memory of Open Flow switch.To mitigate the DoS attacks in the Open Flow networks,we design and implement SGuard,a security application on top of the NOX controller that mainly contains two modules:Access control module and Classification module.We employ novel six-tuple as feature vector to classify traffic flows,meanwhile optimizing classification by feature ranking and selecting algorithms.All the modules will cooperate with each other to complete a series of tasks such as authorization,classification and so on.At the end of this paper,we experimentally use Mininet to evaluate SGuard in a software environment.The results show that SGuard works efficiently and accurately without adding more overhead to the SDN networks.Software Defined Networking（SDN） is a revolutionary networking paradigm towards the future network,experiencing rapid development nowadays.However,its main characteristic,the separation of control plane and data plane,also brings about new security challenges,i.e.,Denial-of-Service（DoS） attacks specific to Open Flow SDN networks to exhaust the control plane bandwidth and overload the buffer memory of Open Flow switch.To mitigate the DoS attacks in the Open Flow networks,we design and implement SGuard,a security application on top of the NOX controller that mainly contains two modules：Access control module and Classification module.We employ novel six-tuple as feature vector to classify traffic flows,meanwhile optimizing classification by feature ranking and selecting algorithms.All the modules will cooperate with each other to complete a series of tasks such as authorization,classification and so on.At the end of this paper,we experimentally use Mininet to evaluate SGuard in a software environment.The results show that SGuard works efficiently and accurately without adding more overhead to the SDN networks.

关 键 词：sguard software defined networking denial-of-service attack security application 

分 类 号：TP393.02[自动化与计算机技术—计算机应用技术]