一种抗恶意攻击的OpenFlow虚拟流表高性能查找方法  

作　　者：熊兵[1] 黄巧荣 罗瑶 赵锦元 张锦 Xiong Bing;Huang Qiaorong;Luo Yao;Zhao Jinyuan;Zhang Jin(School of Computer Science&Communication Engineering,Changsha University of Science&Technology,Changsha 410114,China;School of Information Science&Engineering,Changsha Normal University,Changsha 410199,China)

机构地区：[1]长沙理工大学计算机与通信工程学院,长沙410114 [2]长沙师范学院信息科学与工程学院,长沙410199

出　　处：《计算机应用研究》2023年第11期3416-3424,共9页Application Research of Computers

基　　金：国家自然科学基金资助项目(62272062);湖南省自然科学基金资助项目(2023JJ30053,2021JJ30456);湖南省教育厅资助科研项目(22A0232);长沙理工大学公路养护技术国家工程研究中心开放基金资助项目(kfj220107);长沙理工大学研究生科研创新项目(CX2021SS74);湖南省研究生科研创新项目(CX20230913)

摘　　要：针对恶意攻击给OpenFlow虚拟流表查找带来的破坏性影响,构建了一种抗恶意攻击的OpenFlow虚拟流表高性能查找方法。该方法基于近似成员关系查询理论,采用布鲁姆过滤器预测元组查找失败结果,以绕过绝大多数元组失败查找操作,提高OpenFlow虚拟流表查找效率;进一步,设计了一种可扩展计数型布鲁姆过滤器,根据元组规模的动态变化进行适应性伸缩,从而始终以高准确率判定元组查找失败结果;最后,采用实际网络流量样本和模拟恶意攻击方式,评估所提OpenFlow虚拟流表查找方法的性能。实验结果表明:当攻击包与正常包分别按1:2和2:1比例混合时,所提方法的假阳性错误率始终保持在6%以下,比计数型布鲁姆过滤器降低了93%,而平均查找长度降低了90%。Aiming at the devastating impact of malicious attacks on virtual OpenFlow-compliant flow table lookup,this paper built a high-performance lookup method for OpenFlow-compliant virtual flow tables against malicious attacks.Based on approximate membership query theory,this method applied bloom filters to predict tuple lookup failures and bypass failed lookups of a great majority of tuples,so as to accelerate the tuple space search and increase the lookup efficiency of OpenFlow-compliant virtual flow tables.Furthermore,this paper designed a scalable counting bloom filter,which adaptively extended and retracted in accordance with dynamic variation of tuple scale,to determine tuple lookup failures with high accuracy all the time.Finally,this paper evaluated the performance of the proposed lookup method of OpenFlow-compliant virtual flow tables with real network traffic traces and malicious attack simulations.The experimental results indicate that the proposed method keeps false positive error rate below 6%with 93%lower than that of the count bloom filter,and reduces average search length by 90%,both for the mixture ratio of attack packets and normal ones 1:2 and 2:1.

关 键 词：OpenFlow虚拟交换 流表查找 元组空间搜索法 可扩展计数型布鲁姆过滤器 抗恶意攻击 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]