基于SDN的物联网边缘节点间数据流零信任管理  被引量：4

作　　者：肖警续 郭渊博[1] 常朝稳[1] 吴平 杨晨立 XIAO Jingxu;GUO Yuanbo;CHANG Chaowen;WU Ping;YANG Chenli(Department of Cryptogram Engineering,Information Engineering University,Zhengzhou 450001,China)

机构地区：[1]信息工程大学密码工程学院,河南郑州450001

出　　处：《通信学报》2024年第7期101-116,共16页Journal on Communications

基　　金：河南省科技攻关基金资助项目(No.222102210070)。

摘　　要：针对物联网缺少对数据流传输链路中恶意交换节点检测与定位的有效手段,提出了一种基于软件定义网络(SDN)的物联网边缘节点间数据流零信任管理方法。该方法将SDN架构应用到边缘节点间数据流的传输过程,使用固定长度的报头开销对数据流、节点和路径进行零信任管理,实现轻量级的数据包转发验证和恶意交换节点定位功能。在转发路径中,交换节点对数据包进行安全验证并统计验证信息,保证数据流传输的安全性和路径的一致性。根据异常数据包类型,控制器采用二分法标记执行验证操作的交换节点,逐步缩小恶意交换节点的范围,实现对多类型恶意交换节点的定位。最后,对所提方法进行了仿真与评估。实验结果表明,所提方法引入小于10%的转发时延和低于8%的吞吐量损失。Aiming at the lack of effective means for detecting and localizing malicious nodes in the data flow transmission link in Internet of things(IoT),a zero trust management method of data flow between IoT edge nodes based on software defined network(SDN)was proposed.This method applied the architecture of SDN to the process of data flow transmission between edge nodes.A fixed-length header overhead was used for zero trust management of data flow,nodes,and paths to achieve lightweight packet forwarding verification and malicious node localization functions.In the forwarding path,the security verification of packets was performed by the switching node,and the verification information was counted to ensure the security of the data flow transmission and the consistency of the path.Based on the type of abnormal packets,the controller adopted dichotomous method to mark the switching node that performed the verification operation to gradually narrow down the scope of malicious nodes,and realized the localization of multiple types of malicious nodes.Finally,the proposed method was simulated and evaluated.The experimental results show that the method introduces a forwarding delay of less than 10%and a throughput loss of less than 8%.

关 键 词：物联网 软件定义网络 零信任管理 异常检测 异常定位 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]