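张艳, 杨喜敏, 唐菀, 刘艳萍, 刘宇宸. False flow rule detection in SDN data plane based on blockchain [J]. Journal of South-Central Minzu University (Natural Science Edition), 2022, 41(4): 467-474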
False flow rule detection in SDN data plane based on blockchain
DOI:10.12130/znmdzk.20220413
Keywords: software-defined networking; blockchain; flow rule detection; consensus algorithm
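Funding: National Natural Science Foundation of China (61902437); Natural Science Foundation of Hubei Province (2020CFB629); Fundamental Research Funds for the Central Universities (CZY22016)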
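Authors and affiliations
张艳: College of Computer Science, South-Central Minzu University, Wuhan 430074
杨喜敏: College of Computer Science, South-Central Minzu University, Wuhan 430074
唐菀: College of Computer Science, South-Central Minzu University, Wuhan 430074
刘艳萍: 华灵云科技有限公司, Hangzhou 311121
刘宇宸: College of Computer Science, South-Central Minzu University, Wuhan 430074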
Abstract:
The data plane of Software-Defined Networking (SDN) is responsible only for traffic forwarding and cannot tell whether a flow rule is correct. Attackers can therefore maliciously inject false flow rules into the data plane, causing network congestion, information leakage, or even network breakdown. Drawing on the traceability and tamper resistance of blockchain, this paper proposes a blockchain-based false flow rule detection mechanism (FFRD-BC) that runs on the control plane. When an SDN controller sends flow rules to the data plane, it also stores them in the blockchain. By randomly selecting flow rules from the data plane and verifying whether they exist in the blockchain, false flow rules injected by third-party actors can be detected. In addition, a vote-verification strategy based on the Practical Byzantine Fault Tolerance consensus algorithm is introduced in the flow rule detection stage of FFRD-BC to avoid false detections caused by unstable consistency among blockchain nodes. Experimental results show that, as the number of detection rounds increases, FFRD-BC effectively detects false flow rules injected into the data plane by third-party actors, and that it effectively reduces the false detection rate compared with the self-verification strategy.
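The detection loop the abstract describes, as an added example that is not code from the paper: rules are sampled at random from a switch and checked against the ledger, once by trusting a single node and once by vote. The SHA-256 fingerprint over canonical JSON, the 2f+1 quorum out of n = 3f+1 nodes borrowed from PBFT, the modelling of self-verification as a query to one node, and all function names and sample rules are assumptions made here.

```python
import hashlib
import json
import random

def fingerprint(rule):
    # Assumed encoding: SHA-256 over the canonical JSON form of a flow rule
    return hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()

def self_verify(fp, nodes):
    # Self-verification modelled as trusting one node's local ledger copy
    return fp in nodes[-1]

def vote_verify(fp, nodes):
    # Assumed quorum: 2f+1 matching votes out of n = 3f+1 nodes, as in PBFT
    f = (len(nodes) - 1) // 3
    return sum(fp in ledger for ledger in nodes) >= 2 * f + 1

def run_rounds(switch_rules, nodes, verify, rounds, sample_size, seed):
    # Each round samples installed rules at random and flags those not on chain
    rng = random.Random(seed)
    flagged = set()
    for _ in range(rounds):
        for rule in rng.sample(switch_rules, sample_size):
            fp = fingerprint(rule)
            if not verify(fp, nodes):
                flagged.add(fp)
    return flagged

# Constructed sample data: five controller-issued rules and one injected rule
LEGIT = [{"match": {"ipv4_dst": f"10.0.0.{i}"}, "action": f"output:{i}",
          "priority": 100} for i in range(1, 6)]
INJECTED = {"match": {"ipv4_dst": "10.0.0.3"}, "action": "output:9",
            "priority": 200}
FULL = {fingerprint(r) for r in LEGIT}
# One ledger replica has not yet committed the newest legitimate rule
LAGGING = FULL - {fingerprint(LEGIT[-1])}
NODES = [FULL, FULL, FULL, LAGGING]   # n = 4, tolerates f = 1
SWITCH = LEGIT + [INJECTED]           # rules currently installed on the switch

if __name__ == "__main__":
    for name, verify in (("self", self_verify), ("vote", vote_verify)):
        flagged = run_rounds(SWITCH, NODES, verify, rounds=200,
                             sample_size=2, seed=1)
        print(name, "verification flagged", len(flagged), "rule(s)")
```

With the lagging replica as the only witness, the newest legitimate rule is flagged alongside the injected one; the vote flags only the injected rule.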