Research and Implementation of Security Audit on SDN Architecture
-
Abstract: To address the security challenges faced by the software defined networking (SDN) architecture, this work focuses on the security audit component of the SDN architecture, combines traditional network security audit solutions with the centralized-control property of SDN, and designs and implements, on top of the Floodlight controller, a security audit system suited to the SDN environment, covering the collection, analysis, storage of and response to security audit events. An attack backtracking algorithm for distributed denial of service (DDoS) attacks is proposed that traces security audit events retrospectively to determine the DDoS attack initiator and the set of zombie hosts. In addition, a sliding window segmentation algorithm is used to extract user behaviour sequence patterns from the security audit events; the similarity between sequence patterns is computed with the Levenshtein algorithm, and suspicious attack behaviour is detected from the similarity between a user's current and historical behaviour. Experiments verify that the system accurately traces back the set of controlled zombie hosts and the attacker when a DDoS attack occurs, and that it effectively detects user attack behaviour.
-
Keywords:
- software defined networking (SDN)
- security audit
- Floodlight
- attack backtracking
- user behaviour analysis
Abstract: To address security challenges in the software defined networking (SDN) architecture, centred on the security audit aspect of the SDN architecture, traditional network security audit solutions and the SDN architecture's centralized control features were combined. A security audit system was designed and implemented based on the Floodlight controller and operated in the SDN environment, including the collection, analysis and storage of audit events and other functions. A backtracking algorithm for the DDoS scenario was designed to detect the attackers and zombie hosts by reviewing and analysing security audit events retrospectively. In addition, a sliding window segmentation algorithm was proposed that extracts user behaviour patterns after performing sequence analysis on the security audit events. The similarity between sequence patterns was calculated with the Levenshtein algorithm, and suspected attack behaviours were then detected from the similarity between the user's current behaviours and historical behaviours.
Table 1. Host role and IP address allocation table

| Host role | IP address |
|---|---|
| Attacker | 172.16.10.10 |
| Zombie host PC1 | 172.16.10.11 |
| Zombie host PC2 | 172.16.10.13 |
| Zombie host PC3 | 172.16.10.14 |
| Target host | 172.16.10.88 |

Table 2. Influence of the parameter Δt_attack on the zombie host set ZHset, the attacker set Attackers and the iteration count i

| Δt_attack (s) | ZHset | Attackers | i |
|---|---|---|---|
| 5 | 172.16.10.13 | 172.16.10.10 | 0 |
| 6 | 172.16.10.13, 172.16.10.14 | 172.16.10.10 | 0 |
| 7 | 172.16.10.13, 172.16.10.14 | 172.16.10.10 | 0 |
| 8 | 172.16.10.13, 172.16.10.14, 172.16.10.11 | 172.16.10.10 | 0 |
| 9 | 172.16.10.13, 172.16.10.14, 172.16.10.11 | 172.16.10.10 | 0 |
| 10 | 172.16.10.13, 172.16.10.14, 172.16.10.11 | 172.16.10.10 | 0 |
| 11 | 172.16.10.13 | 172.16.10.10 | 0 |
| 12 | 172.16.10.13, 172.16.10.14 | 172.16.10.10, 172.16.10.88 | 8 |
| 13 | 172.16.10.13, 172.16.10.14 | 172.16.10.10, 172.16.10.88 | 8 |
| 14 | 172.16.10.13, 172.16.10.14, 172.16.10.11 | 172.16.10.10, 172.16.10.88 | 8 |
| 15 | 172.16.10.13, 172.16.10.14, 172.16.10.11 | 172.16.10.10, 172.16.10.88 | 8 |

Table 3. Sequence pattern examples of 172.16.10.10 under different support

| Minimum support (%) | Number of sequence patterns | Pattern example | Explanation |
|---|---|---|---|
| 10 | 4 | [‘172.16.10.14’]→[‘172.16.10.11’]→[‘172.16.10.13’] | The user frequently accesses 172.16.10.14, 172.16.10.11 and 172.16.10.13 in succession, and the access order stays essentially unchanged |
| 5 | 16 | [‘172.16.10.14’]→[‘172.16.10.11’]→[‘172.16.10.13’]→[‘172.16.10.12’] | The user frequently accesses 172.16.10.14, 172.16.10.11, 172.16.10.13 and 172.16.10.12 in succession, and the access order stays essentially unchanged |
| 3 | 29 | [‘172.16.10.14’]→[‘172.16.10.11’]→[‘172.16.10.13’]→[‘172.16.10.12’]→[‘172.16.10.14’] | The user frequently accesses 172.16.10.14, 172.16.10.11, 172.16.10.13 and 172.16.10.12 in succession, and the access order is always 14→11→13→12; lowering the support yields relatively longer sequence patterns |

Table 4. Analysis of the user behaviour sequence patterns of three zombie hosts

| User | Support (%) | Sequence pattern | Explanation |
|---|---|---|---|
| 172.16.10.11 | 80 | [‘172.16.10.88’]→[‘172.16.10.88’]→[‘172.16.10.88’]→[‘172.16.10.88’] | Analysing the network access records within 1 d, at a support of 80% a sequence pattern of length 4 that accesses the same IP consecutively appears; such a pattern can be regarded as a sequence pattern with potential attack behaviour |
| 172.16.10.13 | 80 | | |
| 172.16.10.14 | 80 | | |

Table 5. Sequence similarity calculation results based on the Levenshtein algorithm

| Historical behaviour sequence pattern | Current behaviour sequence pattern | Similarity | Explanation |
|---|---|---|---|
| [‘172.16.10.14’]→[‘172.16.10.11’]→[‘172.16.10.13’] | [‘172.16.10.14’]→[‘172.16.10.11’]→[‘172.16.10.12’] | 0.67 | For user 172.16.10.10, when the similarity between a new behaviour pattern and a historical behaviour pattern known to carry a security threat reaches a (user-defined) threshold, the user's current network access behaviour can be judged as a possible attack |
| [‘172.16.10.88’]→[‘172.16.10.88’]→[‘172.16.10.88’] | [‘172.16.10.88’]→[‘172.16.10.88’]→[‘172.16.10.88’] | 1.00 | For an ordinary user, when a behaviour sequence of continuously accessing one target IP appears within some time period (as above), the behaviour can be judged as a possible attack and an alarm is raised |
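The sliding-window extraction described in the abstract and the two similarity values in Table 5 can be reproduced with the following added example. It is not code from the paper or its Floodlight audit system. It assumes audit events of the form (timestamp, source IP, destination IP), a window that advances one event at a time, a normalized similarity of 1 − d/max(len a, len b) where d is the Levenshtein distance over IP tokens, and a 0.6 threshold standing in for the paper's user-defined one; the event sample is constructed using the addresses of Table 1.

```python
"""Sliding-window behaviour sequences and Levenshtein similarity (added example)."""
from typing import List, Sequence, Tuple

Event = Tuple[int, str, str]  # (timestamp in seconds, source IP, destination IP) - assumed format

# Constructed sample of audit events; IPs follow Table 1 of the paper.
SAMPLE_EVENTS: List[Event] = [
    (0, "172.16.10.10", "172.16.10.14"),
    (1, "172.16.10.10", "172.16.10.11"),
    (2, "172.16.10.10", "172.16.10.13"),
    (3, "172.16.10.10", "172.16.10.14"),
    (4, "172.16.10.10", "172.16.10.11"),
    (5, "172.16.10.10", "172.16.10.12"),
    (0, "172.16.10.11", "172.16.10.88"),
    (1, "172.16.10.11", "172.16.10.88"),
    (2, "172.16.10.11", "172.16.10.88"),
    (3, "172.16.10.11", "172.16.10.88"),
]


def sliding_window_sequences(events: List[Event], source_ip: str,
                             window: int, step: int = 1) -> List[List[str]]:
    """Order one user's events by time and cut its destination-IP stream
    into windows of `window` tokens, advancing `step` events each time
    (step=1 is an assumption; the paper does not fix the step size)."""
    dests = [dst for _, src, dst in sorted(events) if src == source_ip]
    return [dests[i:i + window] for i in range(0, len(dests) - window + 1, step)]


def levenshtein(a: Sequence[str], b: Sequence[str]) -> int:
    """Edit distance between two token sequences (each IP is one token)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cost = 0 if x == y else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution / match
        prev = cur
    return prev[-1]


def similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Normalized similarity in [0, 1]: 1 - distance / longer length."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(a, b) / longest


def classify_sequence(current: Sequence[str],
                      threat_patterns: List[Sequence[str]],
                      threshold: float = 0.6) -> Tuple[float, bool]:
    """Compare a current sequence with known-threat historical patterns;
    return (best similarity, whether it reaches the threshold)."""
    best = max((similarity(current, p) for p in threat_patterns), default=0.0)
    return best, best >= threshold


if __name__ == "__main__":
    history = ["172.16.10.14", "172.16.10.11", "172.16.10.13"]
    for seq in sliding_window_sequences(SAMPLE_EVENTS, "172.16.10.10", 3):
        print(seq, "->", round(similarity(history, seq), 2))
    flood = ["172.16.10.88"] * 3
    for seq in sliding_window_sequences(SAMPLE_EVENTS, "172.16.10.11", 3):
        print(seq, "->", classify_sequence(seq, [flood]))
```

With step size 1 the first window of 172.16.10.10 is exactly the historical pattern of Table 5 and the last window is its current pattern, giving a similarity of 1 − 1/3 ≈ 0.67; every window of 172.16.10.11 is three consecutive hits on 172.16.10.88 and scores 1.0 against the repeated-target pattern.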