CN105516177A - 5G network multistage attack mitigation method based on software defined network (SDN) and network function virtualization (NFV) - Google Patents


Info

Publication number
CN105516177A
Authority
CN
China
Prior art keywords
sdn
probability
attack
represent
network
Prior art date
Legal status
Granted
Application number
CN201511002737.8A
Other languages
Chinese (zh)
Other versions
CN105516177B (en)
Inventor
伍军
罗世波
张尚华
郭龙华
李建华
银鹰
Current Assignee
Shanghai Jiaotong University
Original Assignee
Shanghai Jiaotong University
Priority date
Filing date
Publication date
Application filed by Shanghai Jiaotong University
Priority to CN201511002737.8A
Publication of CN105516177A
Application granted
Publication of CN105516177B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W 12/12 Detection or prevention of fraud › H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 Network architectures or network communication protocols for detecting or protecting against malicious traffic › H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 Network architectures or network communication protocols for detecting or protecting against malicious traffic › H04L 63/1433 Vulnerability analysis
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication › H04L 65/1066 Session management › H04L 65/1073 Registration or de-registration

Abstract

The invention provides a multistage attack mitigation method for 5G networks based on SDN and NFV. The method comprises the following steps: a first step, extending the SDN-MN architecture; a second step, deriving from the extended SDN-MN architecture an evidence-driven security evaluation mechanism that applies the software defined mobile network (SDN-MN) together with NFV-based detection; a third step, measuring the security level of the static network through the evidence-driven security evaluation mechanism and a newly generated probability-annotated evidence-driven attack graph; a fourth step, calculating the state node probabilities, action node probabilities and posterior probabilities in the attack graph through the security evaluation algorithm of the evidence-driven security evaluation mechanism; and a fifth step, deploying an attack mitigation mechanism by means of SDN control and NFV, and deploying the corresponding attack mitigation plan according to the security level obtained from the evidence-driven attack graph. The method can be used directly in a 5G network, makes strategy decisions according to the current network environment, and solves the problem of deploying an attack mitigation strategy.

Description

Multistage attack mitigation method for 5G networks based on SDN and NFV
Technical field
The present invention relates to the field of mobile communication security, and in particular to a multistage attack mitigation method for 5G networks based on SDN and NFV.
Background
The development of mobile communication networks has led to the next-generation mobile communication network, 5G. A 5G network connects all kinds of smart devices and heterogeneous networks, which makes it more diverse and complex than any previous network. As large amounts of sensitive and confidential information enter 5G networks, providing effective security services is a key issue that 5G networks must solve.
At the same time, multistage attacks are among the most harmful network security threats. A multistage attack is carried out in several steps so as to conceal the attack: the damage caused by each individual step is smaller than the damage of the attack as a whole. Most current security devices analyse only single-stage attacks and therefore have difficulty preventing a complete multistage attack. Because of the diversity and complexity of 5G networks, they are more susceptible to multistage attacks than ordinary networks. An effective multistage attack mitigation scheme is therefore a prerequisite for providing security services in a 5G network.
Software defined networking (SDN) is gradually becoming the network architecture of the future. In SDN the control plane is separated from the forwarding plane and is directly programmable, which greatly simplifies policy enforcement, network (re)configuration and evolution. In this context the SDN-based mobile network (Software Defined Network-Mobile Network, SDN-MN) is gradually becoming one of the possible architectures of the 5G network. Besides SDN-MN, network function virtualization (NFV) can also be adopted for network management: network devices such as firewalls, deep packet inspection (DPI) and intrusion detection systems are deployed as virtualized components on commodity hardware.
The new features brought by SDN-MN and NFV help to mitigate attacks in the 5G network. SDN-MN can monitor the whole network, including all network events and attack evidence, and a security application on top of the controller can then measure the current security state of the network and make a strategy decision. When the security application issues a strategy decision, it can use the programmability of SDN and the virtualization capability of NFV to instruct the controller to deploy a security mitigation plan.
Three main problems have to be solved in order to resist multistage attacks in a 5G network. The first is the evaluation of network security as an attack unfolds. Attack graphs are a principal method in the field of security evaluation, and there is much research on attack graphs for the security assessment of ordinary networks, but these methods cannot be used directly in a 5G network. The second is the selection of a security strategy. There is research on strategy selection as well, but most of it studies strategy selection in a particular environment and cannot be applied directly to SDN-MN. The third is the deployment of the attack mitigation strategy, which must make the strategy decision promptly according to the current network environment. A new attack mitigation deployment framework is therefore needed.
Summary of the invention
In view of the defects of the prior art, the object of the invention is to provide a multistage attack mitigation method for 5G networks based on SDN and NFV.
The invention uses SDN and NFV to provide an effective multistage attack mitigation scheme for 5G networks. By exploiting the advantages of SDN and NFV, the SDN-MN architecture is extended into a more complete architecture in which security functions are widely deployed across the network and centrally controlled, giving flexible policy and effective response functions. At the same time, an evidence-driven security evaluation mechanism and algorithm are proposed that solve the dynamic security evaluation problem and can measure the current security level of the SDN-MN on the basis of threat information. In addition, the invention shows that attack mitigation is in essence a constrained optimization problem, that constrained optimization methods make the strategy decision effectively, and that the attack mitigation mechanism and algorithm are valid.
The multistage attack mitigation method for 5G networks based on SDN and NFV provided by the invention comprises the following steps:
Step 1: extend the SDN-MN architecture;
Step 2: according to the extended SDN-MN architecture, apply an evidence-driven security evaluation mechanism that uses SDN-MN and NFV-based detection;
Step 3: measure the security level of the static network through said evidence-driven security evaluation mechanism and the newly generated probability-annotated evidence-driven attack graph;
Step 4: calculate the state node probabilities, action node probabilities and posterior probabilities in the attack graph with the security evaluation algorithm of the evidence-driven security evaluation mechanism;
Step 5: deploy an attack mitigation mechanism using SDN control and NFV, and deploy the corresponding attack mitigation plan according to the security level obtained from the evidence-driven attack graph.
Preferably, step 1 comprises:
Step 1.1: set up an enhanced SDN-MN controller, wherein:
the enhanced SDN-MN controller comprises a VNF discovery module, a VNF registration module, a VNF management module, an SDN-MN control module, an evidence-driven security module, an attack strategy module, a network event collection module and SDN components;
the VNF registration module maintains the startup registration information of all VNF instances, the registration information comprising function and cost-effectiveness;
the VNF discovery module performs VNF selection and negotiation and interacts with the VNF registration module so as to select the security standard matching a VNF instance;
the control module of the enhanced SDN-MN controller collects network information from the control plane and instructs the controller to execute the security policy;
the VNF management module collects security events from the VNF instance domains and instructs the VNF instances to execute the security policy;
the evidence-driven security module is triggered by attack evidence, measures the current security state as evidence arrives and, when it recognises a dangerous situation, triggers the attack strategy module to decide on a mitigation plan;
the attack strategy module decides on the mitigation plan according to the security strategy sent from the security application;
the network event collection module is responsible for monitoring the network defence devices, including the IDS and firewall, and sends the events to the evidence-driven security evaluation module;
the SDN components are the basic configuration of the enhanced SDN-MN controller and implement storage, route computation and topology discovery;
Step 1.2: the enhanced SDN-MN controller is connected to the switches through the northbound and southbound interfaces, and each switch contains, in addition to its flow tables, several VNF containers in the form of virtual machines or interpreters.
Preferably, step 2 comprises:
Step 2.1: the enhanced SDN-MN controller collects topology and vulnerability information from the network nodes;
Step 2.2: the enhanced SDN-MN controller generates the current attack graph from the collected topology and vulnerability information;
Step 2.3: the NFV-based network defence devices detect security events;
Step 2.4: the enhanced SDN-MN controller generates the corresponding evidence-driven security evaluation mechanism from the current attack graph and the security events.
Preferably, step 3 comprises:
Step 3.1: the enhanced SDN-MN controller measures the current evidence-driven security level with the evidence-driven security evaluation mechanism obtained in step 2.4;
Step 3.2: the enhanced SDN-MN controller measures the security level of the static network from the probabilities derived from the evidence-driven attack graph.
Preferably, step 4 comprises: calculating the state node probabilities, action node probabilities and posterior probabilities in the attack graph with the security evaluation algorithm of the evidence-driven security evaluation mechanism. Specifically:
The local conditional probability distribution of a state node is: in the directed acyclic graph AG, the conditional probability distribution function of the $i$-th state node $s_i$ is $\Pr(s_i \mid \mathrm{Pre}(s_i))$, where $\mathrm{Pre}(s_i)$ denotes the prerequisite nodes of $s_i$, defined as follows:
A. AND-decomposition
When $a_j = \mathrm{Pre}(s_i)$: $\Pr(s_i \mid \mathrm{Pre}(s_i)) = \Pr(\bigcap a_j)$
where $a_j$ denotes the $j$-th action node, $\mathrm{Pre}(s_i)$ the prerequisite nodes of $s_i$, and $\Pr(\bigcap a_j)$ the probability that all of the $a_j$ are satisfied;
B. OR-decomposition
When $a_j = \mathrm{Pre}(s_i)$: $\Pr(s_i \mid \mathrm{Pre}(s_i)) = \Pr(\bigcup a_j)$
where $a_j$ denotes the $j$-th action node, $\mathrm{Pre}(s_i)$ the prerequisite nodes of $s_i$, and $\Pr(\bigcup a_j)$ the probability that any one of the $a_j$ is satisfied;
The local conditional probability distribution of an action node is: in the directed acyclic graph AG, the local conditional probability distribution function of the $i$-th action node $a_i$ is $\Pr(a_i \mid \mathrm{Pre}(a_i))$, where $\mathrm{Pre}(a_i)$ denotes the prerequisite nodes of $a_i$, defined as follows:
A. AND-decomposition
When $s_j = \mathrm{Pre}(a_i)$: $\Pr(a_i \mid \mathrm{Pre}(a_i)) = \Pr(\bigcap s_j)$
where $s_j$ denotes the $j$-th state node, $\mathrm{Pre}(a_i)$ the prerequisite nodes of $a_i$, and $\Pr(\bigcap s_j)$ the probability that all of the $s_j$ are satisfied;
B. OR-decomposition
When $s_j = \mathrm{Pre}(a_i)$: $\Pr(a_i \mid \mathrm{Pre}(a_i)) = \Pr(\bigcup s_j)$
where $s_j$ denotes the $j$-th state node, $\mathrm{Pre}(a_i)$ the prerequisite nodes of $a_i$, and $\Pr(\bigcup s_j)$ the probability that any one of the $s_j$ is satisfied;
The security evaluation algorithm is described as follows:
Measuring security from evidence requires computing separately the probability $\Pr(a_j)$ of reaching action node $a_j$ and the probability $\Pr(s_j)$ of reaching state node $s_j$, and computing the posterior probability given the evidence;
The probability $\Pr(a_j)$ of reaching action node $a_j$ is computed as:
$\Pr(a_j) = 2 \times B_{AV} \times B_{AC} \times B_{AU}$
where, in the NIST Common Vulnerability Scoring System (CVSS), $B_{AV}$ denotes the access vector, $B_{AC}$ the access complexity and $B_{AU}$ the authentication metric;
The probability $\Pr(s_j)$ of reaching state node $s_j$ is normally a very large value close to 1, and is set to $\Pr(s_j) = 0.98$;
Posterior probability and evidence: each network state has a determined probability of occurrence; when some security event is observed, the posterior probability changes the security state of the network;
Let $E = \{a'_1, a'_2, \dots, a'_m\}$ be a set of action nodes for which evidence has been observed, where $a'_m$ denotes the $m$-th action node with observed evidence, and let $a_j \in A - E$ be an action node whose probability is to be determined from the evidence, i.e. the posterior probability $\Pr(a_j \mid E)$ is sought. It is computed as:
$\Pr(a_j \mid E) = \Pr(E \mid a_j) \times \Pr(a_j) / \Pr(E)$
where $\Pr(E)$ is the existing unconditional probability of the set of action nodes with observed evidence, $\Pr(a_j)$ the existing unconditional probability of node $a_j$, and $\Pr(E \mid a_j)$ the conditional probability of the event that $a'_1, a'_2, \dots, a'_m$ occur jointly.
Preferably, step 5 comprises:
Step 5.1: the enhanced SDN-MN controller decides on the attack mitigation plan according to the security strategy predefined in all VNF instances;
Step 5.2: the enhanced SDN-MN controller obtains the attack mitigation plan and installs VNF instances on the selected network nodes, where a VNF can be implemented as binary code or as an interpreted-language script;
Step I: the attack mitigation plan is deployed so that every reachability probability in the attack graph is below the set threshold.
Preferably, step I comprises:
Step I.1: let $m_i(p_i, cost_i)$ be the attack mitigation mechanism for action $a_i$, where $p_i$ is the factor by which it reduces the success probability of $a_i$ and $cost_i$ is the cost of deploying the attack mitigation control; then
$\Pr(a_j \mid m_i) = \Pr(a_j) \times p_i$
where $\Pr(a_j \mid m_i)$ is the conditional probability of action $a_j$ when the attack mitigation mechanism for action $a_i$ is in place;
Let $M = \{m_i \mid i = 1, 2, \dots, N\}$ denote the attack mitigation mechanisms for the actions $A = \{a_i \mid i = 1, 2, \dots, N\}$, where $m_i$ is the attack mitigation mechanism for action $a_i$ and $a_i$ denotes the $i$-th action node. A boolean vector $T = \{t_i \mid i = 1, 2, \dots, N\}$ represents an attack mitigation plan, where each $t_i$ takes one of the two values True or False: $t_i = \text{True}$ means $m_i$ is used in the plan, and $t_i = \text{False}$ means $m_i$ is not used in the plan;
Suppose the attack graph has $P$ paths to the target and $T$ is an attack mitigation plan; let $P_i(T)$ denote the probability that an attack along the $i$-th path succeeds, and $\mathrm{Cost}(T)$ the total cost of the attack mitigation plan $T$. To achieve the goal of the attack mitigation plan, the following constraint must hold:
$P_i(T) \le \text{Threshold}, \quad i = 1, 2, \dots, P$
which is equivalent to
$G_i(T) = P_i(T) - \text{Threshold} \le 0, \quad i = 1, 2, \dots, P$
where $G_i(T)$ is the difference between the success probability of the $i$-th path and the threshold, $P$ is the number of paths to the target in the attack graph, and Threshold is the maximum probability allowed after the attack mitigation plan has been carried out;
Compute the minimum value of $\mathrm{Cost}(T)$; the corresponding attack mitigation plan $T$ is the optimal attack mitigation plan.
Compared with the prior art, the invention has the following beneficial effects:
1. Attack graphs are the most frequently used method in the field of security evaluation, so there is much research on attack graphs for the security assessment of ordinary networks, but it cannot be applied directly in 5G networks; the evidence-driven security evaluation mechanism proposed in the invention, which uses the SDN-MN factor and NFV-based detection, solves this problem well and can be applied directly in a 5G network.
2. The invention proposes a mechanism that uses SDN control and NFV deployment to carry out attack mitigation; it can make strategy decisions promptly according to the current network environment and solves the problem of deploying an attack mitigation strategy.
Brief description of the drawings
Other features, objects and advantages of the invention will become more apparent from the detailed description of non-limiting embodiments given with reference to the following drawings:
Fig. 1 is a schematic diagram of the enhanced SDN-MN architecture for a 5G network;
Fig. 2 is a schematic diagram of the overall structure of the enhanced SDN-MN controller;
Fig. 3 is a schematic diagram of the principle of the evidence-driven security evaluation mechanism that uses the SDN-MN factor and NFV-based detection;
Fig. 4 is a schematic diagram of a typical network attack;
Fig. 5 is a schematic diagram of the principle of the mechanism that uses SDN control and NFV deployment to carry out attack mitigation.
Detailed description of the embodiments
The invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to understand the invention further, but do not limit the invention in any form. It should be noted that those skilled in the art can make various variations and improvements without departing from the concept of the invention, and these all fall within the scope of protection of the invention.
The invention first extends the definition of the SDN-MN architecture in 5G to improve the system's ability to monitor network events comprehensively and to deploy network security functions in time; it then proposes the evidence-driven security evaluation mechanism that uses the SDN-MN factor and NFV-based detection; and finally it proposes the mechanism that uses SDN control and NFV deployment to carry out attack mitigation.
The specific steps of the invention comprise:
Step S1: extend the SDN-MN architecture;
Step S2: derive and apply the evidence-driven security evaluation mechanism that uses the SDN-MN factor and NFV-based detection;
Step S3: measure the security level of the static network using the attack graph method;
Step S4: obtain the evidence-driven security evaluation algorithm;
Step S5: derive the mechanism for carrying out attack mitigation with SDN control and NFV deployment;
Step S6: obtain the attack mitigation algorithm.
Specifically, as shown in Fig. 1, the controller in the figure controls not only the SDN switches but also the other network devices, including the IDS, firewall and logging; the switches and network devices in the enhanced SDN-MN architecture of the 5G network are able to install virtual network functions (VNFs). This capability improves the processor and memory performance of current switches and network devices.
Further, as shown in Fig. 2, in addition to the common SDN controller components such as the northbound and southbound interfaces, the SDN-MN controller also comprises: a VNF discovery module, a VNF registration module, a virtual network function management module, an SDN-MN control module, an evidence-driven security evaluation module, an attack countermeasure selection module, a network event collection module and SDN components. The VNF registration module maintains the startup registration information of all VNF instances, which comprises function, cost-effectiveness and so on.
The VNF discovery module performs VNF selection and negotiation and interacts with the VNF registration module so as to select the security standard matching a VNF instance.
The SDN-MN control module collects network information from the control plane and instructs the controller to execute the security policy.
The VNF management module collects security events from the VNF instance domains and instructs the VNF instances to execute the security policy.
The evidence-driven security module is triggered by attack evidence, measures the current security state as evidence arrives and, when it recognises a dangerous situation, triggers the attack strategy module to decide on a mitigation plan.
The attack strategy module decides on the mitigation plan according to the security strategy sent from the security application.
The network event collection module is responsible for monitoring the network defence devices, such as the IDS and firewall, and sends the events to the evidence-driven security evaluation module.
Various types of VNF instance, such as IDS, firewall and logging, are stored in the SDN-MN controller; a VNF takes the form of binary code or an interpreted-language script. The proposed switch also contains, in addition to its flow tables, several VNF containers in the form of virtual machines or interpreters.
Specifically, as shown in Fig. 3, the SDN-MN controller collects topology and vulnerability information in a timely manner. The vulnerability information comes mainly from the network nodes, since connectivity and vulnerabilities both arise at the network nodes; collecting topology and vulnerability information from the network nodes is therefore easy for the SDN-MN controller, because it has a central controlling role in the network.
Real-time security events on the network are detected by traditional network protection devices and by the NFV-based network defence devices, and are sent to the SDN controller. The SDN controller measures the current evidence-driven security level using the evidence and the evidence-driven security evaluation algorithm.
Specifically, as shown in Fig. 4, the current security level of the network is represented by an attack graph. A network attack graph is a 7-tuple directed acyclic graph $AG = (S, S_0, G, A, E, \Delta, \varphi)$, where:
$S = \{s_i \mid i = 1, \dots, N\}$ is the finite set of state nodes, where $s_i$ denotes the $i$-th state node;
$S_0$ is the set of states from which the attacker starts, and $S_0 \subseteq S$;
$G$ is the set of attack targets, and $G \subseteq S$;
$A = \{a_i \mid i = 1, \dots, N\}$ is the finite set of action nodes, where $a_i$ denotes the $i$-th action node;
$E = E_1 \cup E_2$ is the finite set of edges connecting the nodes: $E_1$ is the set of edges expressing that an action can only be considered once the attacker has captured its prerequisite states, and $E_2$ is the set of edges expressing that an action may allow the attacker to capture some other state. $\mathrm{Pre}(n)$ and $\mathrm{Con}(n)$ denote the prerequisite nodes and the consequence nodes of a node $n$.
$\Delta = \{\delta : (\mathrm{Pre}(a_i), a_i) \to [0, 1]\}$ is the conditional probability distribution of whether an action is considered, given whether its prerequisites are satisfied, where $a_i$ denotes the $i$-th action node and $\mathrm{Pre}(a_i)$ its prerequisite nodes;
$\varphi$ is the conditional probability distribution that an action is carried out successfully, where $a_i$ denotes the $i$-th action node and $\mathrm{Con}(a_i)$ its consequence nodes.
An edge between two nodes expresses a causal dependency between them, and each node is labelled with a decomposition. AND-decomposition means that a node being compromised implies that all of its parent nodes have also been compromised; OR-decomposition means that at least one parent node is in the true state.
The local conditional probability distribution of a state node is: in the directed acyclic graph AG, the conditional probability distribution function of $s_i$ is $\Pr(s_i \mid \mathrm{Pre}(s_i))$, where $s_i$ denotes the $i$-th state node and $\mathrm{Pre}(s_i)$ its prerequisite nodes, defined as follows:
A. AND-decomposition
When $a_j = \mathrm{Pre}(s_i)$: $\Pr(s_i \mid \mathrm{Pre}(s_i)) = \Pr(\bigcap a_j)$
where $a_j$ denotes the $j$-th action node, $\mathrm{Pre}(s_i)$ the prerequisite nodes of $s_i$, and $\Pr(\bigcap a_j)$ the probability that all of the $a_j$ are satisfied
B. OR-decomposition
When $a_j = \mathrm{Pre}(s_i)$: $\Pr(s_i \mid \mathrm{Pre}(s_i)) = \Pr(\bigcup a_j)$
where $a_j$ denotes the $j$-th action node, $\mathrm{Pre}(s_i)$ the prerequisite nodes of $s_i$, and $\Pr(\bigcup a_j)$ the probability that any one of the $a_j$ is satisfied
The local conditional probability distribution of an action node is: in AG, the local conditional probability distribution function of $a_i$ is $\Pr(a_i \mid \mathrm{Pre}(a_i))$, where $a_i$ denotes the $i$-th action node and $\mathrm{Pre}(a_i)$ its prerequisite nodes, defined as follows:
A. AND-decomposition
When $s_j = \mathrm{Pre}(a_i)$: $\Pr(a_i \mid \mathrm{Pre}(a_i)) = \Pr(\bigcap s_j)$
where $s_j$ denotes the $j$-th state node, $\mathrm{Pre}(a_i)$ the prerequisite nodes of $a_i$, and $\Pr(\bigcap s_j)$ the probability that all of the $s_j$ are satisfied
B. OR-decomposition
When $s_j = \mathrm{Pre}(a_i)$: $\Pr(a_i \mid \mathrm{Pre}(a_i)) = \Pr(\bigcup s_j)$
where $s_j$ denotes the $j$-th state node, $\mathrm{Pre}(a_i)$ the prerequisite nodes of $a_i$, and $\Pr(\bigcup s_j)$ the probability that any one of the $s_j$ is satisfied
The evidence-driven security evaluation algorithm is described as follows:
Under the probabilistic approach, measuring security from evidence requires three problems to be solved: how to compute separately the probability $\Pr(a_j)$ of $a_j$ and the probability $\Pr(s_j)$ of $s_j$, and how to compute the posterior probability given the evidence.
The probability of vulnerability exploitation: some researchers use the standards defined in the NIST Common Vulnerability Scoring System (CVSS) to estimate the likelihood of an attack.
Given the exposure information (CVSS attributes) of the vulnerability, the probability $\Pr(a_j)$ that a given vulnerability exploitation $a_j$ succeeds is computed as:
$\Pr(a_j) = 2 \times B_{AV} \times B_{AC} \times B_{AU}$
where, in CVSS, $B_{AV}$ denotes the access vector, $B_{AC}$ the access complexity and $B_{AU}$ the authentication metric.
The probability that the attacker is willing to perform further actions: once an attacker has started attacking the network, he or she always wants to do more. The probability $\Pr(s_j)$ of $s_j$ is therefore normally a very large value close to 1; in the invention it is defined as $\Pr(s_j) = 0.98$.
Posterior probability and evidence: each network state has a determined probability of occurrence. When some security event is observed, this probability changes the security state of the network.
Let $E = \{a'_1, \dots, a'_m\}$ be a set of action nodes for which some evidence has been observed, where $a'_m$ denotes the $m$-th action node with observed evidence. Then $a_j \in A - E$ is an action node whose probability is to be determined from the evidence; that is, the probability of interest is $\Pr(a_j \mid E)$, obtained by Bayes' theorem:
$\Pr(a_j \mid E) = \Pr(E \mid a_j) \times \Pr(a_j) / \Pr(E)$
where $\Pr(E)$ and $\Pr(a_j)$ are the existing unconditional probabilities of the corresponding nodes, and $\Pr(E \mid a_j)$ is the conditional probability of the event that $a'_1, \dots, a'_m$ occur jointly.
The mechanism that uses SDN control and NFV deployment to carry out attack mitigation is described as follows:
Using the evidence-driven attack graph method described above, all previously registered VNF instances are observed at the level of the SDN-MN controller, and the attack mitigation plan is decided by accepting the predefined security strategy.
The SDN-MN controller then obtains the attack mitigation plan and installs VNF instances on the selected network nodes; a VNF can be implemented as binary code or as an interpreted-language script. After these steps the mobile network can resist the threats and reach a secure state.
First, let $m_i(p_i, cost_i)$ be the attack mitigation control for action $a_i$, where $p_i$ is the factor by which it reduces the success probability of $a_i$ and $cost_i$ is the cost of deploying the attack mitigation control. Then:
$\Pr(a_j \mid m_i) = \Pr(a_j) \times p_i$
In the invention, the goal of the attack mitigation plan is to deploy enough attack mitigation mechanisms that every reachability probability in the attack graph is below a certain threshold, while at the same time ensuring that the cost of the attack mitigation controls deployed is the minimum among all mitigation plans.
Then let $M = \{m_i \mid i = 1, \dots, N\}$ be the attack mitigation controls for the actions $A = \{a_i \mid i = 1, \dots, N\}$, where $m_i$ is the attack mitigation control for action $a_i$ and $a_i$ denotes the $i$-th action node. A boolean vector $T = \{t_i \mid i = 1, \dots, N\}$ represents an attack mitigation plan, where each $t_i$ takes one of the two values True or False: $t_i = \text{True}$ means $m_i$ is used in the plan, and $t_i = \text{False}$ means $m_i$ is not used in the plan.
Suppose the attack graph has $P$ paths to the target and $T$ is an attack mitigation plan. The threshold is the maximum probability allowed after the attack mitigation plan has been carried out. Let $P_i(T)$ be the probability that an attack along the $i$-th path succeeds, and $\mathrm{Cost}(T)$ the total cost of the attack mitigation plan $T$. To achieve the goal of the attack mitigation plan, these values must obey the constraint:
$P_i(T) \le \text{Threshold}, \quad i = 1, \dots, P$
which is equivalent to
$G_i(T) = P_i(T) - \text{Threshold} \le 0, \quad i = 1, \dots, P$
Compute the minimum $\mathrm{Cost}(T)$.
Above specific embodiments of the invention are described.It is to be appreciated that the present invention is not limited to above-mentioned particular implementation, those skilled in the art can make various distortion or amendment within the scope of the claims, and this does not affect flesh and blood of the present invention.

Claims (7)

1. A 5G network multi-level attack mitigation method based on SDN and NFV, characterized in that it comprises the following steps:
Step 1: extending the SDN-MN architecture;
Step 2: according to the extended SDN-MN architecture, applying an evidence-driven security evaluation mechanism based on SDN-MN and NFV detection;
Step 3: measuring the security level of the static network using the evidence-driven attack graph produced by the evidence-driven security evaluation mechanism and the generated probabilities;
Step 4: calculating the state node probabilities, action node probabilities and posterior probabilities in the attack graph using the security evaluation algorithm of the evidence-driven security evaluation mechanism;
Step 5: deploying the attack mitigation mechanism using SDN control and NFV, and deploying the corresponding attack mitigation plan according to the security level obtained from the evidence-driven attack graph.
2. The 5G network multi-level attack mitigation method based on SDN and NFV according to claim 1, characterized in that step 1 comprises:
Step 1.1: establishing an enhanced SDN-MN controller, wherein:
the enhanced SDN-MN controller comprises a VNF discovery module, a VNF registration module, a VNF management module, an SDN-MN control module, an evidence-driven security module, an attack strategy module, a network event collection module and SDN components;
the VNF registration module maintains the start-up registration information of all VNF instances, the registration information comprising function, cost and effect;
the VNF discovery module is used for VNF selection and negotiation and interacts with the VNF registration module to select the security standard matching a VNF instance;
the management module of the enhanced SDN-MN controller collects network information from the control plane and notifies the controller to execute the security policy;
the VNF management module collects security events from the VNF instance domain and notifies the VNF instances to execute the security policy;
the evidence-driven security module is triggered by attack evidence, measures the current security state as evidence arrives, and, when a dangerous situation is identified, triggers the attack strategy module to determine a mitigation plan;
the attack strategy module determines the mitigation plan according to the security policy sent from the security application;
the network event collection module is responsible for monitoring the network defense equipment, including IDS and firewalls, and sends the events to the evidence-driven security evaluation module;
the SDN components are the basic configuration of the enhanced SDN-MN controller and are used to implement storage, route computation and topology discovery;
Step 1.2: the enhanced SDN-MN controller is electrically connected to the switches through a northbound interface or a southbound interface, and in addition to the basic flow actions the switches also comprise multiple VNF containers, the form of which includes virtual machines or interpreters.
3. The 5G network multi-level attack mitigation method based on SDN and NFV according to claim 2, characterized in that step 2 comprises:
Step 2.1: the enhanced SDN-MN controller collects topology and vulnerability information from the network nodes;
Step 2.2: the enhanced SDN-MN controller generates the current attack graph according to the collected topology and vulnerability information;
Step 2.3: security events are detected by the NFV-based network defense equipment;
Step 2.4: the enhanced SDN-MN controller generates the corresponding evidence-driven security evaluation mechanism according to the current attack graph and the security events.
4. The 5G network multi-level attack mitigation method based on SDN and NFV according to claim 3, characterized in that step 3 comprises:
Step 3.1: the enhanced SDN-MN controller measures the current evidence-driven security level using the evidence-driven security evaluation mechanism obtained in step 2.4;
Step 3.2: the enhanced SDN-MN controller measures the security level of the static network using the probabilities derived from the evidence-driven attack graph.
5. The 5G network multi-level attack mitigation method based on SDN and NFV according to claim 4, characterized in that step 4 comprises: calculating the state node probabilities, action node probabilities and posterior probabilities in the attack graph using the security evaluation algorithm of the evidence-driven security evaluation mechanism; specifically,
the local conditional probability distribution of a state node is: in the directed acyclic graph AG, the conditional probability distribution function of the i-th state node s_i is Pr(s_i | Pre(s_i)), where Pre(s_i) denotes the prerequisite nodes of s_i, defined as follows:
A. for AND decomposition:
when a_j = Pre(s_i), Pr(s_i | Pre(s_i)) = Pr(∩ a_j)
where a_j denotes the j-th action node, Pre(s_i) denotes the prerequisite nodes of s_i, and Pr(∩ a_j) denotes the probability that all of the a_j conditions are satisfied;
B. for OR decomposition:
when a_j = Pre(s_i), Pr(s_i | Pre(s_i)) = Pr(∪ a_j)
where a_j denotes the j-th action node, Pre(s_i) denotes the prerequisite nodes of s_i, and Pr(∪ a_j) denotes the probability that any one of the a_j conditions is satisfied;
the local conditional probability distribution of an action node is: in the directed acyclic graph AG, the local conditional probability distribution function of the i-th action node a_i is Pr(a_i | Pre(a_i)), where Pre(a_i) denotes the prerequisite nodes of a_i, defined as follows:
A. for AND decomposition:
when s_j = Pre(a_i), Pr(a_i | Pre(a_i)) = Pr(∩ s_j)
where s_j denotes the j-th state node, Pre(a_i) denotes the prerequisite nodes of a_i, and Pr(∩ s_j) denotes the probability that all of the s_j conditions are satisfied;
B. for OR decomposition:
when s_j = Pre(a_i), Pr(a_i | Pre(a_i)) = Pr(∪ s_j)
where s_j denotes the j-th state node, Pre(a_i) denotes the prerequisite nodes of a_i, and Pr(∪ s_j) denotes the probability that any one of the s_j conditions is satisfied;
the security evaluation algorithm is specifically described as follows:
measuring security with evidence requires separately computing the probability Pr(a_j) of reaching action node a_j and the probability Pr(s_j) of reaching state node s_j, and computing the posterior probability given the evidence;
the probability Pr(a_j) of reaching action node a_j is computed as follows:
Pr(a_j) = 2 × B_AV × B_AC × B_AU
where, in the NIST Common Vulnerability Scoring System (CVSS), B_AV denotes the access vector, B_AC denotes the access complexity and B_AU denotes authentication;
the probability Pr(s_j) of reaching state node s_j is normally a large value close to 1, and is set to Pr(s_j) = 0.98;
posterior probability and evidence: each network state has a determined probability of occurrence, and when a security event occurs the posterior probabilities in the network change accordingly;
let E = {a'_1, a'_2, ..., a'_m} be the set of action nodes for which evidence has already been observed, where a'_m denotes the m-th action node with observed evidence, and let a_j ∈ A − E denote an action node whose probability is to be determined from the evidence, i.e. the posterior probability Pr(a_j | E) is to be solved, computed as follows:
Pr(a_j | E) = Pr(E | a_j) × Pr(a_j) / Pr(E)
where Pr(E) denotes the existing unconditional probability of the set of action nodes with observed evidence, Pr(a_j) denotes the existing unconditional probability of the corresponding node a_j, and Pr(E | a_j) denotes the conditional probability of the event that a'_1, a'_2, ..., a'_m occur jointly.
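As an added example that is not part of the patent, the following Python code builds a small constructed attack graph with the AND/OR local conditional distributions above, derives each Pr(a_j) from the page's CVSS formula (using the CVSS v2 base metric values), and obtains Pr(a_j | E) by exact enumeration of the joint distribution. The enumeration approach, the sample graph, and the rule that a node is reached with its local probability only when its prerequisite condition holds are assumptions of this example.

```python
from itertools import product

# CVSS v2 base metric values, used in the page's formula Pr(a_j) = 2 * B_AV * B_AC * B_AU
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
STATE_PRIOR = 0.98  # page: Pr(s_j) is close to 1 and fixed at 0.98

def action_prob(av, ac, au):
    """Probability of reaching an action node, from its CVSS v2 metrics."""
    return 2 * AV[av] * AC[ac] * AU[au]

# Constructed attack graph AG (hypothetical, for illustration only):
# name -> (decomposition over prerequisites, prerequisite nodes, local probability).
# s* are state nodes, a* are action nodes; s0 is the attacker's initial state.
GRAPH = {
    "s0": ("and", [], 1.0),
    "a1": ("and", ["s0"], action_prob("N", "L", "N")),        # remote exploit of edge service
    "s1": ("or", ["a1"], STATE_PRIOR),
    "a2": ("and", ["s1"], action_prob("A", "M", "S")),        # adjacent-network exploit
    "a3": ("and", ["s1"], action_prob("N", "H", "M")),        # harder alternative exploit
    "s2": ("or", ["a2", "a3"], STATE_PRIOR),                  # OR decomposition
    "a4": ("and", ["s1", "s2"], action_prob("L", "L", "N")),  # AND decomposition
    "s3": ("and", ["a4"], STATE_PRIOR),                       # attack target
}

def weight_of(assign):
    """Joint probability of one truth assignment: a node can be reached only when
    its prerequisite condition (AND: all, OR: any) holds, then with its local prob."""
    w = 1.0
    for name, (decomp, pre, local) in GRAPH.items():
        cond = (not pre) or (all(assign[p] for p in pre) if decomp == "and"
                             else any(assign[p] for p in pre))
        if assign[name]:
            w *= local if cond else 0.0
        elif cond:
            w *= 1.0 - local
        if w == 0.0:
            return 0.0
    return w

def joint_weights():
    """Yield every assignment with non-zero probability together with its weight."""
    names = list(GRAPH)
    for bits in product((False, True), repeat=len(names)):
        assign = dict(zip(names, bits))
        w = weight_of(assign)
        if w:
            yield assign, w

def marginal(node):
    """Unconditional Pr(node) by exact enumeration of the joint distribution."""
    return sum(w for a, w in joint_weights() if a[node])

def posterior(node, evidence):
    """Pr(node | E) = Pr(E | node) * Pr(node) / Pr(E), with E = observed action nodes."""
    pr_e = sum(w for a, w in joint_weights() if all(a[e] for e in evidence))
    pr_both = sum(w for a, w in joint_weights() if a[node] and all(a[e] for e in evidence))
    return pr_both / pr_e
```

Observing a downstream action such as a4 raises the posterior of the upstream actions that lead to it, which is the evidence-driven update the claim describes.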
6. The 5G network multi-level attack mitigation method based on SDN and NFV according to claim 5, characterized in that step 5 comprises:
Step 5.1: the enhanced SDN-MN controller determines the attack mitigation plan according to the security policy predefined in all VNF instances;
Step 5.2: the enhanced SDN-MN controller obtains the attack mitigation plan and installs VNF instances on the selected network nodes, where a VNF can be implemented as binary code or as an interpreted-language script;
Step I: the attack mitigation plan is deployed such that all probabilities in the attack graph can be brought below a set threshold.
7. The 5G network multi-level attack mitigation method based on SDN and NFV according to claim 6, characterized in that step I comprises:
Step I1: let m_i(p_i, cost_i) be the attack mitigation mechanism for action a_i, where p_i denotes the factor by which the success probability of a_i is reduced and cost_i is the cost of deploying the attack mitigation control; then the following formula is obtained:
Pr(a_j | m_i) = Pr(a_j) × p_i
where Pr(a_j | m_i) denotes the conditional probability of action a_j when the attack mitigation mechanism for action a_i is in effect;
let M = {m_i | i = 1, 2, ..., N} denote the attack mitigation mechanisms for the actions A = {a_i | i = 1, 2, ..., N}, where m_i is the attack mitigation mechanism for action a_i and a_i denotes the i-th node; a Boolean vector T = {t_i | i = 1, 2, ..., N} represents one attack mitigation plan, where each t_i takes one of two values, True or False: t_i = True means m_i is used in the plan, and t_i = False means m_i is not used in the plan;
suppose the attack graph has P paths to the target and T is an attack mitigation plan; P_i(T) denotes the success probability of the i-th path, and the total cost of attack mitigation plan T is Cost(T); to achieve the goal of the attack mitigation plan, the following policy must be obeyed:
P_i(T) ≤ Threshold, i = 1, 2, ..., p
which is equivalent to
G_i(T) = P_i(T) − Threshold ≤ 0, i = 1, 2, ..., p
where G_i(T) denotes the difference between the success probability of the i-th path and Threshold, p denotes the P paths to the target in the attack graph, and Threshold denotes the threshold value, which is the maximum allowed after the attack mitigation plan has been carried out;
the minimum value of Cost(T) is calculated, and the corresponding attack mitigation plan T is the optimal attack mitigation plan.
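The mitigation plan formulation from the description and from claim 7, as an added example in Python that is not part of the patent: it searches the Boolean vector T for the cheapest plan for which every path satisfies G_i(T) = P_i(T) − Threshold ≤ 0. The controls m_i = (p_i, cost_i), the base probabilities Pr(a_j) and the paths are constructed; treating a path's success probability as the product of its (mitigated) action probabilities and using exhaustive search are assumptions of this example, since the page does not specify a solver.

```python
from itertools import product
from math import prod

# Constructed controls m_i = (p_i, cost_i) for each action a_i (hypothetical values):
# p_i scales Pr(a_i) when the control is deployed, cost_i is its deployment cost.
CONTROLS = {
    "a1": (0.20, 5.0),   # e.g. patch the edge-service VNF
    "a2": (0.50, 3.0),   # e.g. firewall VNF between network segments
    "a3": (0.10, 8.0),   # e.g. stronger authentication
    "a4": (0.30, 4.0),   # e.g. egress-filtering VNF
}
# Constructed base probabilities Pr(a_j) and the P attack paths to the target.
BASE = {"a1": 0.9997, "a2": 0.4413, "a3": 0.3150, "a4": 0.3949}
PATHS = [["a1", "a2", "a4"], ["a1", "a3", "a4"]]

def mitigated_prob(action, plan):
    """Pr(a_j | m_i) = Pr(a_j) * p_i when t_i is True, otherwise Pr(a_j)."""
    p_i, _ = CONTROLS[action]
    return BASE[action] * (p_i if plan.get(action, False) else 1.0)

def path_prob(path, plan):
    """P_i(T): success probability of one path; actions assumed independent."""
    return prod(mitigated_prob(a, plan) for a in path)

def cost(plan):
    """Cost(T): sum of cost_i over the controls with t_i = True."""
    return sum(CONTROLS[a][1] for a, used in plan.items() if used)

def feasible(plan, threshold):
    """G_i(T) = P_i(T) - Threshold <= 0 must hold for every path i."""
    return all(path_prob(p, plan) - threshold <= 0 for p in PATHS)

def optimal_plan(threshold):
    """Cheapest feasible T by exhaustive search over all 2^N Boolean vectors
    (fine for small N); returns None when no plan meets the threshold."""
    best = None
    actions = list(CONTROLS)
    for bits in product((False, True), repeat=len(actions)):
        plan = dict(zip(actions, bits))
        if feasible(plan, threshold) and (best is None or cost(plan) < cost(best)):
            best = plan
    return best
```

With these values the two cheapest single controls each leave one path above a 0.05 threshold, so the optimum is the costlier control on the shared first step, which the per-path constraint makes visible.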
Application CN201511002737.8A, priority date 2015-12-28, filing date 2015-12-28: 5G network multi-level attack mitigation method based on SDN and NFV. Status: Active. Granted as CN105516177B (en).
Publications (2)

Publication Number Publication Date
CN105516177A true CN105516177A (en) 2016-04-20
CN105516177B CN105516177B (en) 2019-02-22

Family

ID=55723813

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant