CN105516177B - 5G network multi-level based on SDN and NFV attacks alleviation method - Google Patents


Info

Publication number: CN105516177B
Authority: CN (China)
Legal status: Active
Application number: CN201511002737.8A
Other languages: Chinese (zh)
Other versions: CN105516177A (en)
Inventors: 伍军, 罗世波, 张尚华, 郭龙华, 李建华, 银鹰
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University

Classifications

    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS] (under H04W12/00 Security arrangements; H04W12/12 Detection or prevention of fraud)
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14 Detecting or protecting against malicious traffic)
    • H04L63/1433 Vulnerability analysis
    • H04L65/1073 Registration or de-registration (under H04L65/1066 Session management)


Abstract

The present invention provides a multi-level attack mitigation method for 5G networks based on SDN and NFV, comprising the following steps. Step 1: extend the SDN-MN architecture. Step 2: based on the extended SDN-MN architecture, apply an evidence-driven security evaluation mechanism that uses SDN-MN and NFV-based detection. Step 3: measure the security level of the static network using the evidence-driven security evaluation mechanism and the probabilities in the generated evidence-driven attack graph. Step 4: use the security evaluation algorithm of the evidence-driven mechanism to compute the state node probabilities, action node probabilities and posterior probabilities in the attack graph. Step 5: deploy the attack mitigation mechanism through SDN control and NFV deployment, installing the attack mitigation plan that corresponds to the security level obtained from the evidence-driven attack graph. The invention can be applied directly in 5G networks, can make timely policy decisions according to the current network environment, and solves the deployment problem of attack mitigation strategies.

Description

5G network multi-level attack mitigation method based on SDN and NFV
Technical field
The present invention relates to the field of mobile communication security, and in particular to a 5G network multi-level attack mitigation method based on SDN and NFV.
Background art
The development of mobile communication networks has driven the birth of the next-generation mobile communication network, 5G. A 5G network connects a wide variety of intelligent devices and heterogeneous networks, which makes it more diversified and more complex than its predecessors. As large amounts of sensitive and confidential information enter the 5G network, providing effective security services becomes a key problem that 5G networks must solve.
At the same time, multi-stage attacks are among the most harmful network security threats. They carry out an attack in multiple steps in order to conceal it, and the damage caused by each individual step is smaller than the overall damage. Most current security devices analyze only single-stage attacks and therefore have difficulty preventing a complete multi-stage attack. Because of the diversity and complexity of 5G networks, they are more susceptible to multi-stage attacks than ordinary networks. A prerequisite for running security services on a 5G network is therefore an effective multi-stage attack mitigation scheme.
Software Defined Networking (SDN) is increasingly becoming the architecture of future networks. In SDN, the control plane is separated from forwarding and is directly programmable. This greatly simplifies policy enforcement and the (re)configuration and evolution of the network. In this context, the SDN-based mobile network (Software Defined Network-Mobile Network, SDN-MN) has become one of the candidate architectures for future 5G networks. In addition to SDN-MN, Network Function Virtualization (NFV) can be applied to network management: network devices such as firewalls, deep packet inspection (DPI) and intrusion detection systems are configured as virtualized components on commodity hardware.
The new features brought by SDN-MN and NFV help mitigate attacks in 5G networks. SDN-MN can monitor the entire network, including all network events and attack evidence, so that a security application above the controller can measure the current security state of the network and make policy decisions. When the security application issues a policy decision, it can use the programmability of SDN and the virtualization capability of NFV to instruct the controller to deploy a security mitigation plan.
To resist multi-stage attacks in 5G networks, three major problems need to be solved. The first is the evaluation of network security as an attack unfolds. In the field of security evaluation, the attack graph is a principal method. There is much research on attack graphs for the security assessment of ordinary networks, but those methods cannot be used directly in 5G networks. The second is the selection of security policies. There is also research on policy selection, but most of it studies policy selection in specific environments and cannot be applied directly to SDN-MN. The third is the deployment of attack mitigation strategies, which must meet the timeliness requirements of policy decisions under the current network environment. A new attack mitigation deployment framework is therefore needed.
Summary of the invention
In view of the defects of the prior art, the object of the present invention is to provide a 5G network multi-level attack mitigation method based on SDN and NFV.
The present invention uses SDN and NFV to provide an effective multi-stage attack mitigation scheme for 5G networks. Using the advantages of SDN and NFV, the SDN-MN architecture is extended into a more complete architecture. In the present invention, security functions are widely deployed in the network and centralized control of the security architecture is provided, which gives flexible policies and effective response capability. At the same time, an evidence-driven security evaluation mechanism and algorithm are proposed; they solve the problem of dynamic security evaluation and can measure the current security level of the SDN-MN based on threat information. In addition, the invention shows that the attack mitigation problem is essentially a constrained optimization problem, that constrained optimization methods make the policy decision effective, and it demonstrates the validity of the attack mitigation mechanism and algorithm.
The 5G network multi-level attack mitigation method based on SDN and NFV provided by the present invention comprises the following steps:
Step 1: extend the SDN-MN architecture;
Step 2: according to the extended SDN-MN architecture, apply the evidence-driven security evaluation mechanism using SDN-MN and NFV-based detection;
Step 3: measure the security level of the static network using the evidence-driven security evaluation mechanism and the probabilities in the generated evidence-driven attack graph;
Step 4: compute the state node probabilities, action node probabilities and posterior probabilities in the attack graph using the security evaluation algorithm of the evidence-driven security evaluation mechanism;
Step 5: deploy the attack mitigation mechanism using SDN control and NFV deployment, installing the attack mitigation plan corresponding to the security level obtained from the evidence-driven attack graph.
Preferably, step 1 comprises:
Step 1.1: establishing the reinforced SDN-MN controller; wherein:
The reinforced SDN-MN controller comprises: a VNF discovery module, a VNF registration module, a VNF management module, an SDN-MN control module, an evidence-driven security module, an attack strategy module, a network event collection module and SDN components;
The VNF registration module maintains the initial registration information of all VNF instances, which includes their functions and cost effects;
The VNF discovery module interacts with the VNF registration module to perform VNF selection and negotiation, so as to select VNF instances matching the required security standard;
The SDN-MN control module collects network information from the control plane and notifies the controller to enforce security policies;
The VNF management module collects security events from the VNF instance domain and notifies VNF instances to enforce security policies;
The evidence-driven security module is triggered by attack evidence and measures the current security state from that evidence; when a dangerous situation is identified, it triggers the attack strategy module to decide on a mitigation plan;
The attack strategy module decides on a mitigation plan according to the security strategy sent from the security application;
The network event collection module is responsible for monitoring network defense devices, including IDSs and firewalls, and sends events to the evidence-driven security module;
The SDN components are the basic configuration of the reinforced SDN-MN controller and implement storage, route computation and topology discovery;
Step 1.2: the reinforced SDN-MN controller is electrically connected to the switches through northbound or southbound interfaces; in addition to flow table actions, the switches also contain multiple VNF containers, which take the form of virtual machines or interpreters.
Preferably, step 2 comprises:
Step 2.1: the reinforced SDN-MN controller collects topology and vulnerability information from the network nodes;
Step 2.2: the reinforced SDN-MN controller generates the current attack graph from the collected topology and vulnerability information;
Step 2.3: security events are detected by the NFV-based network defense devices;
Step 2.4: the reinforced SDN-MN controller generates the corresponding evidence-driven security evaluation mechanism from the current attack graph and the security events.
Preferably, step 3 comprises:
Step 3.1: the reinforced SDN-MN controller measures the current evidence-driven security level using the evidence-driven security evaluation mechanism obtained in step 2.4;
Step 3.2: the reinforced SDN-MN controller measures the security level of the static network from the probabilities obtained from the evidence-driven attack graph.
Preferably, step 4 comprises: computing the state node probabilities, action node probabilities and posterior probabilities in the attack graph using the security evaluation algorithm of the evidence-driven security evaluation mechanism; specifically,
The state node probability distribution under local condition are as follows: in directed acyclic graph AG, i-th of state nodeCondition Probability-distribution function is,It indicatesPremise node, be defined as follows:
A. For AND decomposition
WhenWhen,
WhereinIndicate j-th of movement node,It indicatesPremise node,It indicates to meet All conditionsProbability;
B. For OR decomposition
WhenWhen,
In formula:Indicate j-th of movement node,It indicatesPremise node,It indicates to meet and appoint One conditionProbability;
Node probability distribution is acted under local condition are as follows: in directed acyclic graph AG, i-th of state nodePart Conditional probability distribution function is mathematically equivalent to,It indicatesPremise node, specifically It is defined as follows:
A. For AND decomposition
WhenWhen,
WhereinIndicate j-th of state node,It indicatesPremise node,Expression meets institute It is conditionalProbability;
B. For OR decomposition
WhenWhen,
WhereinIndicate j-th of state node,It indicatesPremise node,It indicates to meet and appoint One conditionProbability;
The security evaluation algorithm is described in detail as follows:
Measuring security from evidence requires separately computing the probability of reaching an action node and the probability of reaching a state node, and computing the posterior probability given the evidence;
Arrival acts nodeProbabilityCalculation method it is as follows:
In the common loophole points-scoring system CVSS of NIST,Indicate access vector,Indicate the complexity of access, Indicate certification example;
Reach state nodeProbabilityA usually very big value is enabled close to 1
Posterior probability and evidence: each network state has a definite probability of occurrence; when certain security events occur, the posterior probabilities in the network change;
It enablesThe movement node of evidence is had observed that for one group,Indicate m-th of satisfaction Observe the movement node of evidence, andEvidence as needed is indicated to determine the movement node of probability, that is, is asked Solve posterior probability, calculation formula is as follows:
In formula:Indicate the existing unconditional probability value for the movement node that one group has observed that evidence,Table Show correspondingThe existing unconditional probability value of node,It indicatesItem when event occurs jointly Part probability.
Preferably, step 5 comprises:
Step 5.1: the reinforced SDN-MN controller decides on an attack mitigation plan according to the security strategy predefined in all VNF instances;
Step 5.2: the reinforced SDN-MN controller obtains the attack mitigation plan and installs VNF instances on the selected network nodes, where a VNF can be implemented as binary code or as an interpreted-language script;
Step i: deploy attack mitigation plans so that all probabilities in the attack graph can be brought below a given threshold.
Preferably, step i comprises:
Step i1: it setsIt is movementAttack alleviate mechanism,It indicates to reduceThe probability of success because Element,It is that control cost is alleviated in deployment attack, then obtains following calculation formula:
In formula:It indicates to act in satisfactionAttack alleviation mechanism in the case of actConditional probability;
WithExpression movementAttack alleviate mechanism, wherein It is operationAttack alleviate mechanism,Indicate i-th of state node;One boolean vectorTable Show an attack alleviation plan, whereinThere are two value True or False,When indicateIt is being used in the works, WhenWhen indicateIt is not used in the works;
Assuming that have P paths to target in attack graph, and T is attack alleviation plan;Indicate that the i-th paths are successfully attacked Plan is alleviated in the probability hit, attackTotle drilling cost be, in order to realize the target of attack alleviation plan, then must obey Following policy:
,
It is equal to
,
In formula:Indicate the difference between the probability and Threshold of the i-th paths successful attack,Expression is attacked Hitting in figure has P paths to target,It indicates threshold values, is the maximum value allow after attack alleviation plan;
It calculates the smallestValue, then plan is alleviated in corresponding attackAlleviate for optimal attack and plans.
Compared with the prior art, the present invention has the following beneficial effects:
1. Since the attack graph is currently the most commonly used method in the field of security evaluation, there is much research applying attack graphs to the security assessment of ordinary networks, but this cannot be applied directly to 5G networks. The evidence-driven security evaluation mechanism proposed in the present invention, which uses SDN-MN factors and NFV-based detection, solves this problem well and can be applied directly in 5G networks.
2. The present invention proposes a mechanism for attack mitigation using SDN control and NFV deployment, which can make timely policy decisions according to the current network environment and solves the deployment problem of attack mitigation strategies.
Description of the drawings
Other features, objects and advantages of the present invention will become more apparent upon reading the detailed description of non-limiting embodiments with reference to the following drawings:
Fig. 1 is a schematic diagram of the enhanced SDN-MN architecture based on a 5G network;
Fig. 2 is a diagram of the overall structure of the enhanced SDN-MN controller;
Fig. 3 is a schematic diagram of the principle of the evidence-driven security evaluation mechanism using SDN-MN factors and NFV-based detection;
Fig. 4 is a schematic diagram of a typical network attack;
Fig. 5 is a schematic diagram of the principle of the mechanism for attack mitigation using SDN control and NFV deployment.
Specific embodiments
The present invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to further understand the present invention, but do not limit the invention in any way. It should be noted that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the scope of protection of the present invention.
The present invention first extends the definition of the SDN-MN architecture in 5G to improve the system's ability to monitor network events comprehensively and deploy network security functions in time; it then proposes an evidence-driven security evaluation mechanism using SDN-MN factors and NFV-based detection; and finally it proposes a mechanism for attack mitigation using SDN control and NFV deployment.
The specific steps of the invention include:
Step S1: extend the SDN-MN architecture;
Step S2: obtain the evidence-driven security evaluation mechanism using SDN-MN factors and NFV-based detection;
Step S3: measure the security level of the static network using the attack graph method;
Step S4: obtain the evidence-driven security evaluation algorithm;
Step S5: derive the mechanism for attack mitigation using SDN control and NFV deployment;
Step S6: derive the attack mitigation algorithm.
Specifically, as shown in Fig. 1, the controller in the figure controls not only the SDN switches but also other network devices, including IDSs, firewalls and logging; the switches and network devices in the enhanced SDN-MN architecture of the 5G network have the ability to install virtual network functions (VNFs). This function improves the processor and memory performance of current switches and network devices.
Further, as shown in Fig. 2, besides the common SDN controller components such as the northbound and southbound interfaces, the SDN-MN controller also comprises: a VNF discovery module, a VNF registration module, a virtual network function management module, an SDN-MN control module, an evidence-driven security evaluation module, an attack countermeasure selection module, a network event collection module and SDN components. The VNF registration module maintains the initial registration information of all VNF instances, which includes their functions, cost effects and so on.
The VNF discovery module interacts with the VNF registration module to perform VNF selection and negotiation, so as to select VNF instances matching the required security standard.
The SDN-MN control module collects network information from the control plane and notifies the controller to enforce security policies. The VNF management module collects security events from the VNF instance domain and notifies VNF instances to enforce security policies.
The evidence-driven security module is triggered by attack evidence and measures the current security state from that evidence; when a dangerous situation is identified, it triggers the attack strategy module to decide on a mitigation plan.
The attack strategy module decides on a mitigation plan according to the security strategy sent from the security application.
The network event collection module is responsible for monitoring network defense devices such as IDSs and firewalls, and sends events to the evidence-driven security module.
Various types of VNF instances, such as IDS, firewall and logging, are stored in the SDN-MN controller. A VNF takes the form of binary code or an interpreted-language script. In the proposed switch, in addition to flow table actions, there are also several VNF containers, which take the form of virtual machines or interpreters.
Specifically, as shown in Fig. 3, the SDN-MN controller collects topology and vulnerability information in time; this information, such as connectivity and vulnerabilities, originates mainly at the network nodes. Collecting topology and vulnerability information from the network nodes is therefore easy for the SDN-MN controller, because it plays the role of central control in the network.
Traditional network protection devices and NFV-based network defense devices can detect security events on the network in real time and send them to the SDN controller. The SDN controller measures the current evidence-driven security level using the evidence-driven security evaluation algorithm.
Specifically, as shown in Fig. 4, the current security level of the network is represented by an attack graph. The network attack graph is a 7-tuple directed acyclic graph, in which:
Indicate the finite aggregate of one group of state node, whereinIndicate i-th of state node;
Indicate the set of state when attacker begins to take over, setBelong to set
Indicate the set of target of attack, setBelong to set
Indicate the finite aggregate of set node, whereinIndicate i-th of movement node;
Indicate the finite aggregate on the side of one group of connecting node together, specifically,It is one Side collection indicates that a movement can only consider the side collection for the prerequisite state captured by attacker,It is a side Collection indicates that acts the side collection that attacker may be allowed to capture some other state.In general, use "" and "” Come the premise node and subsequent node indicated.
It indicates when a movement considers its premise whether it is satisfied Conditional probability distribution, whereinIndicate i-th of movement node,It indicatesPremise node;
Indicate the conditional probability distribution that a movement can be carried out successfully, wherein Indicate i-th of movement node,It indicatesSubsequent node.
If an edge exists between two nodes, there is a causal dependency between them, which also expresses the decomposition of each node. AND decomposition means that the compromise of a node implies that all nodes in the superset of that node are also compromised. Similarly, OR decomposition means that at least one parent node is in the true state.
Local condition's probability distribution of state node are as follows: in directed acyclic graph AG,Conditional probability distribution function be,Indicate i-th of state node,It indicatesPremise node, be defined as follows:
A. For AND decomposition
WhenWhen,
WhereinIndicate j-th of movement node,It indicatesPremise node,Expression meets all PartProbability
B. For OR decomposition
WhenWhen,
WhereinIndicate j-th of movement node,It indicatesPremise node,Expression meets any bar PartProbability
Local condition's probability distribution of operation: in AG,Local condition's probability-distribution function, be mathematically equivalent to,Indicate i-th of state node,It indicatesPremise node definition it is as follows:
A. For AND decomposition
WhenWhen,
WhereinIndicate j-th of state node,It indicatesPremise node,Expression meets all PartProbability
B. For OR decomposition
WhenWhen,
WhereinIndicate j-th of state node,It indicatesPremise node,Expression meets any bar PartProbability
The evidence-driven security evaluation algorithm is described in detail as follows:
According to probabilistic method, measures safety and solved with evidence three problems in need.They are how separately to count It calculatesProbabilityWithProbability, and how to calculate the posterior probability of evidence.
Probability of vulnerability exploitation: some researchers use the standard defined in NIST's Common Vulnerability Scoring System (CVSS) to estimate the likelihood of an attack.
In view of the exposure information (CVSS attribute) of the loophole, a given loophole exploitation is being executedWhen,ProbabilityThe calculation method of successful probability is as follows:
In CVSS,Indicate access vector,Indicate the complexity of access, andIndicate certification example.
Probability that the attacker is willing to perform more operations: once an attacker starts attacking the network, he (or she) always wants to do more. This probability is therefore usually a very large value close to 1, and in the invention it is defined as:
Posterior probability and evidence: each network state has a definite probability of occurrence. When certain security events occur, this probability changes within the network.
It enablesThe movement node of some evidences is had observed that for one group,Indicate m-th of satisfaction Observe the movement node of evidence.ThenThe movement node of its probability is determined for some evidences as needed. That is, interested probability is, it is obtained by using Bayes' theorem:
Wherein,WithIt is the existing unconditional probability value of corresponding node.It is Conditional probability when event occurs jointly.
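The evaluation step above (reach probabilities for action and state nodes under AND/OR decomposition, CVSS-derived exploit probabilities, and the Bayesian posterior once evidence is observed) carried through on a constructed toy graph. This is an added example, not code from the patent; the graph, the "p = CVSS v2 exploitability subscore / 10" mapping and the deterministic AND/OR state-node rule are assumptions made here, since the patent text does not give its formulas.

```python
"""Evidence-driven security evaluation over a small attack graph (added example)."""
from itertools import product as cartesian

# CVSS v2 exploitability metric values for access vector (AV), access
# complexity (AC) and authentication (Au). These are the standard CVSS v2 constants.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}


def exploit_probability(av, ac, au):
    """Success probability of one exploit from its CVSS v2 exploitability metrics.

    ASSUMPTION: the patent does not give its formula, so this example uses the
    CVSS v2 exploitability subscore 20*AV*AC*Au (range 0..10) rescaled to 0..1.
    """
    return 20 * AV[av] * AC[ac] * AU[au] / 10


# Constructed toy attack graph (the patent's AG). State nodes (s*) are
# deterministic AND/OR combinations of their parent action nodes; action nodes
# (a*) succeed with probability p only when their precondition states hold.
# Topology:  s0 -> a1 -> s1 -> {a2, a3} -> s2 (target, OR node)
GRAPH = {
    "s0": dict(parents=[], decomp="and", p=1.0),          # attacker's initial foothold
    "a1": dict(parents=["s0"], decomp="and",
               p=exploit_probability("N", "L", "N")),      # web application exploit
    "s1": dict(parents=["a1"], decomp="or", p=1.0),       # user shell on the web host
    "a2": dict(parents=["s1"], decomp="and",
               p=exploit_probability("N", "M", "S")),      # database service exploit
    "a3": dict(parents=["s1"], decomp="and",
               p=exploit_probability("N", "H", "N")),      # reuse of stolen credentials
    "s2": dict(parents=["a2", "a3"], decomp="or", p=1.0),  # root on the DB host (target)
}


def conditional(name, value, assignment):
    """P(node = value | values of its parents) under the AND / OR rules."""
    node = GRAPH[name]
    parent_values = [assignment[p] for p in node["parents"]]
    if node["decomp"] == "and":
        premise = all(parent_values)  # all([]) is True: root nodes are always reachable
    else:
        premise = any(parent_values)
    p_true = node["p"] if premise else 0.0
    return p_true if value else 1.0 - p_true


def joint(assignment):
    """Joint probability of one full assignment (chain rule over the DAG)."""
    prob = 1.0
    for name in GRAPH:  # dict insertion order is a topological order here
        prob *= conditional(name, assignment[name], assignment)
    return prob


def probability(query, evidence=None):
    """P(query = 1 | evidence) by exhaustive enumeration; evidence maps node -> 0/1.

    With empty evidence this is the unconditional 'reach' probability of the
    node; with evidence it is the posterior P(query | E) = P(query, E) / P(E)
    given by Bayes' theorem, as in the patent's posterior step.
    """
    evidence = evidence or {}
    names = list(GRAPH)
    p_joint = p_evidence = 0.0
    for values in cartesian((0, 1), repeat=len(names)):
        assignment = dict(zip(names, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint(assignment)
        p_evidence += p
        if assignment[query]:
            p_joint += p
    return p_joint / p_evidence if p_evidence else 0.0


if __name__ == "__main__":
    print("unconditional (reach) probabilities:")
    for name in GRAPH:
        print(f"  {name}: {probability(name):.4f}")
    # Posterior update once an IDS (an NFV-deployed VNF in the patent's
    # architecture) reports evidence that the web exploit a1 took place.
    print(f"P(s2 | a1 observed)   = {probability('s2', {'a1': 1}):.4f}")
    print(f"P(a2 | s2 compromised) = {probability('a2', {'s2': 1}):.4f}")
```

Because a state node is a deterministic function of its parents, observing a2 makes the target certain, while observing a1 only raises the target probability to the OR of the two remaining actions.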
The mechanism for attack mitigation using SDN control and NFV deployment is described in detail as follows:
Following the evidence-driven attack-graph-based method described above, the SDN-MN controller first registers all VNF instances and decides on an attack mitigation plan by accepting the predefined security strategy.
The SDN-MN controller then obtains the attack mitigation plan and installs VNF instances on the selected network nodes. A VNF can be implemented as binary code or as an interpreted-language script. After these steps are completed, the mobile network can resist the threats and reach a safe state.
Firstly, settingIt is operationAttack alleviate control.AndIt is to reduceThe probability of success factor,It is that control cost is alleviated in deployment attack.Then:
In the present invention, the goal of an attack mitigation plan is to deploy enough attack mitigation mechanisms that all probabilities in the attack graph can be brought below a certain threshold, while ensuring that the cost of the deployed attack mitigation controls is the minimum among all mitigation plans.
Then, it allowsAs movementAttack alleviate control, whereinIt is operationAttack alleviate control,Indicate i-th of state node.One boolean vectorIt indicates Plan is alleviated in one attack, whereinThere are two value True or False,When indicateIt is being used in the works, WhenWhen indicateIt is not used in the works.
Assuming that have P paths to target in attack graph, and T is attack alleviation plan.Threshold value is to carry out attack alleviation plan The maximum value allowed afterwards.Then the probability for capableing of the path of successful attack is.Plan is alleviated in attackTotle drilling cost be.In order to realize that the target of attack alleviation plan, value must obey policy:
,
It is equal to
,
It calculates the smallest
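The constrained optimization just formulated (a boolean vector T selecting mitigation controls, each scaling one action's success probability by a reduction factor at some cost; every one of the P paths must end at or below the threshold; minimise total cost), worked on constructed data. This is an added example, not the patent's code; the actions, controls, factors, costs and paths are invented here, and exhaustive search stands in for whatever solver a deployment would use.

```python
"""Attack-mitigation plan selection as constrained optimisation (added example)."""
from itertools import product as cartesian

# Constructed sample data. Action success probabilities would come from the
# evidence-driven evaluation step (e.g. CVSS-derived); here they are fixed.
ACTIONS = {"a1": 0.9997, "a2": 0.6832, "a3": 0.4928, "a4": 0.85}

# Each mitigation control targets one action, multiplies that action's success
# probability by a reduction factor in (0, 1], and has a deployment cost
# (e.g. the VNF instance that implements it). All values are made up.
MITIGATIONS = {
    "m1": dict(action="a1", factor=0.20, cost=5),  # e.g. WAF VNF in front of the web host
    "m2": dict(action="a2", factor=0.10, cost=8),  # e.g. patch / segment the DB service
    "m3": dict(action="a3", factor=0.30, cost=3),  # e.g. rotate leaked credentials
    "m4": dict(action="a4", factor=0.05, cost=9),  # e.g. block the second entry point
}

# The P attack paths to the target; every action on a path must succeed.
PATHS = [["a1", "a2"], ["a1", "a3"], ["a4", "a3"]]


def action_probability(action, plan):
    """Success probability of one action after the controls selected in plan."""
    p = ACTIONS[action]
    for name, m in MITIGATIONS.items():
        if plan.get(name) and m["action"] == action:
            p *= m["factor"]
    return p


def path_probability(path, plan):
    """Success probability of one attack path under plan T (dict control -> bool)."""
    p = 1.0
    for action in path:
        p *= action_probability(action, plan)
    return p


def plan_cost(plan):
    """Total deployment cost of the controls switched on in plan."""
    return sum(MITIGATIONS[name]["cost"] for name, used in plan.items() if used)


def feasible(plan, threshold):
    """Constraint: every path's success probability is at or below the threshold."""
    return all(path_probability(path, plan) <= threshold for path in PATHS)


def optimal_plan(threshold):
    """Cheapest feasible boolean vector T as (cost, plan), or None if none exists.

    Exhaustive search over all 2^n vectors; fine for a handful of controls.
    The objective (minimum total cost) and constraint (each path at or below
    the threshold) are the ones the patent states; the search method is ours.
    """
    names = list(MITIGATIONS)
    best = None
    for bits in cartesian((False, True), repeat=len(names)):
        plan = dict(zip(names, bits))
        if not feasible(plan, threshold):
            continue
        cost = plan_cost(plan)
        if best is None or cost < best[0]:
            best = (cost, plan)
    return best


if __name__ == "__main__":
    for threshold in (0.5, 0.2, 0.05, 0.001):
        result = optimal_plan(threshold)
        if result is None:
            print(f"threshold {threshold}: no plan can meet it")
            continue
        cost, plan = result
        chosen = [n for n, used in plan.items() if used]
        worst = max(path_probability(p, plan) for p in PATHS)
        print(f"threshold {threshold}: cost {cost}, deploy {chosen}, worst path {worst:.4f}")
```

Lowering the threshold changes which controls are worth their cost: at 0.5 a single control on the shared first step suffices, while at 0.05 every entry point must be covered.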
Specific embodiments of the present invention have been described above. It should be understood that the invention is not limited to the above particular embodiments; those skilled in the art can make various variations or modifications within the scope of the claims without affecting the substance of the invention.

Claims (7)

1. a kind of 5G network multi-level based on SDN and NFV attacks alleviation method, which comprises the steps of:
Step 1: extension SDN-MN framework;
Step 2: according to the SDN-MN framework of extension, be applied SDN-MN and the evidence driving security evaluation based on NFV detection Mechanism;
Step 3: driving the evidence of the new probability of security evaluation mechanism and generation to drive attack graph quiet to measure by the evidence The security level of state network;
Step 4: by evidence drive security evaluation mechanism in security evaluation algorithm calculate state node probability in attack graph, Act node probability and posterior probability;
Step 5: attacking alleviation mechanism, and the security level for driving attack graph to obtain by evidence using SDN control and NFV deployment Plan is alleviated in the corresponding attack of deployment.
2. The multi-level attack mitigation method for 5G networks based on SDN and NFV according to claim 1, characterised in that Step 1 comprises:
Step 1.1: build a hardened SDN-MN controller; wherein:
the hardened SDN-MN controller comprises a VNF discovery module, a VNF registration module, a VNF management module, an SDN-MN control module, an evidence-driven security module, an attack strategy module, a network event collection module and SDN components;
the VNF registration module maintains the initial registration information of all VNF instances, the registration information including function and cost effect;
the VNF discovery module interacts with the VNF registration module to perform VNF selection and negotiation, so as to select the VNF instance that matches the security requirement;
the SDN-MN control module collects network information from the control plane and notifies the controller to execute the security policy;
the VNF management module collects security events from the VNF instance domain and notifies the VNF instances to execute the security policy;
the evidence-driven security module is triggered by attack evidence and uses that evidence to measure the current security state; when a dangerous situation is identified, it triggers the attack strategy module to decide on a mitigation plan;
the attack strategy module decides on the mitigation plan according to the security strategy sent from the security application;
the network event collection module is responsible for monitoring the network defence devices, including IDS and firewalls, and sends their events to the evidence-driven security module;
the SDN components are the basic configuration of the hardened SDN-MN controller, used for storage, route computation and topology discovery;
Step 1.2: connect the hardened SDN-MN controller to the switches through the northbound interface or the southbound interface; in addition to the underlying forwarding plane, the switches also contain multiple VNF containers, in the form of virtual machines or interpreters.
3. The multi-level attack mitigation method for 5G networks based on SDN and NFV according to claim 2, characterised in that Step 2 comprises:
Step 2.1: the hardened SDN-MN controller collects topology and vulnerability information from the network nodes;
Step 2.2: the hardened SDN-MN controller generates the current attack graph from the collected topology and vulnerability information;
Step 2.3: security events are detected by the NFV-based network defence devices;
Step 2.4: the hardened SDN-MN controller generates the corresponding evidence-driven security assessment mechanism from the current attack graph and the security events.
4. The multi-level attack mitigation method for 5G networks based on SDN and NFV according to claim 3, characterised in that Step 3 comprises:
Step 3.1: the hardened SDN-MN controller measures the current evidence-driven security level with the evidence-driven security assessment mechanism obtained in Step 2.4;
Step 3.2: the hardened SDN-MN controller measures the security level of the static network with the probabilities obtained from the evidence-driven attack graph.
5. The multi-level attack mitigation method for 5G networks based on SDN and NFV according to claim 4, characterised in that Step 4 comprises: computing, with the security assessment algorithm of the evidence-driven security assessment mechanism, the state-node probabilities, action-node probabilities and posterior probabilities in the attack graph; specifically (the formulas referred to below are not reproduced on this page),
the local conditional probability distribution of a state node is: in the directed acyclic graph AG, the conditional probability distribution function of the i-th state node is expressed over its premise nodes and is defined as follows:
A. for AND decomposition,
when the premise condition holds, the distribution is given by the AND formula, in which the j-th action node and its premise nodes appear, and which evaluates to the probability that all conditions are satisfied;
B. for OR decomposition,
when the premise condition holds, the distribution is given by the OR formula, in which the j-th action node and its premise nodes appear, and which evaluates to the probability that any one condition is satisfied;
the local conditional probability distribution of an action node is: in the directed acyclic graph AG, the local conditional probability distribution function of the i-th action node is expressed over its premise nodes and is defined as follows:
A. for AND decomposition,
when the premise condition holds, the distribution is given by the AND formula, in which the j-th state node and its premise nodes appear, and which evaluates to the probability that all conditions are satisfied;
B. for OR decomposition,
when the premise condition holds, the distribution is given by the OR formula, in which the j-th state node and its premise nodes appear, and which evaluates to the probability that any one condition is satisfied;
the security assessment algorithm is described in detail as follows:
to measure security with evidence, the probability of reaching an action node and the probability of reaching a state node are computed separately, and the posterior probability given the evidence is computed;
the probability of reaching an action node is computed from the formula in which, following the Common Vulnerability Scoring System (CVSS) used by NIST, the three terms denote the access vector, the access complexity and the authentication metric of the vulnerability exploited by the action;
the probability of reaching a state node is set to a value close to 1, usually a very large value;
posterior probability and evidence: each network state has a determined probability of occurrence; when certain security events occur, the posterior probabilities in the network model change;
let a set of action nodes at which evidence has been observed be given, with the m-th element denoting the m-th action node that satisfies the observed evidence, and let a further action node denote the node whose probability is to be determined from the evidence, i.e. whose posterior probability is solved for; it is computed by the posterior formula,
in which one term denotes the existing unconditional probability of the set of action nodes with observed evidence, another the existing unconditional probability of the corresponding node, and a third the conditional probability of the events occurring jointly.
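The probability computation of claim 5, as an added worked example; this is code written for this page, not the patent's own. The page names the CVSS access vector, access complexity and authentication metrics but does not reproduce the mapping to an action probability, so the normalised CVSS v2 exploitability subscore (20·AV·AC·Au scaled to [0, 1]) is assumed here. The state-node reach probability STATE_REACH, the node names (s0…s3, a1…a5), the sample topology and the observed-evidence node are all constructed for the example. Marginals and posteriors are computed by exact enumeration of the joint distribution over the directed acyclic graph, which is adequate for a few dozen nodes and makes the posterior update transparent.

```python
"""Evidence-driven attack-graph scoring (example written for this page).

The graph is a DAG of state nodes (conditions an attacker holds) and action
nodes (exploit steps).  Every node is AND- or OR-decomposed over its premise
nodes; an action node additionally carries an exploit-success probability
derived from CVSS metrics, and a state node is reached with probability
STATE_REACH (the page says "a value close to 1") once its condition holds.
"""
from itertools import product

# CVSS v2 exploitability metric values.  Assumption: the patent names the
# AV/AC/Au metrics but its exact mapping to a probability is not reproduced on
# the page, so the normalised v2 exploitability subscore is used here.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # authentication

STATE_REACH = 1.0  # probability of reaching a state once its condition holds


def action_prior(av, ac, au):
    """Assumed mapping: CVSS v2 exploitability (20*AV*AC*Au) scaled to [0, 1]."""
    return 20.0 * AV[av] * AC[ac] * AU[au] / 10.0


def node(kind, mode="and", premises=(), p=None):
    """kind: 'state' or 'action'; mode: 'and'/'or' over premises; p: success prob."""
    return {"kind": kind, "mode": mode, "premises": tuple(premises), "p": p}


def condition_met(n, assignment):
    """AND/OR decomposition of a node over its premise nodes (roots: always met)."""
    if not n["premises"]:
        return True
    values = [assignment[q] for q in n["premises"]]
    return all(values) if n["mode"] == "and" else any(values)


def joint(graph, assignment):
    """Joint probability of one complete True/False assignment to all nodes."""
    prob = 1.0
    for name, n in graph.items():
        if condition_met(n, assignment):
            p_true = n["p"] if n["kind"] == "action" else STATE_REACH
        else:
            p_true = 0.0          # unmet premises: the node cannot be reached
        prob *= p_true if assignment[name] else 1.0 - p_true
        if prob == 0.0:
            break
    return prob


def probability(graph, query, evidence=None):
    """P(query = True | evidence); evidence maps node names to observed values.

    With no evidence this is the unconditional (prior) probability of the node;
    with evidence it is the posterior P(query, evidence) / P(evidence).
    """
    evidence = evidence or {}
    names = list(graph)
    p_joint = p_evidence = 0.0
    for values in product((False, True), repeat=len(names)):
        a = dict(zip(names, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue
        w = joint(graph, a)
        p_evidence += w
        if a[query]:
            p_joint += w
    return p_joint / p_evidence if p_evidence else 0.0


# Constructed sample graph (illustrative, not taken from the patent): an
# attacker on the Internet (s0) aims at exfiltrating a database (s3).
SAMPLE = {
    "s0": node("state"),                                                   # on the Internet
    "a1": node("action", "and", ["s0"], action_prior("N", "M", "N")),      # web RCE
    "s1": node("state", "or", ["a1"]),                                     # shell on web host
    "a2": node("action", "and", ["s1"], action_prior("A", "L", "S")),      # weak SSH creds
    "a3": node("action", "and", ["s1"], action_prior("A", "H", "N")),      # DB service bug
    "s2": node("state", "or", ["a2", "a3"]),                               # shell on DB host
    "a4": node("action", "and", ["s2"], action_prior("L", "L", "S")),      # dump database
    "a5": node("action", "or", ["s1", "s2"], action_prior("N", "L", "N")), # exfil channel
    "s3": node("state", "and", ["a4", "a5"]),                              # data exfiltrated
}

if __name__ == "__main__":
    prior = probability(SAMPLE, "s3")
    # Evidence from an NFV-hosted IDS: the SSH step a2 was observed succeeding.
    posterior = probability(SAMPLE, "s3", {"a2": True})
    print(f"P(s3) = {prior:.4f}   P(s3 | a2 observed) = {posterior:.4f}")
```

Observing a2 makes s1 and s2 certain, so the posterior of the target s3 rises to the product of the remaining steps' probabilities; that jump is the "security level by evidence" the controller reacts to. Enumeration is exponential in the node count, so a production implementation would use variable elimination or a Bayesian-network library instead of `product` over all assignments.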
6. The multi-level attack mitigation method for 5G networks based on SDN and NFV according to claim 5, characterised in that Step 5 comprises:
Step 5.1: the hardened SDN-MN controller decides on the attack mitigation plan according to the security policies predefined in all VNF instances;
Step 5.2: the hardened SDN-MN controller obtains the attack mitigation plan and installs VNF instances on the selected network nodes, where a VNF may be implemented as binary code or as an interpreted script;
Step i: deploy the attack mitigation plan such that every path probability in the attack graph is brought below the given threshold.
7. The multi-level attack mitigation method for 5G networks based on SDN and NFV according to claim 6, characterised in that Step i comprises (the formulas referred to below are not reproduced on this page):
Step i1: let the attack mitigation mechanism of an action be given, together with the factor by which it reduces the success probability of that action and the cost of deploying the attack mitigation control; the following formula is then obtained,
in which the term of interest denotes the conditional probability of the action given that its attack mitigation mechanism is in place;
a symbol is assigned to the attack mitigation mechanism of each action, i.e. the mechanism for the operation that leads to the i-th state node; a Boolean vector represents one attack mitigation plan, each of whose elements takes one of the two values True or False, where True indicates that the corresponding mechanism is used in the plan and False that it is not;
assume that there are P paths to the target in the attack graph and that T is an attack mitigation plan; the success probability of the i-th path and the total cost of the plan T are given by their formulas, and to achieve the goal of the attack mitigation plan the following policy must be obeyed, which is equivalent to a second formulation,
in which one term denotes the difference between the success probability of the i-th path and the Threshold, another denotes that there are P paths to the target in the attack graph, and Threshold is the threshold, i.e. the maximum value allowed after the attack mitigation plan is applied;
the smallest value of the objective is computed, and the corresponding attack mitigation plan T is the optimal attack mitigation plan.
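The plan-selection step of claim 7 and of the description's closing paragraph, as an added worked example; this is code written for this page, not the patent's own. The page does not reproduce the patent's objective or the reduction formula, so three things are assumed here: a control multiplies its action's success probability by a fixed factor, a path's success probability is the product of its steps' probabilities (independent steps), and the optimal plan is the cheapest Boolean vector that keeps every path's success probability at or below the Threshold, with ties broken by the lower residual worst-path probability. The action names, controls, probabilities, factors, costs and paths are constructed values.

```python
"""Attack-mitigation plan selection (example written for this page).

Each action node has a success probability and one candidate mitigation
control; switching the control on multiplies the action's success probability
by a reduction factor and incurs a deployment cost.  A plan is a Boolean
vector over the controls.  The plan is valid when every attack path's success
probability is at or below the threshold, and the optimal plan is the valid
one with the lowest total cost (assumed objective; the page does not
reproduce the patent's formula).
"""
from itertools import product

# Constructed sample (illustrative values, not from the patent).
ACTIONS = {
    "a1": {"p": 0.86, "control": "patch web server RCE",              "factor": 0.05, "cost": 3.0},
    "a2": {"p": 0.51, "control": "disable SSH password login",        "factor": 0.10, "cost": 1.0},
    "a3": {"p": 0.32, "control": "virtual-patch DB via NFV WAF",      "factor": 0.20, "cost": 2.0},
    "a4": {"p": 0.31, "control": "DB egress filter via SDN flow rule", "factor": 0.30, "cost": 1.0},
}
# Attack paths to the target, each a sequence of action nodes.
PATHS = [("a1", "a2", "a4"), ("a1", "a3", "a4")]


def path_probability(path, plan, actions=ACTIONS):
    """Success probability of one path under a plan.

    Assumption: the steps succeed independently, so the path probability is
    the product of the (possibly mitigated) step probabilities.
    """
    prob = 1.0
    for step in path:
        p = actions[step]["p"]
        if plan.get(step, False):
            p *= actions[step]["factor"]    # control in use: reduced success
        prob *= p
    return prob


def plan_cost(plan, actions=ACTIONS):
    """Total deployment cost of the controls switched on in the plan."""
    return sum(actions[a]["cost"] for a, used in plan.items() if used)


def select_plan(threshold, actions=ACTIONS, paths=PATHS):
    """Cheapest plan keeping every path at or below the threshold, or None.

    Ties on cost are broken by the lower residual worst-path probability.
    Exhaustive over the 2^n Boolean vectors, fine for a handful of controls;
    a larger control catalogue would call for an ILP or greedy solver.
    """
    names = list(actions)
    best = None
    for bits in product((False, True), repeat=len(names)):
        plan = dict(zip(names, bits))
        worst = max(path_probability(path, plan, actions) for path in paths)
        if worst > threshold:
            continue                        # violates the policy
        key = (plan_cost(plan, actions), worst)
        if best is None or key < best[0]:
            best = (key, plan)
    if best is None:
        return None
    (cost, worst), plan = best
    return {"plan": plan, "cost": cost, "max_path_probability": worst}


if __name__ == "__main__":
    for threshold in (0.05, 0.01, 0.001):
        result = select_plan(threshold)
        if result is None:
            print(f"threshold {threshold}: no feasible plan")
            continue
        used = [ACTIONS[a]["control"] for a, on in result["plan"].items() if on]
        print(f"threshold {threshold}: cost {result['cost']}, "
              f"worst path {result['max_path_probability']:.4g}, controls {used}")
```

Lowering the Threshold shifts the cheapest valid plan from the single shared downstream control (the egress rule on a4) to the shared upstream one (patching a1) and finally to a combination covering both branches, which is the trade-off the controller resolves before pushing flow rules and VNF instances; when no vector satisfies the policy the function returns None rather than a partial plan, so the caller can fall back to a stricter or broader control catalogue.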
CN201511002737.8A 2015-12-28 2015-12-28 5G network multi-level based on SDN and NFV attacks alleviation method Active CN105516177B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511002737.8A CN105516177B (en) 2015-12-28 2015-12-28 5G network multi-level based on SDN and NFV attacks alleviation method

Publications (2)

Publication Number Publication Date
CN105516177A CN105516177A (en) 2016-04-20
CN105516177B true CN105516177B (en) 2019-02-22

Family

ID=55723813

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3111506A1 (en) * 2020-06-19 2021-12-17 Orange System and method for monitoring at least a slice of a communications network
FR3111505A1 (en) * 2020-06-19 2021-12-17 Orange System and method for monitoring at least one slice of a communications network using a confidence index assigned to the slice of the network
WO2021255400A1 (en) * 2020-06-19 2021-12-23 Orange Monitoring of at least one section of a communications network using a confidence index assigned to the section of the network

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107135221B (en) * 2017-05-10 2020-05-05 上海海事大学 Method for progressively solving K maximum probability attack path
CN109818762B (en) * 2017-11-20 2022-03-08 中国电信股份有限公司 Method, adapter and system for realizing automatic registration of SDN controller
CN108737213B (en) * 2018-05-22 2020-06-09 中国电子科技集团公司第四十一研究所 High-parallelism and high-throughput penetration test system and method based on FPGA
CN110868376A (en) * 2018-11-29 2020-03-06 北京安天网络安全技术有限公司 Method and device for determining vulnerable asset sequence in network environment
CN109743261B (en) * 2019-01-07 2020-10-30 中国人民解放军国防科技大学 SDN-based container network resource scheduling method
CN112904817B (en) * 2021-01-19 2022-08-12 哈尔滨工业大学(威海) Global safety detection system for intelligent manufacturing production line and working method thereof
CN115001831B (en) * 2022-06-09 2023-04-07 北京交通大学 Method and system for dynamically deploying network security service based on malicious behavior knowledge base

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104125214A (en) * 2014-06-30 2014-10-29 北京邮电大学 Security architecture system for realizing software definition security and security controller
CN104202264A (en) * 2014-07-31 2014-12-10 华为技术有限公司 Carrying resource allocation method for clouded data center network, device and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Research on SDN Security Protection Technology" (《SDN安全防护技术研究》); Tao Ye (陶冶); Telecommunications Technology (《电信技术》); 2015-06-30 (No. 6); full text
"Security for Future Software Defined Mobile Networks"; Liyanage; Web of Science; 2015-09-23 (No. 9); full text

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant