CN115225412A - Cloud-edge access control system - Google Patents


Info

Publication number
CN115225412A
Authority
CN
China
Prior art keywords
sdp
population
edge
access
cloud
Prior art date
Legal status
Granted
Application number
CN202211140381.4A
Other languages
Chinese (zh)
Other versions
CN115225412B (en)
Inventor
邱日轩
何群
刘兴
孙欣
付俊峰
李路明
杨济海
汪一波
周欣
Current Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC and Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Priority to CN202211140381.4A
Publication of CN115225412A
Application granted; publication of CN115225412B
Legal status: Active

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L41/14 Network analysis or design
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/1458 Countermeasures against malicious traffic: Denial of Service
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a cloud-edge access control system. The system comprises an identity authentication module, an access policy module, an intrusion detection module and an SDP controller number updating module. (1) The SDP protects the cloud from the edge by authorizing only authenticated edge devices to access services in the cloud; (2) at the same time, SDN is introduced to host the application programs the SDP needs, so that they are managed and orchestrated centrally, network resources are optimized and the network can be adjusted rapidly; (3) because the number of SDP controllers is one of the most important scalability problems of fog computing, the invention provides a main/sub-population cooperative non-dominated sorting genetic algorithm II (MsPop-NSGAII) that optimizes the software-defined perimeter and determines the optimal number of SDP controllers, so as to reduce cost and the delay between each edge device and its controller while improving network reliability.

Description

Cloud-edge access control system
Technical Field
The invention belongs to the field of perimeterless cloud-edge access control, and particularly relates to a cloud-edge access control system.
Background
In recent years the Internet of Things has developed rapidly: electronic equipment, mobile terminals, household appliances and the like are all interconnected, and the Internet of Things is gradually becoming a driving force of social development, but it brings new challenges to cloud security and cloud load. Cloud computing can offload work to the edge, which greatly improves processing efficiency and reduces the workload of the cloud, but this also raises security problems:
1. in a fog computing environment there are many network edge devices, so an attacker can impersonate an edge device by eavesdropping on the data transmission channel and launch a DDoS attack against services in the cloud, paralysing the network;
2. traditional security systems are based on perimeter isolation, which is difficult to reconcile with the open sharing that fog computing requires;
3. fog computing traffic is huge, managing a traditional IP network is tedious, and the demands on technical staff are high.
Disclosure of Invention
In order to solve the security problems caused by fog computing, the invention provides an access control method based on a software-defined perimeter (SDP) to supplement fog computing and provide additional security for the cloud. The SDP uses network cloaking to ensure that only legitimate identities can gain access, without distinguishing between internal and external networks; at the same time the application programs the SDP needs are hosted, managed and orchestrated centrally, network resources are optimized and the network is adjusted quickly. Because the number of SDP controllers is one of the most important scalability problems of fog computing, the invention further provides a main/sub-population cooperative non-dominated sorting genetic algorithm II (MsPop-NSGAII) that optimizes the software-defined perimeter and determines the optimal number of SDP controllers, reducing cost and the delay between each edge device and its controller while improving network reliability.
The invention provides a cloud-edge access control system. In the system the SDP protects the cloud from the edge by authorizing only edge devices that have passed identity verification to access services in the cloud. At the same time a preset dynamic authorization program, an identity management program, an intrusion detection program and an SDP controller number updating program are deployed in the SDN application layer to help the SDP maintain access security, improve the scalability of the applications and simplify the network; the programs of the SDN application layer are managed by the enterprise, which thereby gains control of the network. The components of the SDN and SDP are connected through a switch.
The cloud-edge access control system comprises an identity authentication module, an access policy module, an intrusion detection module, an SDP controller number updating module and a database:
the identity authentication module authenticates the edge device: when an edge device applies for access to the cloud, the SDP controller verifies the identity of the device through the identity management program of the SDN application layer;
the access policy module evaluates the trust level of the edge device, formulates a corresponding access policy, and limits the operations available, the services accessible and the access time after the edge device enters the cloud; once the identity authentication module has authenticated the identity, this is carried out by the dynamic authorization program preset in the SDN application layer;
once the access policy has been specified, the edge device establishes an mTLS connection with the cloud through the SDP gateway to access services; after the connection is established the dynamic authorization program collects the device's behaviour, continuously re-evaluates its trust level and issues corresponding instructions, including lowering or raising its access rights.
The intrusion detection module is implemented by the intrusion detection program of the SDN application layer and runs continuously for the whole access period;
the SDP controller number updating module updates the number of SDP controllers: too few SDP controllers are easily congested, too many waste resources. The module is implemented by the SDP controller number updating program of the SDN application layer, which has the MsPop-NSGAII algorithm built in and periodically updates the number of SDP controllers;
the database stores a device information table accessed by all modules, holding at least the device information (primary key), encryption certificate, keys and trust value of each device.
Further, the identity authentication module performs the following steps:
(1) The edge device sends a single SPA (single packet authorization) packet to the SDN switch to request access, and the identity management program in the SDN application layer verifies whether the SPA packet is legitimate;
(2) if it is legitimate, the SDN controller is called to issue a flow table entry [switch -> SDP controller] to the SDN switch, and the SDN switch forwards the packet to the SDP controller according to that entry; if the packet is illegitimate, the dynamic authorization program is called to lower the trust value of the sending device, and the packet is discarded;
(3) on receiving the SPA packet the SDP controller checks whether the encryption certificate in the packet is empty; an empty certificate means the edge device is newly added, so the SDP controller issues a certificate to it, calls the dynamic authorization program to initialize its trust value, and updates the device information table.
Further, the access policy module performs the following steps:
(1) When the SPA packet reaches the SDP controller, authentication has passed and the dynamic authorization program is triggered automatically; it takes the encryption certificate of the edge device as input, outputs the device's access rights, and packages them into a permission packet;
(2) the SDN controller is called to issue a flow table entry [SDP controller -> SDP gateway], the SDN switch forwards the permission packet from the SDP controller to the SDP gateway, and the SDP gateway configures firewall rules according to the packet, allowing the edge device to access the cloud and limiting the operations available, the services accessible and the access time after it enters the cloud.
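The admission path of the two modules above, written out as an added example; it is not the patent's code and not the OpenSDP implementation the patent is tested with. It assumes a JSON SPA packet authenticated by HMAC-SHA256 over the device id, a timestamp and a nonce under a pre-shared key; the trust thresholds, the permission tiers and the rule strings that stand in for flow table entries and firewall rules are assumptions as well. The SDN switch and the gateway are not modelled; the controller only records the entries it would have the SDN controller install.

```python
"""SPA admission and dynamic authorization at the SDP controller.

Added example: not the patent's code and not the OpenSDP project it is tested with.
The SPA packet layout (JSON with device id, timestamp, nonce and an HMAC-SHA256 tag
over those three fields under a pre-shared key), the trust thresholds, the permission
tiers and the rule strings standing in for flow table entries and firewall rules are
all assumptions made for this example.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class DeviceRecord:
    """One row of the device information table (assumed columns)."""
    device_id: str
    spa_key: bytes          # pre-shared key that authenticates the SPA packet
    certificate: str = ""   # empty until the SDP controller issues one
    trust: float = 0.0


def make_spa(device_id, key, ts, nonce):
    """Edge-device side: build the single SPA packet."""
    body = {"device_id": device_id, "ts": ts, "nonce": nonce}
    msg = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return json.dumps(body).encode()


class AccessController:
    """Identity management program plus dynamic authorization program (assumed logic)."""
    TRUST_INIT = 0.5       # trust given to a newly certified device
    TRUST_PENALTY = 0.1    # taken off for every rejected packet or observed anomaly
    SPA_WINDOW = 30        # seconds of clock skew tolerated before a packet is stale

    def __init__(self, table, now):
        self.table = {d.device_id: d for d in table}
        self.now = now               # clock callable, injected to keep the example deterministic
        self.seen_nonces = set()     # replay protection for SPA packets
        self.flow_rules = []         # entries the SDN controller would push to the switch

    def verify_spa(self, raw):
        """Step (1): the device if the SPA packet is legitimate, else None.

        A bad packet from a known device lowers that device's trust (step (2),
        illegitimate branch); the packet is dropped either way."""
        try:
            pkt = json.loads(raw)
            dev = self.table[pkt["device_id"]]
            body = {"device_id": dev.device_id, "ts": int(pkt["ts"]), "nonce": str(pkt["nonce"])}
        except (ValueError, KeyError, TypeError):
            return None              # malformed packet or unknown device
        msg = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(dev.spa_key, msg, hashlib.sha256).hexdigest()
        legit = (hmac.compare_digest(tag, str(pkt.get("mac", "")))
                 and abs(self.now() - body["ts"]) <= self.SPA_WINDOW
                 and body["nonce"] not in self.seen_nonces)
        if not legit:
            dev.trust = max(0.0, dev.trust - self.TRUST_PENALTY)
            return None
        self.seen_nonces.add(body["nonce"])
        return dev

    def authorize(self, dev):
        """Dynamic authorization: certificate and trust in, permission packet out."""
        if dev.trust >= 0.8:
            services, ops = ["telemetry", "control"], ["read", "write"]
        elif dev.trust >= 0.5:
            services, ops = ["telemetry"], ["read"]
        else:
            return {"device_id": dev.device_id, "allow": False}
        return {"device_id": dev.device_id, "allow": True, "certificate": dev.certificate,
                "services": services, "ops": ops, "expires": self.now() + 600}

    def request_access(self, raw):
        """Whole admission path for one SPA packet; None means it was discarded."""
        dev = self.verify_spa(raw)
        if dev is None:
            return None
        self.flow_rules.append(("switch", "sdp_controller", dev.device_id))  # step (2)
        if not dev.certificate:                                              # step (3)
            dev.certificate = "cert-%s-%s" % (dev.device_id, secrets.token_hex(4))
            dev.trust = self.TRUST_INIT
        perms = self.authorize(dev)
        if perms["allow"]:
            self.flow_rules.append(("sdp_controller", "sdp_gateway", dev.device_id))
        return perms

    def observe(self, device_id, anomalous):
        """Continuous evaluation during the mTLS session: adjust trust, re-issue permissions."""
        dev = self.table[device_id]
        dev.trust = (max(0.0, dev.trust - self.TRUST_PENALTY) if anomalous
                     else min(1.0, dev.trust + 0.05))
        return self.authorize(dev)


def gateway_rules(perms):
    """SDP gateway: turn a permission packet into firewall rules (default deny)."""
    if not perms or not perms.get("allow"):
        return ["deny any"]
    return ["allow %s -> %s ops=%s until=%d"
            % (perms["device_id"], svc, ",".join(perms["ops"]), perms["expires"])
            for svc in perms["services"]]
```

The nonce set and the time window are what make the "single packet" safe to accept from an otherwise dark port: a captured SPA packet replayed later fails on the nonce, a delayed one fails on the window, and either failure costs the impersonated device trust, so a flood of forged packets drives the device below the authorization threshold rather than opening the gateway.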
Further, in the SDP controller number updating module, in order to reduce cost, reduce delay and improve network security, the number of SDP controllers is periodically updated according to the number of edge devices. The problem is modelled as a multi-objective optimization model as follows (the formulas are images in the source and are not reproduced here):
step 1: for each edge device U_i and each SDP controller S_j, define a tuple [equation image] whose elements are: whether U_i and S_j are connected; the connection cost between U_i and S_j; the probability that S_j is honest; and the delay between U_i and S_j;
step 2: require that the number of SDP controllers is at most the number of edge devices and that each edge device is connected to exactly one SDP controller, which defines the constraint [equation image], where m is the number of SDP controllers and n is the number of edge devices;
step 3: calculate the total delay L of all edge-device to SDP-controller connections [equation image];
step 4: calculate the total connection cost C of all edge devices and SDP controllers [equation image];
step 5: an SDP controller may behave dishonestly and issue incorrect instructions, so the security A of the SDP controllers is defined as [equation image];
step 6: the objective is to minimize cost, minimize delay and maximize security; the decision variable is the number of SDP controllers m, the number of edge devices n is a parameter, and the functions of steps 2 to 5 are combined into a multi-objective optimization problem [equation image].
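A worked evaluation of the model in steps 1 to 6, added here as an example; it is not the patent's code. Because the formulas are images in the source, the concrete forms of L, C and A are assumptions: L sums the delays of the connected pairs, C sums their connection costs, and A is the mean honesty probability of the controller serving each device. Devices are attached greedily to the lowest-delay controller among the first m candidates, the decision variable m is swept from 1 to n, and the non-dominated values of m are reported. The cost, delay and honesty tables are constructed for the example.

```python
"""Objective evaluation for the SDP-controller-count model of steps 1 to 6.

Added example, not the patent's code. The patent's formulas are images, so the
objective forms are assumptions: L is the sum of delays over connected pairs,
C is the sum of connection costs over connected pairs, and A is the mean honesty
probability of the controller serving each edge device (the chance that a random
device is attached to an honest controller). Devices are attached greedily to the
lowest-delay controller among the first m candidate controllers; the sample cost,
delay and honesty tables are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pair:
    """Tuple kept for each edge device U_i and SDP controller S_j (step 1)."""
    x: int      # 1 if U_i is attached to S_j, otherwise 0
    c: float    # connection cost of (U_i, S_j)
    p: float    # probability that S_j is honest
    l: float    # delay between U_i and S_j


# Constructed sample data: 4 edge devices, 3 candidate SDP controllers.
DELAY = [[10, 30, 5], [12, 6, 40], [25, 8, 30], [9, 35, 20]]      # delay of (U_i, S_j)
COST = [[2, 3, 5], [2, 1, 4], [3, 1, 3], [1, 4, 2]]               # cost of (U_i, S_j)
HONEST = [0.99, 0.995, 0.90]                                      # honesty of S_j


def build_pairs(assign, cost, delay, honest):
    """assign[i] is the index of the controller serving U_i (or -1 if none)."""
    return [[Pair(int(assign[i] == j), cost[i][j], honest[j], delay[i][j])
             for j in range(len(honest))] for i in range(len(assign))]


def feasible(pairs, m, n):
    """Step 2: m <= n, and every edge device is attached to exactly one controller."""
    return m <= n and all(sum(q.x for q in row) == 1 for row in pairs)


def objectives(pairs):
    """Steps 3 to 5 as the vector F = (L, C, -A), every entry to be minimised."""
    L = sum(q.l for row in pairs for q in row if q.x)
    C = sum(q.c for row in pairs for q in row if q.x)
    A = sum(q.p for row in pairs for q in row if q.x) / len(pairs)
    return (L, C, -A)


def greedy_assignment(delay, m):
    """Attach each device to its lowest-delay controller among S_0..S_{m-1}."""
    return [min(range(m), key=lambda j: row[j]) for row in delay]


def sweep_controller_count(cost, delay, honest):
    """Step 6: evaluate F for every admissible controller count m (the decision variable)."""
    n = len(delay)
    results = {}
    for m in range(1, min(n, len(honest)) + 1):
        pairs = build_pairs(greedy_assignment(delay, m), cost, delay, honest)
        if feasible(pairs, m, n):
            results[m] = objectives(pairs)
    return results


def dominates(f, g):
    """f dominates g if it is no worse in every objective and better in at least one."""
    return all(a <= b for a, b in zip(f, g)) and any(a < b for a, b in zip(f, g))


def pareto_optimal(results):
    """Controller counts whose objective vectors no other count dominates."""
    return sorted(m for m, f in results.items()
                  if not any(dominates(g, f) for k, g in results.items() if k != m))


if __name__ == "__main__":
    res = sweep_controller_count(COST, DELAY, HONEST)
    for m, (L, C, negA) in res.items():
        print("m=%d  L=%g  C=%g  A=%.4f" % (m, L, C, -negA))
    print("Pareto-optimal controller counts:", pareto_optimal(res))
```

On the sample data a single controller is dominated (two controllers cut both delay and cost while the second controller is more trustworthy than the first), whereas two and three controllers trade delay against cost and security, which is exactly the situation in which a Pareto method rather than a hand-picked m is needed.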
the MsPop-NSGAII algorithm is an improvement on the NSGA-II algorithm. In order to solve the multi-objective optimization problem, an NSGA-II algorithm which is low in calculation complexity, high in running speed and good in solution uniformity and diversity is selected and used. However, since the multi-objective optimization problem has constraints, it faces the search imbalance problem between feasible domain and infeasible domain, which needs better trade-off between convergence, diversity and feasibility. In order to solve the problem, the invention provides a new Mspop-NSGAII algorithm, a main population and a sub-population in the algorithm are subjected to collaborative evolution, a search space is expanded, and the pareto optimal is finally achieved, wherein the method comprises the following steps:
step 1: randomly initializing the same main population Mq and sub-population Sq, setting the population size to be N, and setting the maximum evolutionary algebra maxg;
step 2: updating fitness vectors of the main population Mq and the sub-population Sq, i.e. the multi-objective function value vector F (q) i )={L(q i ),C(q i ),-A(q i )},q i Is the first of the populationiSolving;
and step 3: traversing the Mq of the main population, and modifying the infeasible solution Mq by using the self-adaptive penalty function i The fitness of (2):
Figure 490607DEST_PATH_IMAGE011
wherein
Figure 98306DEST_PATH_IMAGE012
Is an infeasible solution mq i At the maximum value of each of the objective functions,mq i is the first of the main populationiSolving;
and 4, step 4: traversing the sub-population Sq, and modifying the infeasible solution Sq by adopting a feasibility guide method i The fitness of (2):
Figure 275209DEST_PATH_IMAGE013
wherein
Figure 728187DEST_PATH_IMAGE014
Is the maximum value in each objective function in the current sub-population,sq i is the first of a sub-populationiSolving;
and 5: the main population Mq is subjected to non-dominated sorting aiming at convergence characteristics and sorted according to objective function values;
step 6: the sub-population Sq is ordered with respect to diversity characteristics, whose diversity is measured by the crowding distance:
Figure 306936DEST_PATH_IMAGE015
wherein L is p (. Is) L p Norm, p is set to 1/3, which provides higher contrast between the farthest and nearest neighbors;
and 7: combining the two groups, selecting a mating pool with the size of N by a binary tournament method, combining the two populations Mq and Sq with the mating pool into a new population with the size of 2N, respectively selecting, crossing and mutating, finally selecting the first N individuals as offspring populations according to respective sequencing rules, and updating an evolution counter;
and 8: and if the maximum evolution algebra is reached, outputting the main population Mq, otherwise, turning to the step 2.
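The ranking and selection steps 3 to 7, added here as an example that is not the patent's code. It operates on fitness vectors F(q) = (L, C, -A) and a per-solution constraint violation, so no controller model is required. The penalty forms are assumptions (the formulas are images in the source): the main population's adaptive penalty adds violation x (share of infeasible solutions) x (objective range) to each objective, and the sub-population's feasibility guide moves an infeasible solution past the sub-population maximum by its violation amount. The crowding distance combines the normalised neighbour gaps in each objective with the L_p formula at p = 1/3. The sample vectors and violations are constructed.

```python
"""Ranking and selection steps (3 to 7) of MsPop-NSGAII on objective vectors.

Added example, not the patent's code. It works on fitness vectors F(q) = (L, C, -A)
and one constraint-violation amount per solution. The patent's formulas are images,
so the penalty forms are assumptions: the main population's adaptive penalty adds
violation x (share of infeasible solutions) x (objective range) to each objective,
and the sub-population's feasibility guide moves an infeasible solution beyond the
sub-population maximum by its violation. Crowding distance combines the normalised
neighbour gaps of each objective with an L_p formula at p = 1/3. Sample data is
constructed for the example.
"""
import random

# Constructed sample: six solutions with objective vectors (L, C, -A) and violations.
F_SAMPLE = [(56, 8, -0.99), (33, 5, -0.9925), (28, 8, -0.97),
            (40, 6, -0.98), (30, 9, -0.96), (60, 10, -0.80)]
VIOL_SAMPLE = [0, 0, 0, 0, 2, 0]      # solution 4 breaks a constraint by 2 units


def dominates(f, g):
    return all(a <= b for a, b in zip(f, g)) and any(a < b for a, b in zip(f, g))


def adaptive_penalty(F, viol):
    """Step 3 (main population): push infeasible solutions outward in proportion to
    their violation and to the fraction of infeasible solutions (assumed form)."""
    k, rf = len(F[0]), sum(1 for v in viol if v > 0) / len(F)
    lo = [min(f[j] for f in F) for j in range(k)]
    hi = [max(f[j] for f in F) for j in range(k)]
    return [tuple(f[j] + rf * v * ((hi[j] - lo[j]) or 1.0) for j in range(k)) if v > 0 else f
            for f, v in zip(F, viol)]


def feasibility_guide(F, viol):
    """Step 4 (sub-population): every infeasible solution ranks behind all feasible ones."""
    hi = [max(f[j] for f in F) for j in range(len(F[0]))]
    return [tuple(h + v for h in hi) if v > 0 else f for f, v in zip(F, viol)]


def fast_non_dominated_sort(F):
    """Step 5: list of fronts (index lists); fronts[0] is the non-dominated set."""
    n = len(F)
    worse, count, fronts = [[] for _ in range(n)], [0] * n, [[]]
    for p in range(n):
        for q in range(n):
            if dominates(F[p], F[q]):
                worse[p].append(q)
            elif dominates(F[q], F[p]):
                count[p] += 1
        if count[p] == 0:
            fronts[0].append(p)
    while fronts[-1]:
        nxt = []
        for p in fronts[-1]:
            for q in worse[p]:
                count[q] -= 1
                if count[q] == 0:
                    nxt.append(q)
        fronts.append(nxt)
    fronts.pop()       # the loop ends by appending an empty front
    return fronts


def crowding_distance(F, front, p=1 / 3):
    """Step 6: L_p combination (p = 1/3) of normalised neighbour gaps; boundary points get inf."""
    gaps = {i: [] for i in front}
    for obj in range(len(F[front[0]])):
        order = sorted(front, key=lambda i: F[i][obj])
        span = (F[order[-1]][obj] - F[order[0]][obj]) or 1.0
        gaps[order[0]].append(float("inf"))
        gaps[order[-1]].append(float("inf"))
        for prev, cur, nxt in zip(order, order[1:], order[2:]):
            gaps[cur].append((F[nxt][obj] - F[prev][obj]) / span)
    return {i: sum(g ** p for g in gs) ** (1 / p) for i, gs in gaps.items()}


def binary_tournament(F, size, seed=0):
    """Step 7, mating pool: of two random picks, the one in the better front wins."""
    rank = {i: r for r, front in enumerate(fast_non_dominated_sort(F)) for i in front}
    rng = random.Random(seed)
    picks = [(rng.randrange(len(F)), rng.randrange(len(F))) for _ in range(size)]
    return [a if rank[a] <= rank[b] else b for a, b in picks]


def select_best(F, N):
    """Step 7, truncation: keep N by front, splitting the last front by crowding distance."""
    chosen = []
    for front in fast_non_dominated_sort(F):
        if len(chosen) + len(front) <= N:
            chosen.extend(front)
        else:
            cd = crowding_distance(F, front)
            chosen.extend(sorted(front, key=lambda i: -cd[i])[:N - len(chosen)])
            break
    return chosen
```

The two penalty rules behave differently on the same infeasible solution: the adaptive penalty only pushes it back one front, so the main population keeps exploring near the constraint boundary, while the feasibility guide puts it into the last front outright, so the sub-population is driven towards feasible solutions. With p = 1/3 the crowding measure is not a norm in the strict sense (the triangle inequality fails for p < 1), but it is only ever used to order solutions within one front.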
Compared with the prior art, the invention has the following advantages:
1. A software-defined perimeter is embedded in the cloud-edge network. To an unverified edge device all services and applications in the cloud are 'dark': invisible and unreachable. A verified edge device is granted access rights dynamically and is continuously monitored and evaluated during access so that abnormal behaviour is detected; this reduces the attack surface and prevents malicious devices from affecting the cloud, including by DDoS attacks. SDN is introduced to host the applications the SDP needs, which are managed and orchestrated centrally, so network resources are optimized and the network is adjusted quickly.
2. Choosing an appropriate number of SDP controllers reduces cost, reduces delay and improves network security, and fixing the number by hand is clearly too crude. To balance the three objectives a constrained multi-objective optimization model is established and solved with the MsPop-NSGAII algorithm. MsPop-NSGAII co-evolves a main population and a sub-population whose search spaces are complementary, so the search space is enlarged and population diversity is preserved. The algorithm strikes a better trade-off between convergence, diversity and feasibility and thereby finds the optimal number of SDP controllers.
Drawings
Fig. 1 is a flowchart of a cloud-edge access control method of the cloud-edge access control system according to the present invention.
Fig. 2 is an architecture diagram of the optimization of the software-defined perimeter by the MsPop-NSGAII algorithm provided by the invention.
Fig. 3 is a graph showing the resistance effect of the present invention against DoS attacks.
Detailed Description
The invention is further described with reference to the following figures and detailed description, but the following description is illustrative only and is not intended to limit the scope and application of the invention.
As shown in Fig. 1, the cloud-edge access control method of the cloud-edge access control system, which optimizes the SDP with the main/sub-population NSGA-II algorithm, uses an identity authentication module, an access policy module, an intrusion detection module, an SDP controller number updating module and a database. The method comprises the following steps:
Steps (1) to (6) correspond to the six components listed above under Disclosure of Invention, and the identity authentication module and the access policy module perform the detailed steps set out there.
Fig. 2 shows the architecture of the main/sub-population cooperative NSGA-II optimization of the software-defined perimeter, i.e. the overall process of the invention: first the connection graph between the edge devices U_i and the SDP controllers S_j is simulated; then the multi-objective optimization model is built from the connection graph and the number of SDP controllers is periodically updated; finally the cloud-edge access control method of the cloud-edge access control system is carried out. The SDP controller number updating module performs the following steps:
(1) modelling the multi-objective optimization problem (steps 1 to 6) and (2) solving it with the main/sub-population NSGA-II algorithm (steps 1 to 8), exactly as set out above under Disclosure of Invention.
To make the above technical solution easier to understand, it is described below by way of specific examples.
Example 1
Ablation test: part of the model or algorithm is removed and the effect on the algorithm or model is observed.
The test platform uses the OpenSDP project of Waverley Labs and open-source OpenFlow components, running in a Linux virtual machine. Packet exchange between the components is captured ten times with Wireshark and averaged to determine the time overhead; a port scan against the cloud server is launched with nmap to determine the attack resistance rate; the cost is calculated by hand from the market prices of the SDN and SDP components. To show the effectiveness of each part of the cloud-edge access control method of the system that optimizes the SDP with the main/sub-population cooperative NSGA-II algorithm, the SDN and the multi-objective optimization model are removed from the complete method in turn, and the two resulting versions are compared with the complete version; the results recorded for security, network simplification, time and cost are shown in Table 1.
Table 1 shows the results of the ablation test for the three versions. The version without the SDN has slightly lower attack resistance and loses the network simplification function; its cost is 2% lower because the SDN components are removed, and its time cost rises because network simplification is absent. With the multi-objective optimization removed, the number of SDP controllers is no longer optimized periodically, attack resistance drops slightly, cost rises markedly, and time falls because the optimization itself is no longer run. This shows that the SDP architecture alone cannot simultaneously simplify the network, reduce time cost and resist attacks.
Table 1 ablation test records [table image not reproduced]
Example 2
Performance test: to further show the performance of the invention, two attacks of different kinds are launched: 1) a port scan against the cloud server with nmap; 2) a DoS attack against the cloud server with hping3. Each attack is repeated 100 times and the traffic is captured with Wireshark. For both attacks the security performance of the cloud-edge access control method of the system (which optimizes the SDP with the main/sub-population cooperative NSGA-II algorithm) and of firewall protection is tested, and the resistance of the two methods to the two attacks is compared in Table 2.
Table 2 comparison of performance tests (the table is supplied as an image in the original and is not reproduced here)
Against the port scanning attack, the invention closes the port, so the scan cannot identify it. With a firewall, the port scan reveals that the port is open. Fig. 3 shows the effect of the invention on resistance to DoS attacks: the broken line shows that, when the server faces a DoS attack, the effective traffic after the attack stays in a stable state and the server does not suffer a sudden traffic surge that would paralyse the service. Compared with the traditional isolated security strategy, the invention has stronger defence performance and flexibility and better meets the needs of practical application.
The foregoing describes only preferred embodiments of the invention, in some detail, and is not to be construed as limiting its scope. It should be noted that those skilled in the art can make various changes, modifications and substitutions without departing from the spirit of the present invention, and all of these fall within its scope. Therefore, the protection scope of this patent shall be subject to the appended claims.

Claims (4)

1. A cloud-edge access control system, characterized in that it comprises an identity authentication module, an access policy module, an intrusion detection module, an SDP controller quantity update module and a database:
the identity authentication module performs identity authentication of the edge device: when an edge device applies to access the cloud, the SDP controller verifies the identity of the device through an identity management program in the SDN application layer;
the access policy module evaluates the trust level of the edge device, formulates a corresponding access policy, and limits the available operations, accessible services and access time after the edge device enters the cloud; after the identity has been authenticated by the identity authentication module, this is implemented through a dynamic authorization program preset in the SDN application layer;
after the access policy has been specified, the edge device establishes an mTLS connection with the cloud through the SDP gateway to access services; after the connection is established, the dynamic authorization program collects the device's behaviour, continuously evaluates its trust level and issues corresponding instructions, including lowering or raising the access authority;
the intrusion detection module is implemented as an intrusion detection program in the SDN application layer and runs continuously throughout the access period;
the SDP controller quantity update module updates the number of SDP controllers; it is implemented by an SDP controller quantity update program in the SDN application layer, in which a main population and a sub-population are built and the number of SDP controllers is periodically updated with the NSGA-II algorithm;
the database stores a device information table that all modules access; the device information table comprises device information, the encryption certificate, the key and the trust value.
2. The cloud-edge access control system according to claim 1, wherein the identity authentication module is specifically configured to perform the following steps:
S1, an edge device sends a single SPA packet to the SDN switch to request access, and the identity management program in the SDN application layer verifies whether the SPA packet is legal;
S2, if it is legal, the SDN controller is called to issue a flow table [switch -> SDP controller] to the SDN switch, and the SDN switch forwards the packet to the SDP controller according to the flow table; if it is illegal, the dynamic authorization program is called to reduce the trust value, and the packet is discarded;
S3, after receiving the SPA packet, the SDP controller checks whether the encryption certificate in the packet is empty; if it is empty, the edge device is newly added, so the controller issues a certificate for it, calls the dynamic authorization program to initialize its trust value, and updates the device information table.
3. The cloud-edge access control system according to claim 2, wherein the access policy module is specifically configured to perform the following steps:
S1, when an SPA packet reaches the SDP controller and authentication passes, the dynamic authorization program is triggered automatically; it takes the edge device's encryption certificate as input, outputs the device's access authority, and packages that authority into a permission packet;
S2, the SDN controller is called to issue a flow table [SDP controller -> SDP gateway]; the SDN switch forwards the permission packet from the SDP controller to the SDP gateway, and the SDP gateway configures firewall rules according to the packet, allowing the edge device to access the cloud and limiting the available operations, accessible services and access time after it enters the cloud.
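The admission flow of claims 2 and 3, simulated end to end in one process, as an added example that is not code from the patent or its assignee. The claims do not say how an SPA packet is judged legal, how trust maps to permissions, what an issued certificate looks like or what the gateway's rule syntax is, so the HMAC-plus-freshness-plus-nonce check, the 0-100 trust scale and its thresholds, the digest used as a stand-in certificate, the certificate-match check on returning devices, the rule strings and all device names and keys are assumptions or constructed values.

```python
"""Added example (not the patent's own code): the admission flow of claims 2 and 3 simulated
in one process.  Assumptions: the SPA packet is judged legal by an HMAC over its fields plus a
freshness window and an unseen nonce; trust is a 0-100 value with constructed thresholds; the
certificate is a constructed digest standing in for a real issued certificate; the firewall
rule syntax is made up for the example."""
import hashlib
import hmac
import json
import time

SPA_KEY = b"constructed-pre-shared-key"   # assumption: key shared by edge devices and the controller
SPA_WINDOW_S = 30                          # assumption: packets older than 30 s are illegal
TRUST_INITIAL, TRUST_PENALTY = 50, 10      # assumption: trust scale 0-100
device_table = {}                          # device information table: id -> {cert, trust}
seen_nonces = set()                        # replay protection for SPA packets (assumption)

def _mac(fields):
    return hmac.new(SPA_KEY, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def build_spa(device_id, cert, nonce, ts=None):
    """Edge-device side: one SPA packet carrying an HMAC over its fields."""
    pkt = {"device": device_id, "cert": cert, "nonce": nonce, "ts": ts or int(time.time())}
    pkt["mac"] = _mac(pkt)
    return pkt

def spa_is_legal(pkt, now=None):
    """Identity management program (claim 2, S1): MAC, freshness and nonce checks."""
    now = now or int(time.time())
    fields = {k: v for k, v in pkt.items() if k != "mac"}
    if not hmac.compare_digest(_mac(fields), str(pkt.get("mac", ""))):
        return False
    if abs(now - pkt.get("ts", 0)) > SPA_WINDOW_S or pkt.get("nonce") in seen_nonces:
        return False
    seen_nonces.add(pkt["nonce"])
    return True

def lower_trust(device_id):
    """Claim 2, S2 on an illegal packet: reduce the sender's trust.  Only devices already in the
    table are touched, so unauthenticated packets cannot pollute the table (assumed choice)."""
    rec = device_table.get(device_id)
    if rec is None:
        return None
    rec["trust"] = max(0, rec["trust"] - TRUST_PENALTY)
    return rec["trust"]

def sdp_controller_receive(pkt):
    """Claim 2, S3: an empty certificate marks a new device; issue one and initialise its trust."""
    rec = device_table.setdefault(pkt["device"], {"cert": "", "trust": TRUST_INITIAL})
    if not pkt["cert"]:
        rec["cert"] = hashlib.sha256(("cert:%s:%s" % (pkt["device"], pkt["nonce"])).encode()).hexdigest()[:16]
        rec["trust"] = TRUST_INITIAL
    elif rec["cert"] != pkt["cert"]:
        return None                        # assumed check: a presented certificate must match the table
    return rec["cert"]

def dynamic_authorization(cert):
    """Claim 3, S1: certificate in, permission packet out (operations, services, access time)."""
    dev = next((d for d, r in device_table.items() if cert and r["cert"] == cert), None)
    if dev is None:
        return None
    trust = device_table[dev]["trust"]
    if trust >= 80:
        ops, services, minutes = ["read", "write"], ["telemetry", "control"], 120
    elif trust >= 40:
        ops, services, minutes = ["read"], ["telemetry"], 30
    else:
        ops, services, minutes = [], [], 0
    return {"device": dev, "operations": ops, "services": services, "access_minutes": minutes}

def gateway_rules(perm):
    """Claim 3, S2: the SDP gateway turns the permission packet into firewall rules."""
    if perm is None:
        return []
    if not perm["services"]:
        return ["deny all from %s" % perm["device"]]
    ops = ",".join(perm["operations"])
    return ["allow %s service=%s ops=%s ttl=%dm" % (perm["device"], s, ops, perm["access_minutes"])
            for s in perm["services"]]

def admit(pkt, now=None):
    """Whole flow: switch -> identity check -> SDP controller -> dynamic authorization -> gateway."""
    if not spa_is_legal(pkt, now):
        lower_trust(str(pkt.get("device", "?")))
        return None                        # packet discarded
    return gateway_rules(dynamic_authorization(sdp_controller_receive(pkt)))
```

Calling `admit()` twice with the same packet shows the two halves of S2: the first call issues a certificate and yields gateway rules, the replay is rejected by the nonce set and costs the device trust. The nonce set and the time window are what make a "single packet" authorization safe to expose on a closed port; without them a captured SPA packet could be replayed indefinitely.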
4. The cloud-edge access control system according to claim 1, wherein the SDP controller quantity update module is specifically configured to execute the following steps:
S1, periodically updating the number of SDP controllers according to the number of edge devices, modelling the problem as a multi-objective optimization model, comprising:
S1.1, for each edge device U_i and each SDP controller S_j, define a tuple as follows:
(equation given as an image in the original; not reproduced here)
where the first element represents whether edge device U_i and SDP controller S_j are connected, the second represents the cost of the connection between U_i and SDP controller S_j, the third represents the probability that SDP controller S_j is honest, and the fourth represents the time delay between U_i and SDP controller S_j;
S1.2, the number of SDP controllers must be less than or equal to the number of edge devices, and each edge device connects to exactly one SDP controller, giving the constraint:
(equation given as an image in the original; not reproduced here)
where m is the number of SDP controllers and n is the number of edge devices;
S1.3, calculate the total time delay of the connection process between all edge devices and the SDP controllers:
(equation given as an image in the original; not reproduced here)
S1.4, calculate the total connection cost of all edge devices and the SDP controllers:
(equation given as an image in the original; not reproduced here)
S1.5, define the security of the SDP controllers:
(equation given as an image in the original; not reproduced here)
S1.6, with the objectives of minimizing cost, minimizing delay and maximizing security, taking the number m of SDP controllers as the decision variable and the number n of edge devices as a parameter, the functions of S1.2 to S1.5 are modelled as a multi-objective optimization problem:
(equation given as an image in the original; not reproduced here)
S2, to solve the multi-objective optimization problem, a main/sub-population collaborative NSGA-II algorithm is proposed, in which the main population and the sub-population evolve cooperatively to expand the search space and finally reach Pareto optimality, comprising:
S2.1, randomly initialize identical main population Mq and sub-population Sq, set the population size to N, and set the maximum number of generations maxg;
S2.2, update the fitness vectors of the main population Mq and the sub-population Sq, namely the vectors of multi-objective function values
(equation given as an image in the original; not reproduced here)
where q_i is the i-th solution of the population;
S2.3, traverse the main population Mq and modify the fitness of each infeasible solution mq_i using an adaptive penalty function:
(equation given as an image in the original; not reproduced here)
where the quantity shown in the image is the maximum value of the infeasible solution mq_i on each objective function, and mq_i is the i-th solution of the main population;
S2.4, traverse the sub-population Sq and modify the fitness of each infeasible solution sq_i using a feasibility guidance method:
(equation given as an image in the original; not reproduced here)
where the quantity shown in the image is the maximum value of each objective function in the current sub-population, and sq_i is the i-th solution of the sub-population;
S2.5, the main population Mq is non-dominated sorted for convergence and ordered by objective function value;
S2.6, the sub-population Sq is sorted for diversity, with diversity measured by the crowding distance:
(equation given as an image in the original; not reproduced here)
where L_p(·) is the L_p norm and p is set to 1/3;
S2.7, merge the two populations and select a mating pool of size N by binary tournament; merge the two populations Mq and Sq with the mating pool into a new population of size 2N, apply selection, crossover and mutation to each, finally select the first N individuals as the offspring population according to each population's own sorting rule, and update the evolution counter;
S2.8, if the maximum number of generations has been reached, output the main population Mq; otherwise go to S2.2.
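Claim 4 as one worked example that covers both the model of S1 (tuple, constraint, delay, cost and security objectives) and the main/sub-population NSGA-II of S2; it is added here and is not code from the patent or its assignee. The page gives its equations only as images, so the binary-matrix encoding of a solution, the mean-honesty security objective, the exact penalty and feasibility-guidance rules, the uniform crossover and single-bit mutation, the reading of the 2N merge-and-select step, and every cost, delay and honesty value are assumptions or constructed data.

```python
"""Added example (not the patent's own code): a compact, runnable reading of claim 4.
Assumptions the page leaves open: a solution is a binary n x K matrix x[i][j] (edge device i
connected to candidate SDP controller j; m = controllers actually used); security of a solution
is the mean honesty probability p_j of the used controllers; the penalty of S2.3 and the
feasibility guidance of S2.4 are the simplest rules that rank every feasible solution ahead of
every infeasible one; all data values are constructed."""
import random

N_DEV, K, POP, MAXG = 5, 4, 12, 40   # n edge devices, K candidate controllers, N, maxg
COST = [[3, 5, 2, 8], [4, 2, 6, 1], [5, 5, 3, 2], [2, 7, 4, 6], [6, 1, 5, 3]]   # c_ij (constructed)
DELAY = [[10, 25, 15, 40], [30, 12, 20, 18], [22, 14, 9, 35], [16, 28, 11, 21], [13, 19, 26, 8]]  # d_ij
HONEST = [0.9, 0.7, 0.95, 0.6]   # p_j (constructed)

def violation(x):
    """S1.2: each device on exactly one controller and m <= n; 0 means feasible."""
    m = sum(any(x[i][j] for i in range(N_DEV)) for j in range(K))
    return sum(abs(sum(r) - 1) for r in x) + max(0, m - N_DEV)

def objectives(x):
    """S1.3-S1.5 as a vector to minimise: (total delay, total cost, 1 - security)."""
    delay = sum(x[i][j] * DELAY[i][j] for i in range(N_DEV) for j in range(K))
    cost = sum(x[i][j] * COST[i][j] for i in range(N_DEV) for j in range(K))
    used = [j for j in range(K) if any(x[i][j] for i in range(N_DEV))]
    return [delay, cost, 1.0 - (sum(HONEST[j] for j in used) / len(used) if used else 0.0)]

def dominates(a, b):
    return all(p <= q for p, q in zip(a, b)) and a != b

def fitness(pop, sub):
    """S2.2-S2.4: objective vectors, infeasible members pushed behind feasible ones.  Main population:
    f + violation * (max of each objective); sub population (feasibility guidance): max + violation."""
    raw, viol = [objectives(x) for x in pop], [violation(x) for x in pop]
    fmax = [max(f[k] for f in raw) for k in range(3)]
    return [f if v == 0 else [fmax[k] + v for k in range(3)] if sub else [f[k] + v * fmax[k] for k in range(3)]
            for f, v in zip(raw, viol)]

def nd_rank(fit):
    """S2.5: non-dominated sorting; returns the front index of every member."""
    ranks, remaining, front = [0] * len(fit), set(range(len(fit))), 0
    while remaining:
        nd = {i for i in remaining if not any(dominates(fit[j], fit[i]) for j in remaining if j != i)}
        for i in nd:
            ranks[i] = front
        remaining, front = remaining - nd, front + 1
    return ranks

def crowding(fit, p=1 / 3):
    """S2.6: crowding distance from an L_p combination of neighbour gaps, p = 1/3 as in the claim."""
    dist = [0.0] * len(fit)
    for k in range(3):
        order = sorted(range(len(fit)), key=lambda i: fit[i][k])
        span = (fit[order[-1]][k] - fit[order[0]][k]) or 1.0
        dist[order[0]] = dist[order[-1]] = float("inf")   # boundary points are always kept
        for a in range(1, len(order) - 1):
            dist[order[a]] += (abs(fit[order[a + 1]][k] - fit[order[a - 1]][k]) / span) ** p
    return [d ** (1 / p) for d in dist]

def sort_key(pop, sub):
    """Respective sorting rules: main by (front, -crowding), sub by diversity only."""
    cd = crowding(fit := fitness(pop, sub))
    return [(-c,) for c in cd] if sub else list(zip(nd_rank(fit), [-c for c in cd]))

def select(pop, sub):
    key = sort_key(pop, sub)   # keep the first N of a merged 2N population under that population's rule
    return [pop[i] for i in sorted(range(len(pop)), key=lambda i: key[i])[:POP]]

def vary(a, b):
    """Uniform crossover of two parents followed by a single-bit mutation."""
    child = [[a[i][j] if random.random() < 0.5 else b[i][j] for j in range(K)] for i in range(N_DEV)]
    if random.random() < 0.4:
        i, j = random.randrange(N_DEV), random.randrange(K)
        child[i][j] ^= 1
    return child

def random_matrix():
    """S2.1 initial individual: most rows pick one controller, some rows are random bits."""
    rows = []
    for j in (random.randrange(K) for _ in range(N_DEV)):
        rows.append([int(c == j) for c in range(K)] if random.random() < 0.8 else [random.randint(0, 1) for _ in range(K)])
    return rows

def evolve(seed=7):
    """S2.1-S2.8: the two populations co-evolve for maxg generations; returns the final main population Mq."""
    random.seed(seed)
    mq = [random_matrix() for _ in range(POP)]
    sq = [[r[:] for r in x] for x in mq]             # identical initial populations
    for _ in range(MAXG):
        union, pool = mq + sq, []                    # S2.7: merge, binary tournament -> mating pool of N
        key = sort_key(union, sub=False)
        for _ in range(POP):
            a, b = random.sample(range(len(union)), 2)
            pool.append(union[a] if key[a] <= key[b] else union[b])
        kids = [vary(pool[i], pool[(i + 1) % POP]) for i in range(POP)]
        mq, sq = select(mq + kids, False), select(sq + kids, True)   # 2N -> N under each rule
    return mq

def pareto_front(pop):
    """Feasible, mutually non-dominated objective vectors of a population (sorted, deduplicated)."""
    fit = [objectives(x) for x in pop if violation(x) == 0]
    return sorted({tuple(f) for f in fit if not any(dominates(g, f) for g in fit)})
```

Run `evolve()` and pass the result to `pareto_front()` to read off the feasible trade-offs between delay, cost and (1 - security). Only the main population is a sensible place to read the answer from: the sub-population is ranked by diversity alone, as S2.6 states, so it deliberately keeps poor and infeasible individuals alive to widen the search, which is why S2.8 outputs Mq and not Sq.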
CN202211140381.4A 2022-09-20 2022-09-20 Cloud-edge access control system Active CN115225412B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211140381.4A CN115225412B (en) 2022-09-20 2022-09-20 Cloud-edge access control system

Publications (2)

Publication Number Publication Date
CN115225412A true CN115225412A (en) 2022-10-21
CN115225412B CN115225412B (en) 2023-01-03

Family

ID=83617540

Country Status (1)

Country Link
CN (1) CN115225412B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130042298A1 (en) * 2009-12-15 2013-02-14 Telefonica S.A. System and method for generating trust among data network users
CN104982006A (en) * 2013-04-10 2015-10-14 华为技术有限公司 System and method for providing a software defined protocol stack
US20150304281A1 (en) * 2014-03-14 2015-10-22 Avni Networks Inc. Method and apparatus for application and l4-l7 protocol aware dynamic network access control, threat management and optimizations in sdn based networks
CN107005848A (en) * 2014-12-05 2017-08-01 华为技术有限公司 System and method for arranging Virtual Service gateway for mobile management
US20180321981A1 (en) * 2017-05-04 2018-11-08 Huawei Technologies Co., Ltd. System and method for self organizing data center
CN110691064A (en) * 2018-09-27 2020-01-14 国家电网有限公司 Safety access protection and detection system for field operation terminal
CN111586025A (en) * 2020-04-30 2020-08-25 广州市品高软件股份有限公司 SDN-based SDP security group implementation method and security system
CN111586026A (en) * 2020-04-30 2020-08-25 广州市品高软件股份有限公司 Software defined boundary implementation method and system based on SDN
CN113572738A (en) * 2021-06-29 2021-10-29 中孚安全技术有限公司 Zero trust network architecture and construction method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
孙瑞 et al.: "Construction of a zero-trust network based on multi-factor authentication", 《金陵科技学院学报》 *
张银芽 et al.: "Environmental and economic optimal dispatch of a regional power grid considering inter-provincial power balance", 《武汉大学学报(工学版)》 *
王铮 et al.: "Research on a new standardized operator platform SDP based on the SDN architecture", 《信息与电脑(理论版)》 *
郑伟 et al.: "Application of software-defined perimeter technology in cloud computing scenarios", 《枣庄学院学报》 *

Also Published As

Publication number Publication date
CN115225412B (en) 2023-01-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant