This application claims priority to Chinese Patent Application Ser. No. CN202310223837.1 filed on 9 Mar. 2023.
The present invention relates to a service function chain orchestration technology, in particular to an endogenous dynamic defense architecture-based multi-objective service function chain deployment method.
The introduction of virtualization, IT and software concepts gives the 5G network flexibility, programmability and intelligence, and also provides a novel manner of designing, orchestrating and deploying mobile services to support increasingly complex and variable customer requirements, so that network service deployment becomes more flexible and quick. As a virtualization technology, NFV deploys software network functions on a stable commercial computing resource platform, which avoids the complex connection and configuration work of traditional heterogeneous hardware network function deployment and, in combination with flexible management mechanisms such as load balancing, effectively solves the problems of traditional network function hardware devices: high device price, difficult management, and a high failure rate caused by connection configuration, network traffic overload, etc. SDN is a novel method of designing, implementing and managing networks that decouples network control management (the control plane) from the data forwarding process (the data plane), so as to obtain a good user experience. The separation of network control and data brings many benefits for the flexibility and controllability of networks. In a manner of speaking, the emergence of NFV and SDN makes the deployment of service function chains (SFCs) more flexible and quick; although these technologies bring convenience, they also make the SFC and virtualized network functions (VNFs) more vulnerable to attacks, so that the traditional “plug-in” and “patch” network security mechanisms face greater challenges from potential attacks and security hazards.
The moving target defense is a theory and method proposed by the National Science and Technology Council of America to remedy the defects of existing information systems on the basis of dynamicalization, randomization and diversification. Its core idea is to build a dynamic and uncertain network space target environment, thereby increasing the attack difficulty and coping with network attacks through the randomness and unpredictability of the system. Moving target defense can be implemented at a plurality of levels, such as the network, the platform, the running environment, software, and data. The constantly changing target system environment and resource configuration relationship greatly increases the difficulty of sniffing information systems and of exploiting system defects; it is an endogenous security technology mainly focused on the running of systems.
The mimic defense is a technical system primarily developed by Academician Wu Jiangxing of China. It holds that, by constructing an information system operating environment whose apparent structure is variable by means of non-intrusive mimic defense support tools, platforms and products, a randomly generated network threat event can be quantized into a probability problem of generalized uncertain disturbances escaping from a multi-level differential mode infrastructure environment. The mimic defense uses its own dynamic heterogeneous redundancy mechanism so that the sniffing and trying operations made by an attacker in an earlier stage cannot be inherited in the vulnerability exploitation stage, and generates an intrusion tolerance effect based on the concept of “quick avoidance”, thereby ensuring the security of the system and the continuity of its service. It provides a new view for solving the problem of component-level security: the system itself has a typical dynamic heterogeneous redundancy (DHR) structure model and an active defense capability.
It is further pointed out that endogenous security, as an emerging network security technology, constructs a novel network security defense framework with capabilities such as active defense, situation awareness and threat cleaning. Typical endogenous security technologies include mimic defense, moving target defense, trusted computing, zero trust architecture, etc.; by technical means such as constructing a novel information system running environment and authenticating access to key system resources, endogenous security technology achieves a good defense effect in the protection against known and unknown network threats. On this basis, how to apply endogenous security to the deployment of SFCs so as to improve the security of the SFCs and the virtualized network functions (VNFs) is the key point of the research of the present invention.
The objective of the present invention: in order to solve the problems of current SFC deployment systems, namely that SFCs and VNFs are vulnerable to attacks and that it is difficult for the traditional “plug-in” and “patch” network security mechanisms to defend against those attacks, the present invention provides an endogenous dynamic defense architecture-based multi-objective service function chain deployment method.
The technical solution: an endogenous dynamic defense architecture-based multi-objective service function chain deployment method, comprising a computer readable medium operable on a computer with memory for the endogenous dynamic defense architecture-based multi-objective service function chain deployment method, and comprising program instructions for executing the following steps of:
the replica VNF dynamic scheduling deployment algorithm includes the following three modes:
Further, in step (1), for the enhanced mode, a DHR is used as a core architecture of mimic defense, which is composed of an input module, a processing module, an output module, a construction module and a scheduling module;
the input module is composed of a user input and a service scheduling agent (SDA); after the SDA replicates the user input to obtain n copies, which form n sub-inputs, the SDA distributes the n sub-inputs to the deployment set BE in the processing module;
the processing module is composed of the deployment set BE; the replica VNFs in the deployment set process the n sub-inputs formed by the input module to form n sub-outputs, and then send them to a mimic decision point (MDP) for determination;
the output module is composed of the MDP and is used for determining the n sub-outputs of the same input message: if k or more results are consistent, the result is output; otherwise, output is stopped;
the construction module comprises a heterogeneous replica pool FE and a heterogeneous replica set AE; it divides the heterogeneous replica pool FE into p sub-pools according to a sub-pool division algorithm, and selects a replica from each sub-pool according to a scheduling algorithm, so as to form the heterogeneous replica set AE; and
the scheduling module selects n replicas from the heterogeneous replica set AE as the deployment set BE in the processing module according to the scheduling and deployment algorithm; after a scheduling period, the scheduling module removes the BE, restores it to the initial state by shuffling, and reselects a deployment set for the next scheduling period according to the scheduling and deployment algorithm.
Further, in step (2), the heterogeneity between different replica VNFs is measured by means of a Jaccard distance, the heterogeneity between VNF fi and VNF fj being expressed as follows:
where αi and αj represent the vulnerability vectors of VNF fi and VNF fj; when VNF fi has vulnerability vnz, qvnz=1, otherwise qvnz=0.
Further, the replica VNF dynamic scheduling deployment algorithm in step (3) specifically includes the following processes:
Still further, the multi-objective SFC deployment problem described in step (1) is described in detail as follows:
defining a vulnerability set as VN={vnz|z∈[1, |VN|]}, each VNF vulnerable to attacks containing α vulnerabilities; and defining a heterogeneous replica VNF pool as FE={fe1|l∈[1, |FE|]}, each replica VNF also containing α vulnerabilities;
an objective function for the SFC deployment problem is as follows:
min(f1+f2+f3)
s.t. C1,C2,C3
for f1, Dμ is the total response time delay with the expression as follows:
Dμ=Lμ+Pμ+Tμ+Wμ
where Lμ=Σe
is a processing time delay,
is a transmission time delay, and
is an additional time delay brought by the dynamic defense architecture;
for
is an average defense success rate, where q represents the number of defense successes, and Q represents the total number of attacks;
for f3, C(τ) represents total deployment costs with the expression as follows:
C(τ)=Coperational(τ)+Creplica(τ)
Coperational(τ) represents total operating costs, which is the sum of starting costs of a server and costs of successfully placing a VNF;
Coperational(τ)=Σn
xf
Creplica(τ)=Cpool(τ)+Cshuffling(τ)+Cswitching(τ) represents additional costs brought about by the endogenous dynamic defense architecture, where Cpool(τ)=Σf∈FE ζcCf represents costs of maintaining the heterogeneous replica VNF pool,
represents costs of shuffling, and Cswitching(τ)=Σr
Beneficial effects: compared with the prior art, the method of the present invention gives the SFC and VNF an active defense capability by constructing an endogenous dynamic defense architecture; by means of the dynamic heterogeneous redundancy mechanism of mimic defense itself, it ensures that the sniffing and trying operations made by an attacker in an earlier stage cannot be inherited in the vulnerability exploitation stage; and by means of moving target defense, it constructs a dynamic and uncertain network space target environment that increases the attack difficulty, thereby coping with network attacks through the randomness and unpredictability of the system. It thus solves the problems of current SFC deployment systems, namely that SFCs and VNFs are vulnerable to attacks and that it is difficult for the traditional “plug-in” and “patch” network security mechanisms to defend against those attacks. In implementing the method, the present invention provides a sub-pool division algorithm and a replica VNF dynamic scheduling deployment algorithm, thereby providing a novel method for selecting, scheduling and deploying VNF replicas, so that the security of VNFs and SFCs in the deployment process is greatly improved.
To describe the technical solutions disclosed in the present invention in detail, the present invention is further described as follows with reference to the accompanying drawings and embodiments.
The present invention provides an endogenous dynamic defense architecture-based multi-objective service function chain deployment method, which is mainly used for solving the problems of current SFC deployment systems, namely that SFCs and VNFs are vulnerable to attacks and that it is difficult for the traditional “plug-in” and “patch” network security mechanisms to defend against those attacks.
The endogenous dynamic defense architecture proposed in the present invention mainly relates to two defense modes, i.e. moving target defense and mimic defense. The present invention combines them with SFC deployment to improve security.
The implementation process of the technical solution provided by the present invention will be described in detail below.
According to the method of the present invention, the deployment of the SFC is implemented by using an endogenous dynamic defense architecture, which mainly includes two modes and five modules. The basic mode relates only to moving target defense, and the enhanced mode relates to both moving target defense and mimic defense. The input module is responsible for replicating an input and distributing it to the processing module; the processing module is responsible for processing the deployment set obtained from the scheduling module and the input obtained from the input module to form sub-outputs, and for sending them to the output module; the output module determines the sub-outputs obtained from the processing module; the construction module is responsible for obtaining a heterogeneous replica set from a heterogeneous replica pool; and the scheduling module is responsible for obtaining a deployment set from the heterogeneous replica set according to the scheduling deployment algorithm.
As shown in
Specific implementations of the steps of the present invention are further described below.
Step 1: an endogenous dynamic defense architecture is constructed.
As shown in
the basic mode uses moving target defense to guarantee the security of a VNF by shuffling the VNF, i.e. when the VNF is generated, its IP address, execution code and generation parameters are changed dynamically, so that it is difficult for an attacker to predict and attack it;
the enhanced mode uses mimic defense to protect a VNF, i.e. a VNF vulnerable to attacks can use a dynamic heterogeneous redundancy (DHR) architecture to achieve an active defense capability;
and the DHR is used as the core architecture of mimic defense, which is composed of an input module, a processing module, an output module, a construction module and a scheduling module. The specific content is as follows:
Step 2: a multi-objective SFC deployment problem is proposed in combination with the actual conditions and the proposed endogenous dynamic defense architecture.
In the present invention, a vulnerability set is defined as VN={vnz|z∈[1, |VN|]}, each VNF vulnerable to attacks containing α vulnerabilities; and a heterogeneous replica VNF pool is defined as FE={fe1|l∈[1, |FE|]}, each replica VNF also containing α vulnerabilities.
An objective function of the SFC deployment problem is as follows:
min(f1+f2+f3)
s.t. C1,C2,C3
For f1, Dμ is the total response time delay, i.e.
Dμ=Lμ+Pμ+Tμ+Wμ,
where Lμ=Σe
is a processing time delay,
is a transmission time delay, and
is an additional time delay brought by the dynamic defense architecture;
For
is an average defense success rate, where q represents the number of defense successes, and Q represents the total number of attacks.
For f3, C(τ) represents total deployment costs, i.e.,
C(τ)=Coperational(τ)+Creplica(τ)
Coperational(τ) represents total operating costs, which is the sum of starting costs of a server and costs of successfully placing a VNF;
Coperational(τ)=Σn
xf
Creplica(τ)=Cpool(τ)+Cshuffling(τ)+Cswitching(τ) represents the additional costs brought about by the endogenous dynamic defense architecture, where Cpool(τ)=Σf∈FE ζcCf represents costs of maintaining the heterogeneous replica VNF pool,
represents costs of shuffling, and Cswitching(τ)=Σr
The resource constraint is as follows:
∀ni∈N,Σf
where sn
The bandwidth constraint is as follows:
∀ej∈E,Σr
where ar,τ represents whether the request rμ∈R is still in a service, and Be
The delay constraint C3 is as follows:
∀rμ∈R, Dμ≤Dμmax
where Dμmax represents the maximum end-to-end delay.
Step 3: a sub-pool division algorithm is designed.
According to the heterogeneity among replica VNFs, the sub-pool division algorithm divides the heterogeneous replica pool FE into a plurality of replica sub-pools: VNFs having many common vulnerabilities are placed in the same sub-pool, and VNFs having few common vulnerabilities are placed in different sub-pools. In the present invention, the heterogeneity between different replica VNFs is measured by means of the Jaccard distance, and the heterogeneity between VNF fi and VNF fj is represented as follows:
where αi and αj represent the vulnerability vectors of VNF fi and VNF fj; when VNF fi has vulnerability vnz, qvnz=1, otherwise qvnz=0.
The specific algorithm flow is as follows:
The objective of the replica VNF dynamic scheduling deployment algorithm is to select appropriate VNFs from the sub-pools for deployment, in combination with historical information and the heterogeneity between the VNFs, so as to improve the security of the SFCs; specifically:
the replica VNF dynamic scheduling deployment algorithm includes the three modes:
The specific algorithm flow is as follows:
In this embodiment, in order to verify the actual effect of the present invention, an attack algorithm is designed to simulate attacks on the deployed VNFs. The attack algorithm includes three different attack modes, which are described as follows:
In the present invention, it is assumed that only one vulnerability is used per attack, that the VNF vulnerable to attacks is attacked N times in total, and that each attack generates vulnerabilities in the three manners described. If more than b/2+1 common vulnerabilities exist in the b VNFs at the same time, the attack succeeds; otherwise, the attack fails, and the VNF found to have a problem in the multi-mode determination is marked so as to reduce the probability of its subsequent selection, thereby improving the security of the system.
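As an added illustration (not the patent's own algorithm, whose specific flow is not reproduced on this page), the following Python models the ideas of the sub-pool division, the scheduling step and the attack simulation above on a constructed replica pool: Jaccard-distance heterogeneity, a grouping of replicas that share vulnerabilities into sub-pools, selection of the least-marked replica per sub-pool and the most heterogeneous n of them as the deployment set, and the mimic decision point's majority vote, where an outvoted replica is marked to lower its future selection probability. The pool FE, the vulnerability ids and the farthest-first grouping rule are assumptions made for the example.

```python
from itertools import combinations

# Constructed sample pool FE (not from the patent): replica id -> set of vulnerability ids vn_z.
FE = {
    "fe1": {1, 2, 3}, "fe2": {1, 2, 4}, "fe3": {5, 6, 7},
    "fe4": {5, 6, 8}, "fe5": {9, 10, 11}, "fe6": {9, 10, 3},
}

def jaccard_distance(a, b):
    """Heterogeneity of two replicas: 1 - |a∩b|/|a∪b|; 1.0 means no shared vulnerability."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def divide_sub_pools(pool, p):
    """Assumed farthest-first grouping into p sub-pools: replicas with many common
    vulnerabilities (small Jaccard distance) end up in the same sub-pool."""
    names = sorted(pool)
    seeds = [names[0]]
    while len(seeds) < p:  # next seed: replica farthest from its nearest existing seed
        seeds.append(max((r for r in names if r not in seeds),
                         key=lambda r: min(jaccard_distance(pool[r], pool[s]) for s in seeds)))
    sub_pools = {s: [s] for s in seeds}
    for r in names:
        if r not in seeds:
            sub_pools[min(seeds, key=lambda s: jaccard_distance(pool[r], pool[s]))].append(r)
    return list(sub_pools.values())

def schedule(pool, sub_pools, n, marks):
    """Scheduling step (n <= number of sub-pools): take the least-marked replica of each
    sub-pool (set AE), then keep the n of them with the largest pairwise distance (set BE)."""
    ae = [min(sp, key=lambda r: (marks.get(r, 0), r)) for sp in sub_pools]
    def spread(group):
        return sum(jaccard_distance(pool[x], pool[y]) for x, y in combinations(group, 2))
    return list(max(combinations(ae, n), key=spread))

def mimic_decision(pool, be, vn, marks):
    """One attack using vulnerability vn against deployment set BE of b replicas.
    The MDP majority vote is defeated only when more than b/2 replicas share vn;
    otherwise the outvoted replicas are marked so they are selected less often."""
    affected = [r for r in be if vn in pool[r]]
    if len(affected) > len(be) / 2:
        return True  # attack succeeds: consistent wrong outputs form a majority
    for r in affected:
        marks[r] = marks.get(r, 0) + 1
    return False

def simulate(pool, p, n, attacks):
    """Reschedule before every attack (each attack uses one vulnerability id) and
    return the average defense success rate q/Q."""
    marks, sub_pools, q = {}, divide_sub_pools(pool, p), 0
    for vn in attacks:
        if not mimic_decision(pool, schedule(pool, sub_pools, n, marks), vn, marks):
            q += 1
    return q / len(attacks)

if __name__ == "__main__":
    print(divide_sub_pools(FE, 3), simulate(FE, 3, 3, [1, 5, 9, 3]))
```

Running the module prints the three sub-pools and a defense success rate of 1.0 for the constructed attack sequence, while a homogeneous deployment set such as fe1, fe2, fe3 is defeated by a single shared vulnerability.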
In
Next, the average costs per SFC for the four modes when the shuffle time varies from 5 to 25 are explored in this embodiment. It can be determined from
In this embodiment, the defense success rates of several algorithms using different attack modes when the shuffle time varies from 5 to 25 are compared. It can be determined from
In
| Number | Date | Country | Kind |
|---|---|---|---|
| 202310223837.1 | Mar 2023 | CN | national |