| Graduate student | 洪浩鈞 Hao-Chun Hung |
|---|---|
| Thesis title | 軟體定義網路架構下的模組化網路安全服務實作 Implementation of a Modular Network Security Services for Software Defined Networks |
| Advisor | 鄧惟中 Wei-Chung Teng |
| Committee members | 林宗男 Tsung-nan Lin, 雷欽隆 Chin-Laung Lei, 沈上翔 Shan-Hsiang Shen |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering |
| Year of publication | 2018 |
| Academic year of graduation | 106 |
| Language | Chinese |
| Number of pages | 55 |
| Chinese keywords | 軟體定義網路 (Software-Defined Networking), 入侵偵測防禦系統 (Intrusion Detection and Prevention System), 模組化開發 (Modular Development) |
| English keywords | Software-Defined Networking, Intrusion Prevention System, Modularize |
| Usage | Views: 256, Downloads: 14 |
The Software-Defined Networking architecture lets switches be controlled through the control plane, and is therefore far more flexible and convenient than a traditional network architecture. On the other hand, developing applications for SDN is considerably harder, and there is no mechanism for managing those applications. Drawing on the modular development concept of FRESCO [1], this study proposes a security service development platform whose distinguishing feature is modular development, and implements the platform following the design points proposed by Xing et al. [2].
Modular development lets users combine different modules according to different network requirements. To realize this concept, the system connects modules with different functions by means of scripts: a purpose-built script compiler translates a script into a security service application that runs as Python code. In the experiments, the system's efficiency is evaluated by its packet detection rate; in addition, two attack patterns are simulated, a corresponding defense script is written for each, the attack is carried out with network tools, and the results are observed.
The experimental results show that under a single-host attack rate of 35,000 packets/s the system reaches an 85% detection rate, compared with the 10% of a traditional intrusion detection and prevention system [2]. At an attack rate of 70,000 packets/s the detection rate drops to 50%, but this is still clearly more efficient than the 5% of a traditional intrusion detection system. In the attack simulation experiments, two defense modes were built with the modular scripting language: Denial-of-Service (DoS) attack defense and port-scan defense. The measurements show that the system detects the attack within one second of its start and takes follow-up action, such as blocking all packets from the attacker.
Software-Defined Networking (SDN) allows users to control switches through the control plane, and provides more flexibility and programmability than a traditional network architecture. On the other hand, developing applications on SDN is more difficult than on traditional network architectures, and application management in SDN is not convenient. Following the concept of modular development proposed by FRESCO [1], we developed a network security service development platform built around modular development. We also refer to the design principles proposed by Xing et al. [2] to implement the security service development platform.
The concept of modular development allows users to implement security functions by composing modules, so that the functions can easily be adapted to any specific network environment. To implement modular development, users write scripts that connect different modules; a script compiler then compiles each script into Python code that provides the security service. To evaluate performance, we realized several scenarios and measured the detection rate of abnormal packets. Scripts to defend against two types of network attacks were developed and used in the experiments.
The results of the experiments show that when a single attacker launches an attack at 35,000 pkt/s, our platform achieves a detection rate of 85%, whereas a traditional intrusion detection system achieves 10%. When the attack rate rises to 70,000 pkt/s, our platform achieves a detection rate of 50%, which is still better than the roughly 5% of a traditional intrusion detection system. In the network attack experiment, we launched two types of network attacks: a Denial-of-Service attack and a port-scan attack. The results show that the scripts are able to detect the attacks within one second and execute follow-up actions such as blocking the attacker.
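As an added illustration of the two defense modes described in the abstract (this is not code from the thesis; its script compiler and controller-side modules are not reproduced here), the following Python sketch composes a DoS rate module and a port-scan module from a hypothetical two-line script and runs them over constructed packet records, blocking a source as soon as a module flags it. The script syntax, module names, thresholds and sample traffic are all assumptions.

```python
from collections import defaultdict
# Constructed sample traffic: (timestamp in seconds, source IP, destination port).
# 10.0.0.2 floods one port, 10.0.0.3 probes many ports, 10.0.0.4 is benign.
SAMPLE_PACKETS = (
    [(0.1 + i * 0.01, "10.0.0.2", 80) for i in range(12)]
    + [(0.5 + i * 0.05, "10.0.0.3", 20 + i) for i in range(6)]
    + [(0.2, "10.0.0.4", 443), (0.9, "10.0.0.4", 443)]
)

class DosRateModule:
    """Flag a source that sends more than `threshold` packets within one second."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.seen = defaultdict(list)  # src -> timestamps inside the 1 s window
    def inspect(self, ts, src, dport):
        window = [t for t in self.seen[src] if ts - t < 1.0] + [ts]
        self.seen[src] = window
        return len(window) > self.threshold

class PortScanModule:
    """Flag a source that touches more than `threshold` distinct ports within one second."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.seen = defaultdict(list)  # src -> (timestamp, port) inside the 1 s window
    def inspect(self, ts, src, dport):
        window = [(t, p) for t, p in self.seen[src] if ts - t < 1.0] + [(ts, dport)]
        self.seen[src] = window
        return len({p for _, p in window}) > self.threshold

# Hypothetical script keyword -> module class (assumed names, not the thesis's own).
MODULES = {"dos_rate": DosRateModule, "port_scan": PortScanModule}

def compile_script(script):
    """Turn a script with one 'module threshold' line per module into an ordered chain."""
    chain = []
    for line in script.strip().splitlines():
        name, threshold = line.split()
        chain.append((name, MODULES[name](int(threshold))))
    return chain

def run_service(script, packets):
    """Feed packets through the chain in time order; return {src: (module, detect_ts)}."""
    chain, blocked = compile_script(script), {}
    for ts, src, dport in sorted(packets):
        if src in blocked:
            continue  # a blocked source has all further packets dropped
        for name, module in chain:
            if module.inspect(ts, src, dport):
                blocked[src] = (name, ts)
                break
    return blocked
```

With the script `dos_rate 10` followed by `port_scan 4`, the flooding host is blocked by the rate module and the probing host by the port-scan module, each within one second of its first packet, while the benign host is untouched.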
[1] S. Shin, P. Porras, V. Yegneswaran, M. Fong, G. Gu, and M. Tyson, “FRESCO: Modular Composable Security Services for Software-Defined Networks,” in ISOC Network and Distributed System Security Symposium (NDSS), Feb. 2013.
[2] T. Xing, Z. Xiong, and D. Huang, “SDNIPS: Enabling Software-Defined Networking based intrusion prevention system in clouds,” in 10th International Conference on Network and Service Management (CNSM) and Workshop, pp. 308–311, Nov. 2014.
[3] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, “OpenFlow: enabling innovation in campus networks,” ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.
[4] “SNORT.” https://www.snort.org/.
[5] R. U. Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID. Prentice Hall Professional, 2003.
[6] “OpenFlow Switch Specification Version 1.3.1.” https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflowspec-v1.3.1.pdf, Sept. 2012.
[7] C. Ching-Hao and D. Y.-D. Lin, “OpenFlow Version Roadmap.” http://speed.cis.nctu.edu.tw/~ydlin/miscpub/indep_frank.pdf, Sept. 2015.
[8] “2016 SDN Controller Landscape: Is there a Winner?” https://events.linuxfoundation.org/sites/events/files/slides/3%20%202016%20ONS%20ONF%20Mkt%20Opp%20Controller%20Landscape%20RChua%20Mar%2014%202016.pdf, 2016.
[9] “Ryu SDN Framework.” https://osrg.github.io/ryu/.
[10] “The OpenDaylight Platform | OpenDaylight.” https://www.opendaylight.org/.
[11] “ONOS: A new carrier-grade SDN network operating system designed for high availability, performance, scale-out.” http://onosproject.org/.
[12] “RYU SDN Framework: Ryubook 1.0 documentation.” https://osrg.github.io/ryu-book/en/html/.
[13] “ryu/ryu/app at master, osrg/ryu, GitHub.” https://github.com/osrg/ryu/tree/master/ryu/app.
[14] “Open vSwitch.” http://openvswitch.org/.
[15] “GitHub - openvswitch/ovs: Open vSwitch.” https://github.com/openvswitch/ovs.
[16] “Intrusion detection system.” https://en.wikipedia.org/wiki/Intrusion_detection_system.
[17] “OpenFlowSec.org.” http://www.openflowsec.org/.
[18] “Denial-of-service attack - Wikipedia.” https://en.wikipedia.org/wiki/Denial-of-service_attack.
[19] “Snort Integration - Ryu 4.14 documentation.” http://ryu.readthedocs.io/en/latest/snort_integrate.html.
[20] “Scapy v2.1.1-dev documentation.” http://www.secdev.org/projects/scapy/doc/usage.html.
[21] “Low-level networking interface - Python 2.7.13 documentation.” https://docs.python.org/2/library/socket.html.
[22] “GitHub - CoreSecurity/pcapy: Pcapy is a Python extension module that interfaces with the libpcap packet capture library.” https://github.com/CoreSecurity/pcapy.
[23] “Programming with pcap.” http://www.tcpdump.org/pcap.html.
[24] “Berkeley sockets - Wikipedia.” https://en.wikipedia.org/wiki/Berkeley_sockets.
[25] “GitHub - westes/flex: The Fast Lexical Analyzer.” https://github.com/westes/flex.
[26] “GNU bison - Wikipedia.” https://en.wikipedia.org/wiki/GNU_bison.
[27] “Hping - Active Network Security Tool.” http://www.hping.org/.
[28] “Denial-of-service attack - Wikipedia.” https://en.wikipedia.org/wiki/Denial-of-service_attack.
[29] “Port scanner - Wikipedia.” https://en.wikipedia.org/wiki/Port_scanner.
[30] “List of TCP and UDP port numbers - Wikipedia.” https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.
[31] “Advanced Port Scanner – free and fast port scanner.” http://www.advanced-port-scanner.com/.
[32] “Free Port Scanner 3.4.6 Download - TechSpot.” http://www.techspot.com/downloads/6478-free-port-scanner.html.
[33] “GitHub - mrash/psad: psad: Intrusion Detection and Log Analysis with iptables.” https://github.com/mrash/psad.