
Author: 洪浩鈞 (Hao-Chun Hung)
Title: 軟體定義網路架構下的模組化網路安全服務實作
Implementation of a Modular Network Security Services for Software Defined Networks
Advisor: 鄧惟中 (Wei-Chung Teng)
Committee: 林宗男 (Tsung-nan Lin), 雷欽隆 (Chin-Laung Lei), 沈上翔 (Shan-Hsiang Shen)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2018
Academic year of graduation: 106 (ROC calendar)
Language: Chinese
Pages: 55
Keywords (Chinese): Software-Defined Networking, Intrusion Detection and Prevention System, Modular Development
Keywords (English): Software-Defined Networking, Intrusion Prevention System, Modularize
Abstract (translated from Chinese):

The Software-Defined Networking (SDN) architecture lets switches be controlled through the control plane, and is therefore far more flexible and convenient than the traditional network architecture. On the other hand, developing applications on SDN is considerably harder, and there is no management mechanism for those applications. Drawing on the modular development concept of FRESCO [1], this study proposes a security-service development platform built around modular development, and implements that platform with reference to the design points given by Xing et al. [2].

Modular development lets a user combine different modules according to different network requirements. To realize it, the system chains modules with different functions by means of scripts; a purpose-built script compiler compiles a script into a security-service application that runs in Python. In the experiments, the system's operating efficiency is measured by packet detection rate, and two attack patterns are simulated: the corresponding defense scripts are written, real attacks are launched with network tools, and the results are observed.

The results show that, under a single attacker sending 35,000 packets/s, the system reaches an 85% detection rate, compared with 10% for a traditional intrusion detection and prevention system [2]. At 70,000 packets/s the detection rate falls to 50%, but the system is still clearly more effective than the traditional IDS at 5%. In the attack-simulation experiments, the two defense modes built with the modular scripting language, Denial-of-Service (DoS) defense and port-scan defense, detect the attack within one second of its start and take follow-up action, such as blocking all packets from the attacker.


Abstract (English):

Software-Defined Networking (SDN) allows the user to control switches through the control plane, and provides more flexibility and programmability than the traditional network architecture. On the other hand, developing applications on SDN is more difficult than on traditional network architectures, and application management in SDN is not convenient. Following the concept of modular development proposed by FRESCO [1], we developed a network security service development platform based on modular development. We also refer to the design principles proposed by Xing et al. [2] to implement the security service development platform.

The concept of modular development allows the user to implement security functions by composing modules, so that the functions can easily be adapted to any specific network environment. The modular notation is implemented as a script that connects different modules; a script compiler then compiles the script into a security service application in Python code, which provides the security services. To evaluate performance, we realized a few scenarios and measured the detection rate of abnormal packets. Scripts defending against two types of network attack were developed and used in the experiments.

The results show that when a single attacker launches an attack at 35,000 pkt/s, our platform achieves an 85% detection rate, whereas a traditional intrusion detection system achieves 10%. When the attack rate rises to 70,000 pkt/s, our platform achieves a 50% detection rate, which is better than the roughly 5% of a traditional intrusion detection system. In the network attack experiment, we launched two types of attack: a Denial-of-Service attack and a port-scan attack. The results show that the scripts are able to detect the attacks within one second and carry out the follow-up process, such as blocking the attacker.
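As an added illustration of the behaviour both abstracts describe (detect a DoS flood or a port scan within a one-second window, then block all traffic from the attacker at the switch), the following Python is not the thesis's code and not a compiled defense script from its platform. The packet-event tuple, the two thresholds, the constructed traffic, and the shape of the drop flow entry (modelled on the JSON body that Ryu's ofctl_rest app accepts on POST /stats/flowentry/add) are all assumptions made here.

```python
"""Sliding-window DoS / port-scan detector that emits an SDN block action.

Added example, not code from the thesis. The event tuple
(ts, src_ip, dst_ip, dst_port), the thresholds and the flow-entry JSON
shape are assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0         # assumed detection window (abstract reports <1 s detection)
DOS_PKTS_PER_WINDOW = 1000   # assumed flood threshold: packets from one source per window
SCAN_PORTS_PER_WINDOW = 20   # assumed scan threshold: distinct dst ports per source per window


def drop_flow_entry(src_ip, dpid=1, priority=100):
    """Build a flow entry that drops all IPv4 traffic from src_ip.

    The dict mirrors the body Ryu's ofctl_rest app takes on
    POST /stats/flowentry/add (assumption: field names as that app uses).
    An empty action list makes the switch drop matching packets.
    """
    return {
        "dpid": dpid,
        "priority": priority,
        "match": {"eth_type": 0x0800, "ipv4_src": str(ipaddress.ip_address(src_ip))},
        "actions": [],
    }


class Detector:
    """Keeps a per-source packet history inside a sliding time window."""

    def __init__(self, window=WINDOW_SECONDS, dos_pkts=DOS_PKTS_PER_WINDOW,
                 scan_ports=SCAN_PORTS_PER_WINDOW):
        self.window = window
        self.dos_pkts = dos_pkts
        self.scan_ports = scan_ports
        self.history = defaultdict(deque)   # src_ip -> deque of (ts, dst_port)
        self.blocked = set()

    def observe(self, ts, src_ip, dst_ip, dst_port):
        """Feed one packet event; return a block action dict, or None."""
        if src_ip in self.blocked:
            return None                     # the switch already drops this source
        hist = self.history[src_ip]
        hist.append((ts, dst_port))
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()                  # expire events older than the window
        reason = None
        if len(hist) >= self.dos_pkts:
            reason = "dos"
        elif len({port for _, port in hist}) >= self.scan_ports:
            reason = "port-scan"
        if reason is None:
            return None
        self.blocked.add(src_ip)
        first_seen = hist[0][0]
        return {"src": src_ip, "reason": reason, "detected_at": ts,
                "latency": ts - first_seen, "flow_entry": drop_flow_entry(src_ip)}


def synthetic_events():
    """Constructed traffic: one port scan, one flood, and a benign client."""
    events = []
    for i in range(25):                     # scanner: one packet per port, 10 ms apart
        events.append((0.01 * i, "10.0.0.9", "10.0.0.1", 1 + i))
    for i in range(1200):                   # flooder: 1200 packets in ~0.48 s to port 80
        events.append((0.5 + 0.0004 * i, "10.0.0.7", "10.0.0.1", 80))
    for i in range(30):                     # benign client: 30 packets to port 443 over 2 s
        events.append((0.07 * i, "10.0.0.5", "10.0.0.1", 443))
    events.sort(key=lambda e: e[0])
    return events


def run(events, detector=None):
    """Replay events through the detector and collect the block actions."""
    detector = detector or Detector()
    actions = []
    for ev in events:
        action = detector.observe(*ev)
        if action is not None:
            actions.append(action)
    return actions


if __name__ == "__main__":
    for action in run(synthetic_events()):
        print(action["src"], action["reason"], "after %.3f s" % action["latency"])
```

On the constructed traffic the scanner is blocked after its 20th distinct port (0.19 s after its first packet) and the flooder after its 1000th packet (about 0.40 s), while the benign client is never touched. The `flow_entry` in each action is what a controller-side component would push to the switch; the thresholds are where a real deployment would need tuning against the packet rates reported in the abstract.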

Contents:
    Abstract (Chinese) I
    Abstract II
    Acknowledgements III
    Contents IV
    List of Figures VII
    List of Tables IX
    1 Introduction 1
    1.1 Background 1
    1.2 Motivation and Objectives 2
    1.3 Contributions 3
    1.4 Thesis Organization 4
    2 Background and Related Work 5
    2.1 The OpenFlow Protocol 5
    2.1.1 Controller 6
    2.1.2 Flow Table 7
    2.2 Open vSwitch 8
    2.3 Intrusion Detection and Prevention Systems 9
    2.4 SDNIPS: Enabling Software-Defined Networking Based Intrusion Prevention System in Clouds 11
    2.5 FRESCO: Modular Composable Security Services for Software-Defined Networks 13
    3 Methodology 17
    3.1 System Architecture Overview 17
    3.2 System Architecture Design Concepts 18
    3.3 System Workflow 19
    3.4 Controller 21
    3.4.1 Enabling Port Mirroring on Open vSwitch 22
    3.4.2 Modifying the Flow Table through the RESTful API 23
    3.5 Packet Center Functions 24
    3.5.1 Parsing Packets and Extracting Events 25
    3.5.2 Event Socket 25
    3.5.3 Instance Management 26
    3.5.4 Alert Notification Center 26
    3.6 The Modular Scripting Language 27
    3.6.1 Modularizing Defense Functions 27
    3.6.2 Scripting Language Variables 28
    3.6.3 Script Module Design 28
    3.6.4 Scripting Language Compiler 29
    4 Experimental Results and Analysis 31
    4.1 Experimental Environment 31
    4.2 Experimental Design 33
    4.2.1 Experiment 1: Intrusion Detection Rate 33
    4.2.2 Experiment 2: DoS Defense Instance 34
    4.2.3 Experiment 3: Port-Scan Defense Instance 37
    5 Conclusion 41
    References 42
    Authorization 45

References:
    [1] S. Shin, P. Porras, V. Yegneswaran, M. Fong, G. Gu, and M. Tyson, "FRESCO: Modular Composable Security Services for Software-Defined Networks," in ISOC Network and Distributed System Security Symposium (NDSS), Feb. 2013.
    [2] T. Xing, Z. Xiong, and D. Huang, "SDNIPS: Enabling Software-Defined Networking based intrusion prevention system in clouds," in 10th International Conference on Network and Service Management (CNSM) and Workshop, pp. 308–311, Nov. 2014.
    [3] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.
    [4] "SNORT." https://www.snort.org/.
    [5] R. U. Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID. Prentice Hall Professional, 2003.
    [6] "OpenFlow Switch Specification Version 1.3.1." https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.3.1.pdf, Sept. 2012.
    [7] C. Ching-Hao and Y.-D. Lin, "OpenFlow Version Roadmap." http://speed.cis.nctu.edu.tw/~ydlin/miscpub/indep_frank.pdf, Sept. 2015.
    [8] "2016 SDN Controller Landscape: Is there a Winner?" https://events.linuxfoundation.org/sites/events/files/slides/3%20%202016%20ONS%20ONF%20Mkt%20Opp%20Controller%20Landscape%20RChua%20Mar%2014%202016.pdf, 2016.
    [9] "Ryu SDN Framework." https://osrg.github.io/ryu/.
    [10] "The OpenDaylight Platform | OpenDaylight." https://www.opendaylight.org/.
    [11] "ONOS: A new carrier-grade SDN network operating system designed for high availability, performance, scale-out." http://onosproject.org/.
    [12] "RYU SDN Framework: Ryubook 1.0 documentation." https://osrg.github.io/ryu-book/en/html/.
    [13] "ryu/ryu/app at master · osrg/ryu · GitHub." https://github.com/osrg/ryu/tree/master/ryu/app.
    [14] "Open vSwitch." http://openvswitch.org/.
    [15] "GitHub - openvswitch/ovs: Open vSwitch." https://github.com/openvswitch/ovs.
    [16] "Intrusion detection system." https://en.wikipedia.org/wiki/Intrusion_detection_system.
    [17] "OpenFlowSec.org." http://www.openflowsec.org/.
    [18] "Denial-of-service attack - Wikipedia." https://en.wikipedia.org/wiki/Denial-of-service_attack.
    [19] "Snort Integration - Ryu 4.14 documentation." http://ryu.readthedocs.io/en/latest/snort_integrate.html.
    [20] "Scapy v2.1.1-dev documentation." http://www.secdev.org/projects/scapy/doc/usage.html.
    [21] "Low-level networking interface - Python 2.7.13 documentation." https://docs.python.org/2/library/socket.html.
    [22] "GitHub - CoreSecurity/pcapy: Pcapy is a Python extension module that interfaces with the libpcap packet capture library." https://github.com/CoreSecurity/pcapy.
    [23] "Programming with pcap." http://www.tcpdump.org/pcap.html.
    [24] "Berkeley sockets - Wikipedia." https://en.wikipedia.org/wiki/Berkeley_sockets.
    [25] "GitHub - westes/flex: The Fast Lexical Analyzer." https://github.com/westes/flex.
    [26] "GNU bison - Wikipedia." https://en.wikipedia.org/wiki/GNU_bison.
    [27] "Hping - Active Network Security Tool." http://www.hping.org/.
    [28] "Denial-of-service attack - Wikipedia." https://en.wikipedia.org/wiki/Denial-of-service_attack.
    [29] "Port scanner - Wikipedia." https://en.wikipedia.org/wiki/Port_scanner.
    [30] "List of TCP and UDP port numbers - Wikipedia." https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.
    [31] "Advanced Port Scanner – free and fast port scanner." http://www.advanced-port-scanner.com/.
    [32] "Free Port Scanner 3.4.6 Download - TechSpot." http://www.techspot.com/downloads/6478-free-port-scanner.html.
    [33] "GitHub - mrash/psad: Intrusion Detection and Log Analysis with iptables." https://github.com/mrash/psad.
