软件定义网络中流规则安全性研究进展

doi:10.19665/j.issn1001-2400.20230904

摘要/Abstract

摘要：

随着网络功能的日益多元化,具有集中控制与可编程性的软件定义网络(SDN)架构已在众多领域被广泛应用。然而,SDN特有的层次结构与运行机制也引入了新的安全挑战,其中,流规则作为控制平面管理决策的载体和数据平面网络行为的依据,已成为SDN网络攻防的重点。针对SDN中流规则的安全性问题,首先分析了SDN架构的特点及安全隐患。再基于SDN中的流规则机制,将针对流规则的攻击分为干扰控制平面决策和破坏数据平面执行两类,并介绍了攻击实例。对于提升流规则安全性的研究,分别从检验与增强两个方面展开分析,总结了现有的实现机制并简要分析了其存在的局限性。其中,分析探讨了基于建模检测和基于数据包探测的两种主流的检验方案,介绍讨论了基于权限控制、基于冲突解决和基于路径验证的3种具体的流规则增强思路。最后,展望了流规则安全性未来的发展方向。

关键词: 软件定义网络, 流规则, 网络安全, 网络验证, 网络测试

Abstract:

With the increasing diversification of network functions,the software-defined networking(SDN) architecture,which provides centralized network control and programmability,has been deployed in various fields.However,the unique hierarchical structure and operation mechanism of SDN also introduce new security challenges,among which as the carrier of control plane management decisions and the basis of data plane network behavior,flow rules have become the focus of SDN attack and defense.Aiming at the security issues of flow rules in SDN,this paper first reviews the characteristics and security risks of the SDN architecture.Based on the mechanism of flow rules in SDN,the attacks against flow rules are systematically divided into two categories,namely,interference of control plane decision and violation in data plane implementation,with the attack examples introduced.Then,the methods for improving the security of flow rules are analyzed and classified into two categories,i.e.,checking and enhancing the security of flow rules.Furthermore,existing implementation mechanisms are summarized with their limitations briefly analyzed.In terms of flow rule security checking,two mainstream methods,i.e.,model-based checking and test-packet-based checking,are analyzed and discussed.In terms of flow rule security enhancement,three specific ideas based on permission control,conflict resolution and path verification are introduced and discussed.Finally,the future research trends of flow rule security are prospected.

Key words: software-defined networking, flow rule, network security, network verification, network testing

中图分类号:

TP309

熊婉寅, 毛剑, 刘子雯, 刘文懋, 刘建伟. 软件定义网络中流规则安全性研究进展[J]. 西安电子科技大学学报, 2023, 50(6): 172-194.

XIONG Wanyin, MAO Jian, LIU Ziwen, LIU Wenmao, LIU Jianwei. Advances in security analysis of software-defined networking flow rules[J]. Journal of Xidian University, 2023, 50(6): 172-194.

图/表 18

图1

图2

表1

表2

图3

图4

图5

图6

图7

图8

图9

表3

表4

图10

表5

表6

图11

表7

参考文献 85

[1]	GREENBERG A, HJALMTYSSON G, MALTZ D A, et al. A Clean Slate 4d Approach to Network Control and Management[J]. ACM SIGCOMM Computer Communication Review, 2005, 35(5):41-54. doi: 10.1145/1096536.1096541
[2]	CASADO M, GARFINKEL T, AKELLA A, et al. Sane:A Protection Architecture for Enterprise Networks[C]// Proceedings of the 15th conference on USENIX Security Symposium.Berkeley:USENIX, 2006:137-151.
[3]	CASADO M, FREEDMAN M J, PETTIT J, et al. Ethane:Taking Control of the Enterprise[J]. ACM SIGCOMMComputer Communication Review, 2007, 37(4):1-12.
[4]	JAIN S, KUMAR A, MANDAL S, et al. B4:Experience with a Globally-Deployed Software Defined Wan[J]. ACM SIGCOMM Computer Communication Review, 2013, 43(4):3-14.
[5]	PATEL P, BANSAL D, YUAN L, et al. Ananta:Cloud Scale Load Balancing[J]. ACM SIGCOMM Computer Communication Review, 2013, 43(4):207-218. doi: 10.1145/2534169.2486026
[6]	NATARAJAN S, RAMAIAH A, MATHEN M. A Software Defined Cloud-Gateway Automation System Using Openflow[C]// Proceedings of the 2013 IEEE 2nd International Conference on Cloud Networking(CloudNet).Piscataway:IEEE, 2013:219-226.
[7]	LI Y, CHEN M. Software-Defined Network Function Virtualization:A Survey[J]. IEEE Access, 2015, 3:2542-2553. doi: 10.1109/ACCESS.2015.2499271
[8]	JAIN R, PAUL S. Network Virtualization and Software Defined Networking for Cloud Computing:A Survey[J]. IEEE Communications Magazine, 2013, 51(11):24-31.
[9]	BIZANIS N, KUIPERS F A. Sdn and Virtualization Solutions for the Internet of Things:A Survey[J]. IEEE Access, 2016, 4:5591-5606. doi: 10.1109/ACCESS.2016.2607786
[10]	陈金涛, 梁俊, 郭子桢, 等. 软件定义卫星网络多控制器部署策略[J]. 西安电子科技大学学报, 2022, 49(3):59-67.
	CHEN Jintao, LIANG Jun, GUO Zizhen, et al. Research on Deployment Strategy of Multiple Controllers in the Software-Defined Satellite Network[J]. Journal of Xidian University, 2022, 49(3):59-67.
[11]	GREENE K. Tr10:Software-Defined Networking[R]. Technology Review(MIT).Massachusetts:MIT, 2009.
[12]	UJCICH B E, JERO S, SKOWYRA R, et al. Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking[C]// Proceedings of the 2020 Network and Distributed System Security Symposium(NDSS).Alexandria:NSF, 2020:1-18.
[13]	UJCICH B E, JERO S, EDMUNDSON A, et al. Cross-App Poisoning in Software-Defined Networking[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security(CCS18). New York: ACM, 2018:648-663.
[14]	CANINI M, VENZANO D, PEREŠÍNI P, et al. A Nice Way to Test Openflow Applications[C]// Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation(NSDI 12). Berkeley: USENIX Association, 2012:127-140.
[15]	WEN X, YANG B, CHEN Y, et al. Sdnshield:Reconciliating Configurable Application Permissions for Sdn App Markets[C]// Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN2016).Piscataway:IEEE, 2016:121-132.
[16]	PORRAS P, SHIN S, YEGNESWARAN V, et al. A Security Enforcement Kernel for Openflow Networks[C]// Proceedings of theFirst Workshop on Hot Topics In Software Defined Networks. New York: ACM, 2012:121-126.
[17]	LEE S, YOON C, SHIN S. The Smaller,the Shrewder:A Simple Malicious Application Can Kill an Entire Sdn Environment[C]// Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. New York: ACM, 2016:23-28.
[18]	ZENG H, KAZEMIAN P, VARGHESE G, et al. Automatic Test Packet Generation[C]// Proceedings of the 8th International Conference on Emerging Networking Experiments and Technologies. New York: ACM, 2012:241-252.
[19]	AHMAD I, NAMAL S, YLIANTTILA M, et al. Security in Software Defined Networks:A Survey[J]. IEEE Communications Surveys & Tutorials, 2015, 17(4):2317-2346.
[20]	KUŹNIAR M, PEREŠÍNI P, KOSTIĆ D. What You Need to Know About Sdn Flow Tables[C]// Proceedings of the 16th International Conference on Passive and Active Network Measurement.Heidelberg:Springer, 2015:347-359.
[21]	MISEREZ J, BIELIK P, EL-HASSANY A, et al. Sdnracer:Detecting Concurrency Violations in Software-Defined Networks[C]// Proceedings of the 1st ACM SIGCOMM Symposium on Software Defined Networking Research. New York: ACM, 2015:1-7.
[22]	PEREŠÍNI P, KUŹNIAR M, KOSTIĆ D. Monocle:Dynamic,Fine-Grained Data Plane Monitoring[C]// Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies. New York: ACM, 2015:1-13.
[23]	SCOTT-HAYWARD S, NATARAJAN S, SEZER S. A Survey of Security in Software Defined Networks[J]. IEEE Communications Surveys & Tutorials, 2015, 18(1):623-654.
[24]	BU K, WEN X, YANG B, et al. Is Every Flow on the Right Track?:Inspect Sdn Forwarding with Rulescope[C]// Proceedings of the IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications.Piscataway:IEEE, 2016:1-9.
[25]	ZHANG P, LI H, HU C, et al. Mind the Gap:Monitoring the Control-Data Plane Consistency in Software Defined Networks[C]// Proceedings of the 12th International on Conference on Emerging Networking EXperiments and Technologies. New York: ACM, 2016:19-33.
[26]	MCKEOWN N, ANDERSON T, BALAKRISHNAN H, et al. Openflow:Enabling Innovation in Campus Networks[J]. ACM SIGCOMM Computer Communication Review, 2008, 38(2):69-74.
[27]	FUNDATION O N. Software-Defined Networking:The New Norm for Networks[J]. ONF White Paper, 2012, 2(2-6):11.
[28]	GUDE N, KOPONEN T, PETTIT J, et al. Nox:Towards an Operating System for Networks[J]. ACM SIGCOMM computer communication review, 2008, 38(3):105-110. doi: 10.1145/1384609.1384625
[29]	MEDVED J, VARGA R, TKACIK A, et al. Opendaylight:Towards a Model-Driven Sdn Controller Architecture[C]// Proceeding of the IEEE International Symposium on a World of Wireless,Mobile and Multimedia Networks 2014.Piscataway:IEEE, 2014:1-6.
[30]	ERICKSON D. The Beacon Openflow Controller[C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2013:13-18.
[31]	BERDE P, GEROLA M, HART J, et al. Onos:Towards an Open,Distributed Sdn Os[C]// Proceedings of the Third Workshop on Hot Topics in Software defined Networking. New York: ACM, 2014:1-6.
[32]	李可欣, 王兴伟, 易波, 等. 智能软件定义网络[J]. 软件学报, 2021, 32(1):118-136.
	LI Kexin, WANG Xingwei, YI Bo, et al. Survey of Intelligent Software Defined Networking[J]. Journal of Software, 2021, 32(1):118-136.
[33]	杨洋, 吕光宏, 赵会, 等. 深度学习在软件定义网络研究中的应用综述[J]. 软件学报, 2020, 31(7):2184-2204.
	YANG Yang, LV Guanghong, ZHAO Hui, et al. Survey on Deep Learning Applications in Software Defined Networking Research[J]. Journal of Software, 2020, 31(7):2184-2204.
[34]	HALEPLIDIS E, SALIM J H, HALPERN J M, et al. Network Programmability with Forces[J]. IEEE Communications Surveys & Tutorials, 2015, 17(3):1423-1440.
[35]	BOSSHART P, DALY D, GIBB G, et al. P4:Programming Protocol-Independent Packet Processors[J]. ACM SIGCOMM Computer Communication Review, 2014, 44(3):87-95.
[36]	于洋, 王之梁, 毕军, 等. 软件定义网络中北向接口语言综述[J]. 软件学报, 2016, 27(04):993-1008.
	YU Yang, WANG Zhiliang, BI Jun, et al. Survey on the Languages in the Northbound Interface of Software Defined Networking[J]. Journal of Software, 2016, 27(4):993-1008.
[37]	王蒙蒙, 刘建伟, 陈杰, 等. 软件定义网络:安全模型,机制及研究进展[J]. 软件学报, 2016, 27(4):969-992.
	WANG Mengmeng, LIU Jianwei, CHEN Jie, et al. Software Defined Networking:Security Model,Threats and Mechanism[J]. Journal of Software, 2016, 27(4):969-992.
[38]	SCOTT-HAYWARD S, O'CALLAGHAN G, SEZER S. Sdn Security:A Survey[C]// Proceedings of the 2013 IEEE SDN For Future Networks and Services(SDN4FNS).Piscataway:IEEE, 2013:1-7.
[39]	KREUTZ D, RAMOS F M, VERISSIMO P. Towards Secure and Dependable Software-Defined Networks[C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot topics in Software Defined Networking. New York: ACM, 2013:55-60.
[40]	YOON C, LEE S, KANG H, et al. Flow Wars:Systemizing the Attack Surface and Defenses in Software-Defined Networks[J]. IEEE/ACM Transactions on Networking, 2017, 25(6):3514-3530. doi: 10.1109/TNET.2017.2748159
[41]	SHIN S, GU G. Attacking Software-Defined Networks:A First Feasibility Study[C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2013:165-166.
[42]	AZZOUNI A, BRAHAM O, NGUYEN T M T, et al. Fingerprinting Openflow Controllers:The First Step to Attack a Sdn Control Plane[C]// Proceedings of the 2016 IEEE Global Communications Conference(GLOBECOM).Piscataway:IEEE, 2016:1-6.
[43]	CAO J, YANG Z, SUN K, et al. Fingerprinting Sdn Applications Via Encrypted Control Traffic[C]// Proceedings of the 22nd International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2019).Berkeley:USENIX, 2019:501-515.
[44]	HANMER R, LIU S, JAGADEESAN L, et al. Death by Babble:Security and Fault Tolerance of Distributed Consensus in High-Availability Softwarized Networks[C]// Proceedings of the 2019 IEEE Conference on Network Softwarization(NetSoft).Piscataway:IEEE, 2019:266-270.
[45]	ZHANG M, LI G, XU L, et al. Control Plane Reflection Attacks in Sdns:New Attacks and Countermeasures[C]// Proceedings of the 21st International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2018).Heidelberg:Springer, 2018:161-183.
[46]	ALHARBI T, PORTMANN M, PAKZAD F.The(in) Security of Topology Discovery in Software Defined Networks[C]//Proceedings of the 2015 IEEE 40th Conference on Local Computer Networks(LCN 2015).Piscataway:IEEE, 2015:502-505.
[47]	SHIN S, YEGNESWARAN V, PORRAS P, et al. Avant-Guard:Scalable and Vigilant Switch Flow Management in Software-Defined Networks[C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security(CCS13). New York: ACM, 2013:413-424.
[48]	AMBROSIN M, CONTI M, DE GASPARI F, et al. Lineswitch:Tackling Control Plane Saturation Attacks in Software-Defined Networking[J]. IEEE/ACM Transactions on Networking, 2016, 25(2):1206-1219. doi: 10.1109/TNET.2016.2626287
[49]	RÖPKE C, HOLZ T. Sdn Rootkits:Subverting Network Operating Systems of Software-Defined Networks[C]// Proceedings of the 18th International Symposium on Research in Attacks,Intrusions and Defenses(RAID 2015).Heidelberg:Springer, 2015:339-356.
[50]	THIMMARAJU K, SHASTRY B, FIEBIG T, et al. Taking Control of Sdn-Based Cloud Systems Via the Data Plane[C]// Proceedings of the Symposium on SDN Research. New York: ACM, 2018:1-15.
[51]	HONG S, XU L, WANG H, et al. Poisoning Network Visibility in Software-Defined Networks:New Attacks and Countermeasures[C]// Proceedings of the 2015 Network and Distributed System Security Symposium(NDSS). San Diego: NDSS, 2015:8-11.
[52]	UJCICH B E, THAKORE U, SANDERS W H. Attain:An Attack Injection Framework for Software-Defined Networking[C]// Proceedings of the 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN2017).Piscataway:IEEE, 2017:567-578.
[53]	YU Y, LI X, LENG X, et al. Fault Management in Software-Defined Networking:A Survey[J]. IEEE Communications Surveys & Tutorials, 2018, 21(1):349-392.
[54]	DACIER M C, KÖNIG H, CWALINSKI R, et al. Security Challenges and Opportunities of Software-Defined Networking[J]. IEEE Security & Privacy, 2017, 15(2):96-100.
[55]	AL-SHAER E, AL-HAJ S. Flowchecker:Configuration Analysis and Verification of Federated Openflow Infrastructures[C]// Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration. New York: ACM, 2010:37-44.
[56]	MAI H, KHURSHID A, AGARWAL R, et al. Debugging the Data Plane with Anteater[J]. ACM SIGCOMM Computer Communication Review, 2011, 41(4):290-301. doi: 10.1145/2043164.2018470
[57]	KAZEMIAN P, VARGHESE G, MCKEOWN N. Header Space Analysis:Static Checking for Networks[C]// Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation(NSDI 12).Berkeley:USENIX, 2012:113-126.
[58]	KAZEMIAN P, CHANG M, ZENG H, et al. Real Time Network Policy Checking Using Header Space Analysis[C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation(NSDI 13).Berkeley:USENIX, 2013:99-111.
[59]	KHURSHID A, ZOU X, ZHOU W, et al. Veriflow:Verifying Network-Wide Invariants in Real Time[C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation(NSDI 13).Berkeley:USENIX, 2013:15-27.
[60]	SON S, SHIN S, YEGNESWARAN V, et al. Model Checking Invariant Security Properties in Openflow[C]// Proceedings of the 2013 IEEE International Conference on Communications(ICC).Piscataway:IEEE, 2013:1974-1979.
[61]	ZENG H, ZHANG S, YE F, et al. Libra:Divide and Conquer to Verify Forwarding Tables in Huge Networks[C]// Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation(NSDI 14).Berkeley:USENIX, 2014:87-99.
[62]	LOPES N P, BJØRNER N, GODEFROID P, et al. Checking Beliefs in Dynamic Networks[C]// Proceedings of the 12th USENIX Symposium on Networked Systems Design and Implementation(NSDI 15).Berkeley:USENIX, 2015:499-512.
[63]	YANG H, LAM S S. Real-Time Verification of Network Properties Using Atomic Predicates[J]. IEEE/ACM Transactions on Networking, 2015, 24(2):887-900. doi: 10.1109/TNET.2015.2398197
[64]	YANG H, LAM S S. Scalable Verification of Networks with Packet Transformers Using Atomic Predicates[J]. IEEE/ACM Transactions on Networking, 2017, 25(5):2900-2915. doi: 10.1109/TNET.2017.2720172
[65]	HORN A, KHERADMAND A, PRASAD M. Delta-Net:Real-Time Network Verification Using Atoms[C]// Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation(NSDI 17).Berkeley:USENIX, 2017:735-749.
[66]	ZHANG P, LIU X, YANG H, et al. Apkeep:Realtime Verification for Real Networks[C]// Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation(NSDI 20).Berkeley:USENIX, 2020:241-255.
[67]	HANDIGOL N, HELLER B, JEYAKUMAR V, et al. I Know What Your Packet Did Last Hop:Using Packet Histories to Troubleshoot Networks[C]// Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation(NSDI 14).Berkeley:USENIX, 2014:71-85.
[68]	AGARWAL K, ROZNER E, DIXON C, et al. Sdn Traceroute:Tracing Sdn Forwarding without Changing Network Behavior[C]// Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2014:145-150.
[69]	TAMMANA P, AGARWAL R, LEE M. Simplifying Datacenter Network Debugging with Pathdump[C]// Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation(OSDI 16).Berkeley:USENIX, 2016:233-248.
[70]	SHUKLA A, SAIDI S J, SCHMID S, et al. Toward Consistent Sdns:A Case for Network State Fuzzing[J]. IEEE Transactions on Network and Service Management, 2019, 17(2):668-681. doi: 10.1109/TNSM.4275028
[71]	ZHANG P, WU H, ZHANG D, et al. Verifying Rule Enforcement in Software Defined Networks with Rev[J]. IEEE/ACM Transactions on Networking, 2020, 28(2):917-929. doi: 10.1109/TNET.90
[72]	ZHANG P, ZHANG F, XU S, et al. Network-Wide Forwarding Anomaly Detection and Localization in Software Defined Networks[J]. IEEE/ACM Transactions on Networking, 2021, 29(1):332-345. doi: 10.1109/TNET.90
[73]	LI Y, YIN X, WANG Z, et al. A Survey on Network Verification and Testing with Formal Methods:Approaches and Challenges[J]. IEEE Communications Surveys & Tutorials, 2018, 21(1):940-969.
[74]	XIE G G, ZHAN J, MALTZ D A, et al. On Static Reachability Analysis of Ip Networks[C]// Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies(INFOCOM).Piscataway:IEEE, 2005:2170-2183.
[75]	LI Q, LIU Y, LIU Z, et al. Efficient Forwarding Anomaly Detection in Software-Defined Networks[J]. IEEE Transactions on Parallel and Distributed Systems, 2021, 32(11):2676-2690. doi: 10.1109/TPDS.2021.3068135
[76]	SHIN S W, PORRAS P, YEGNESWARA V, et al. FRESCO:Modular Composable Security Services for Software-Defined Networks[C]// Proceedings of the 20th Annual Network & Distributed System Security Symposium(NDSS). San Diego: NDSS, 2013:1-16.
[77]	PORRAS P A, CHEUNG S, FONG M W, et al. Securing the Software Defined Network Control Layer[C]// Proceedings of the 2015 Network and Distributed System Security Symposium(NDSS). San Diego: NDSS, 2015:1-15.
[78]	WANG M, LIU J, CHEN J, et al. Perm-Guard:Authenticating the Validity of Flow Rules in Software Defined Networking[J]. Journal of Signal Processing Systems, 2017, 86(2-3):157-173. doi: 10.1007/s11265-016-1115-8
[79]	HU H, HAN W, AHN G-J, et al. FLOWGUARD:Building Robust Firewalls for Software-Defined Networks[C]// Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. New York: ACM, 2014:97-102.
[80]	王鹃, 王江, 焦虹阳, 等. 一种基于OpenFlow的SDN访问控制策略实时冲突检测与解决方法[J]. 计算机学报, 2015, 38(4):872-883.
	WANG Juan, WANG Jiang, JIAO Hongyang, et al. A Method of Openflow-Based Real-Time Conflict Detection and Resolution for SDN Access Control Policies[J]. Chinese Journal of Computers, 2015, 38(4):872-883.
[81]	SASAKI T, PAPPAS C, LEE T, et al. SDNsec:Forwarding Accountability for the Sdn Data Plane[C]// Proceedings of the 2016 25th International Conference on Computer Communication and Networks(ICCCN).Piscataway:IEEE, 2016:1-10.
[82]	LI Q, LIU Y, LIU Z, et al. Efficient Forwarding Anomaly Detection in Software-Defined Networks[J]. IEEE Transactions on Parallel and Distributed Systems, 2021, 32(11):2676-2690. doi: 10.1109/TPDS.2021.3068135
[83]	XI S, BU K, MAO W, et al. RuleOut Forwarding Anomalies for SDN[J]. IEEE/ACM Transactions on Networking, 2023, 31(1):395-407. doi: 10.1109/TNET.2022.3194970
[84]	左青云, 陈鸣, 王秀磊, 等. 一种基于SDN的在线流量异常检测方法[J]. 西安电子科技大学学报, 2015, 42(1):155-160.
	ZUO Qingyun, CHEN Ming, WANG Xiulei, et al. Online Traffic Anomaly Detection Method for SDN[J]. Journal of Xidian University, 2015, 42(1):155-160.
[85]	刘益岑, 陈兴凯, 卢昱, 等. 一种软件定义网络的安全服务路径优化构建机制[J]. 西安电子科技大学学报, 2019, 46(1):158-165.
	LIU Yicen, CHEN Xingkai, LU Yu, et al. SDN-Based Optimal Security Service Path Construction Mechanism[J]. Journal of Xidian University, 2019, 46(1):158-165.

SDN架构层级	主要安全问题
应用层	恶意应用程序、应用程序篡改、未授权访问、身份假冒
北向API	虚假规则注入、未授权访问
控制层	未授权访问、数据篡改、控制器劫持
南向API	窃听、中间人攻击
基础设施层	恶意控制信息注入、流量及拓扑伪造、泛洪攻击、信息泄露

攻击后果	分类	攻击效果	典型攻击
信息泄露	探测网络架构	推断当前网络架构(传统架构或SDN架构)	基于数据包额外延时推断网络架构^[41]
	探测控制器	推断当前SDN网络采用的具体控制器	SDN控制器指纹技术^[42]
	探测应用程序	推断SDN控制器上安装的应用程序	基于底层和加密的控制流量推断应用程序^[43]
资源耗尽	控制平面DoS	SDN控制器处理负荷过量,无法正常提供服务	针对ONOS控制器Raft算法的babble攻击^[44]
拒绝服务	数据平面DoS	转发设备计算或存储资源耗尽,无法正常通信	控制平面反射攻击^[45]
	系统性DoS	SDN控制平面与数据平面相互作用,影响其他组件功能	控制平面饱和攻击^[46?-48]
策略修改	控制平面造成	修改SDN网络预期的网络策略,包括访	基于恶意应用的rootkit^[49]、跨应用投毒攻击^[13]
	数据平面造成	问控制策略、资源分配规则等	虚拟交换机漏洞^[50]、创建虚假链路^[51]

核心工作	网络类型		应用方案	主要功能
核心工作	传统	SDN	应用方案	可达性	无环路	无黑洞	复杂策略查询
FlowChecker^[55]		√	BDD编码流表,符号模型检查建模网络行为	√	NA	NA	时序逻辑
Anteater^[56]	√		布尔函数表示数据平面状态和不变量,SAT 求解器分析	√	√	√	Ruby、SLang
Hassel^[57]	√		HSA框架,网络传递函数建模网络行为	√	√	NA	基于内部函数的代码
NICE^[14]		√	模型检查及符号执行搜索系统状态空间	NA	√	√	内部函数& Python
NoD^[62]		√	使用Datalog作为规范语言和建模语言	√	√	√	Datalog
FLOVER^[60]		√	流规则与安全策略转换为断言集,Yices SMT求解器分析	NA	NA	NA	一阶逻辑表达式

核心工作	网络类型		加速思想	应用方案		主要功能
核心工作	传统	SDN	加速思想	应用方案		可达性		无环路		无黑洞		复杂策略查询
NetPlumber^[58]		√	增量网络验证	HSA框架建立网络模型,增量更新网络依赖关系图	√		√		√		FlowExp
VeriFlow^[59]		√	EC划分数据包	采用trie增量更新EC,为每个EC构建转发图	√		√		√		内部API & C++
Libra^[61]		√	EC划分数据包,并行处理	获取数据平面快照构建有向图,MapReduce分割图并行验证	√		√		√		内部函数
AP Verifier^[63]	√	√	EC计算加速	使用BDD表示、运算端口的原子谓词,划分EC,计算可达性树	√		√		√		内部函数
APT^[64]	√	√	EC重新划分	划分数据包的最粗EC,计算可达性树	√		√		√		CTL
Delta-net^[65]	√	√	EC计算加速, 增量验证,利用网络相似性	基于IP范围划分EC并使用原子的集合表示,维护全局转发图增量更新	√		√		√		内部API
APKeep^[66]	√		EC计算加速	以逻辑功能为单位建模,新型EC计算、维护方法	NA		√		√		内部函数

核心工作	测试数据包生成方案	流量来源
核心工作	测试数据包生成方案	规则内流量	随机流量
ATPG^[18]	使用HSA计算每条路径的EC,并选取能覆盖所有规则的最小测试数据包集	√
Monocle^[22]	将交换机流表逻辑构造为SAT问题,快速生成针对特定流规则的探测包	√
RuleScope^[24]	将流表拆分为若干子集,针对每个子集中的错误规则生成探测数据包	√
PAZZ^[70]	从控制平面信息生成生产流量,并使用模糊测试思想生成异常流量	√	√