论文信息 - A SDN Proactive Defense Mechanism Based on IP Transformation

A SDN Proactive Defense Mechanism Based on IP Transformation

In order to improve the security of SDN, a proactive defense mechanism based on encrypted IP address transformation is proposed in this paper. The IP address protection method based on cryptographic transformation is designed to ensure the confusion of the source addresses of both senders and receivers. An effective key update method is designed to improve the randomness of the encryption transformation process. Based on the long prefix of IPv6, a new method of constructing IPv6 data packet with encrypted IPv4 address is proposed. Finally, P4 language is used to simulate the function of address protection and data forwarding in data layer. The evaluation results of the prototype system based on P4 language show that the proposed scheme can proactively defense the DoS attack, without significant performance degradation.

[1] Ejaz Ahmed,et al. Securing software defined networks: taxonomy, requirements, and open issues , 2015, IEEE Communications Magazine.

[2] Basil S. Maglaris,et al. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments , 2014, Comput. Networks.

[3] Yao Zheng,et al. DDoS Attack Protection in the Era of Cloud Computing and Software-Defined Networking , 2014, 2014 IEEE 22nd International Conference on Network Protocols.

[4] Minghui Zhu,et al. Comparing Different Moving Target Defense Techniques , 2014, MTD '14.

[5] Hamid Farhadi,et al. Software-Defined Networking: A survey , 2015, Comput. Networks.

[6] Andrei V. Gurtov,et al. Security in Software Defined Networks: A Survey , 2015, IEEE Communications Surveys & Tutorials.

[7] Tuomas Aura,et al. Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch , 2014, NordSec.