Abstract: To strengthen network control and security in Software Defined Networking (SDN), the centralized control and flow-table control features of SDN are commonly used to build a large number of security applications. However, such applications each implement a single function with coarse protection granularity and cannot provide comprehensive protection for the whole network. To address this problem, a multi-granularity traffic detection system is designed. Borrowing the grouping idea of Group Based Policy (GBP), the infrastructure layer is managed in groups; module chains are used to shift security detection from hardware devices to software services; the concept of a security detection module is defined and divided into three types: statistical detection, correlation matching detection and regular-expression matching detection. GBP generates module chains, and each module chain invokes a different combination of security detection modules, thereby achieving multi-granularity security detection. Experiments verify the usability of the system in an SDN environment and show that it offers fine detection granularity and good scalability.
Keywords:
Software Defined Networking,
Group Based Policy,
module chain,
security detection module,
traffic detection
Abstract: In order to improve network control ability and security, researchers usually utilize the centralized control and flow table control features of Software Defined Network (SDN) to develop a lot of security applications. However, those security applications concentrate on a single function and have coarse protection granularity, which cannot form comprehensive protection for the whole network. Aiming at this problem, this paper designs a multi-granularity traffic detection system. It manages the infrastructure layer by group based on the thinking of Group Based Policy (GBP), defines the notion of module chain to realize the transition from hardware to software service for security detection, and defines the notion of security detection module and classifies it into three kinds of modules: statistical detection module, correlation matching module and regular expression matching module. GBP is used to generate module chains, and the module chain then mobilizes different combinations of security detection modules to implement multi-granularity security detection. The usability of the system in an SDN environment is verified by experiments, which also show that it has the characteristics of fine granularity and good scalability.
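As an added illustration (not code from the paper or its authors), the following Python sketch models the architecture the abstract describes: infrastructure hosts grouped GBP-style, a per-group module chain, and the three module types (statistical, correlation matching, regular-expression matching) run over constructed flow records. The record layout, group names, thresholds and the single regex rule are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample flows (assumed record layout; not data from the paper).
FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.2.9", "dport": 80, "payload": "GET /index.html"},
    {"src": "10.0.1.5", "dst": "10.0.2.9", "dport": 80, "payload": "GET /s?q=1 UNION SELECT 1"},
    {"src": "10.0.1.7", "dst": "10.0.2.10", "dport": 22, "payload": ""},
    {"src": "10.0.1.7", "dst": "10.0.2.10", "dport": 3306, "payload": ""},
    {"src": "10.0.1.7", "dst": "10.0.2.10", "dport": 5432, "payload": ""},
] + [{"src": "10.0.1.8", "dst": "10.0.2.9", "dport": 80, "payload": "GET /a"}] * 6

# GBP-style grouping of infrastructure-layer hosts (assumed group names).
GROUPS = {"web": {"10.0.2.9"}, "db": {"10.0.2.10"}}

# Policy: each group is assigned a module chain, an ordered list of detection modules.
CHAINS = {"web": ["statistical", "regex"], "db": ["statistical", "correlation"]}

def statistical(flows, threshold=5):
    """Coarse granularity: flag sources sending more than `threshold` flows to the group."""
    counts = defaultdict(int)
    for f in flows:
        counts[f["src"]] += 1
    return [src for src, n in counts.items() if n > threshold]

def correlation(flows, max_ports=2):
    """Medium granularity: correlate a source's flows; flag it if it touches more than `max_ports` distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        ports[f["src"]].add(f["dport"])
    return [src for src, p in ports.items() if len(p) > max_ports]

RULES = [re.compile(r"(?i)union\s+select")]  # constructed example rule

def regex(flows, rules=RULES):
    """Fine granularity: match flow payload content against regular-expression rules."""
    return sorted({f["src"] for f in flows if any(r.search(f["payload"]) for r in rules)})

MODULES = {"statistical": statistical, "correlation": correlation, "regex": regex}

def run_chains(flows, groups=GROUPS, chains=CHAINS):
    """Route each group's flows through its module chain; return {(group, module): [flagged sources]}."""
    alerts = {}
    for group, hosts in groups.items():
        group_flows = [f for f in flows if f["dst"] in hosts]
        for name in chains[group]:
            hits = MODULES[name](group_flows)
            if hits:
                alerts[(group, name)] = hits
    return alerts
```

Calling `run_chains(FLOWS)` shows the granularity split: the high-volume source is caught by the coarse statistical module, the multi-port source by correlation on the db group, and the payload pattern only by the fine-grained regex module on the web group.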
Key words:
Software Defined Network (SDN),
Group Based Policy (GBP),
module chain,
security detection module,
traffic detection
CLC number:
DU Ruiying, HU Li, CHEN Jing, CHEN Jiong. Multi-granularity Traffic Detection System of Group Based Policy for SDN [J]. Computer Engineering. (Original Chinese title: 基于组策略的SDN多粒度流量检测系统)