Pseudo-defense framework and a method for SDN/NFV service deployment

Abstract

The invention discloses a pseudo-defense framework and a method for SDN / NFV service deployment. The framework comprises a user service request layer, a control layer and a network layer. The method mainly carries out pseudo-design on the key part of the control layer, and adds an executor pool, a decider and a scheduler in the control layer. Compared with the traditional service deployment method,this method is more effective against external attacks. The method utilizes the dynamic heterogeneous redundancy architecture to implement the service deployment process, thereby increasing the attack difficulty and improving the security of the service deployment.

Description

technical field [0001] The invention relates to the field of service deployment and mimic security defense, in particular to a mimic defense framework and method for SDN / NFV service deployment. Background technique [0002] A Service Function Chain (SFC) is a collection of ordered service functions. For traditional service function chain deployment, first obtain specific service function requirements according to business requests issued by users, generate an initial service function logic chain, and then manually deploy specific physical devices into the network. In the traditional network architecture, network address translation (NAT), firewall (FW), and intrusion detection (IDS) are all implemented using professional physical devices, but they are expensive, difficult to upgrade, and placed in a fixed location. Therefore, network administrators need to carry out complex and rigorous design of how the physical network is deployed. When the network topology changes, it i...

AI Technical Summary

Problems solved by technology

[0006] (1) The attacker tampers with the service orchestration result, causing the service path to change, or selecting the wrong service function, resulting in the formation of a service function chain inconsistent with the user's requirements, or even disguising the attacker's own server as a service function to join the service function chain , resulting in deployment failure and business traffic being intercepted

[0007] (2) The attacker may directly attack the forwarding rule generation process of the SDN controller, thereby tampering with the forwarding rules, causing network layer traffic to fail to pass through correct service functions, and even affecting the normal operation of the entire network

[0008] (3) Hackers directly conduct DDOS or other resource consumption attacks on the service deployment system, causing the SDN controller and NFV orchestrator to process messages very slowly, causing the service deployment process to become very slow or even fail directly

[0009] (4) When the forwarding rules of the SDN controller are delivered to the network layer switch, the attacker may intercept, tamper or forge the forwarding rules during the delivery process.

[0010] (5) The VNF instantiation process of the server may be attacked by an attacker, that is, the attacker directly attacks the underlying server or instance service function

Images