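National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, Henan, China
CHEN Fucai (1974- ), male, born in Gao'an, Jiangxi; researcher at the National Digital Switching System Engineering & Technological R&D Center. Main research interests: network communication and network security.
HE Weizhen (1996- ), male, born in Bozhou, Anhui; master's student at the National Digital Switching System Engineering & Technological R&D Center. Main research interest: network security.
CHENG Guozhen (1986- ), male, born in Heze, Shandong; Ph.D., associate professor at the National Digital Switching System Engineering & Technological R&D Center. Main research interests: cloud data centers, SDN, and network security.
HUO Shumin (1985- ), male, born in Changzhi, Shanxi; Ph.D., associate researcher at the National Digital Switching System Engineering & Technological R&D Center. Main research interest: network security.
ZHOU Dacheng (1996- ), male, born in Xinyang, Henan; master's student at the National Digital Switching System Engineering & Technological R&D Center. Main research interests: network security and SDN.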
Online publication date: 2020-06
Print publication date: 2020-06-25
Fucai CHEN, Weizhen HE, Guozhen CHENG, et al. Design of key technologies for intranet dynamic gateway based on DPDK[J]. Journal on Communications, 2020, 41(6): 139-151. DOI: 10.11959/j.issn.1000-436x.2020126.
To address the high packet-processing delay and high overhead caused by IP hopping, an active defense gateway system with a multi-layer network deployment structure was designed and implemented based on the Data Plane Development Kit (DPDK). First, the forwarding and processing performance of the system was optimized using the DPDK fast forwarding framework. Second, for the dynamic random mapping gateway, which handles three different types of IP addresses, an efficient IP address allocation algorithm and an unpredictable IP address transformation algorithm were designed. The experimental results show that the designed system effectively reduces the rate at which a sniffing attack acquires information, while substantially mitigating the high processing delay caused by dynamic hopping.