School of Cryptographic Engineering, Information Engineering University, Zhengzhou, Henan 450001, China

XIAO Jingxu (1994- ), male, born in Changchun, Jilin; Ph.D. candidate at Information Engineering University. Research interests: network security, SDN security.
GUO Yuanbo (1975- ), male, born in Zhouzhi, Shaanxi; Ph.D., professor and doctoral supervisor at Information Engineering University. Research interests: big data security, situational awareness.
CHANG Chaowen (1966- ), male, born in Huaxian, Henan; Ph.D., professor and doctoral supervisor at Information Engineering University. Research interests: mobile information security, IoT security.
WU Ping (1979- ), male, born in Susong, Anhui; Ph.D. candidate at Information Engineering University. Research interests: SDN security, network security, data plane programming.
YANG Chenli (1997- ), male, born in Zhengzhou, Henan; master's student at Information Engineering University. Research interests: network security defense.
Received: 2023-11-10
Revised: 2024-01-04
Published in print: 2024-07-25
Citation: XIAO Jingxu, GUO Yuanbo, CHANG Chaowen, et al. Zero trust management of data flow between IoT edge nodes based on SDN[J]. Journal on Communications, 2024, 45(07): 101-116. DOI: 10.11959/j.issn.1000-436x.2024060.
Abstract: The Internet of things (IoT) lacks effective means of detecting and localizing malicious switching nodes on the transmission path of a data flow. To address this, a zero trust management method for data flows between IoT edge nodes based on software defined networking (SDN) is proposed. The method applies the SDN architecture to the transmission of data flows between edge nodes and uses a fixed-length header overhead to place data flows, nodes and paths under zero trust management, providing lightweight packet forwarding verification and malicious switching node localization. On the forwarding path, switching nodes verify the security of each packet and count the verification results, which ensures the security of the data flow transmission and the consistency of the path. Based on the type of abnormal packet observed, the controller uses a bisection strategy to choose which switching nodes are marked to perform verification, progressively narrowing the range in which the malicious switching node can lie, so that several types of malicious switching node can be localized. Finally, the method is simulated and evaluated. The experimental results show that it introduces less than 10% additional forwarding delay and less than 8% throughput loss.
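The bisection-based localization described in the abstract, as an added illustration (this is not the paper's code; the paper's actual header format, verification procedure and counters are not given on this page and are replaced here by assumptions): a forwarding path of switches is simulated in Python, the sending edge node stamps each packet with a fixed-length tag (modelled as a 16-byte truncated HMAC under a key assumed to be provisioned by the controller), a switch that the controller marks verifies the tag on arrival and counts what it sees, and the controller halves the suspect range on every probe. Two kinds of misbehaviour are simulated, silent dropping and payload tampering, and the anomaly type seen at the receiver decides which counter the controller inspects.

```python
"""Bisection localization of a malicious switch on a verified forwarding path.

Added illustration, not the paper's implementation. Assumptions (not from the
abstract): the fixed-length header is a 16-byte truncated HMAC-SHA256 over the
payload; the key is shared by the controller, the sending edge node and every
switch; a marked switch verifies on arrival, before it forwards or misbehaves.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

TAG_LEN = 16                                   # fixed-length header (assumed size)
PATH_KEY = b"controller-provisioned-path-key"  # assumed shared secret


def make_tag(payload: bytes) -> bytes:
    """Fixed-length verification tag carried in the packet header."""
    return hmac.new(PATH_KEY, payload, hashlib.sha256).digest()[:TAG_LEN]


def tag_ok(pkt: "Packet") -> bool:
    return hmac.compare_digest(make_tag(pkt.payload), pkt.tag)


@dataclass
class Packet:
    tag: bytes
    payload: bytes


@dataclass
class Switch:
    sid: int
    behaviour: str = "honest"   # "honest", "drop" or "tamper" (simulated misbehaviour)
    marked: bool = False        # set by the controller: verify and count on this hop
    seen: int = 0               # packets that arrived at this switch
    failed: int = 0             # packets whose tag did not verify on arrival

    def reset(self) -> None:
        self.marked, self.seen, self.failed = False, 0, 0

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if self.marked:                       # verification happens on arrival
            self.seen += 1
            if not tag_ok(pkt):
                self.failed += 1
        if self.behaviour == "drop":
            return None
        if self.behaviour == "tamper":
            return Packet(pkt.tag, pkt.payload + b"!")   # payload changed, tag not
        return pkt


def send_flow(path: List[Switch], n_packets: int) -> Tuple[int, int]:
    """Sending edge node stamps each packet; returns (delivered, failed) at the receiver."""
    delivered = failed = 0
    for i in range(n_packets):
        payload = f"flow-pkt-{i}".encode()        # constructed sample traffic
        pkt: Optional[Packet] = Packet(make_tag(payload), payload)
        for sw in path:
            pkt = sw.forward(pkt)
            if pkt is None:
                break
        if pkt is not None:
            delivered += 1
            if not tag_ok(pkt):
                failed += 1
    return delivered, failed


def classify(seen: int, failed: int, sent: int) -> Optional[str]:
    """Anomaly type from counters: tampering is checked before loss."""
    if failed > 0:
        return "tamper"
    if seen < sent:
        return "loss"
    return None


def probe(path: List[Switch], idx: int, n_packets: int) -> Optional[str]:
    """Controller marks only switch idx, replays the flow and reads its counters."""
    for sw in path:
        sw.reset()
    path[idx].marked = True
    send_flow(path, n_packets)
    return classify(path[idx].seen, path[idx].failed, n_packets)


def localize(path: List[Switch], n_packets: int = 8) -> Tuple[Optional[int], List[int]]:
    """Return (index of the malicious switch or None, list of probed switch indices).

    An anomaly reported by a marked switch m was caused strictly before m, so the
    suspect range [lo, hi] shrinks to [lo, m-1]; otherwise it shrinks to [m, hi].
    """
    for sw in path:
        sw.reset()
    delivered, failed = send_flow(path, n_packets)
    kind = classify(delivered, failed, n_packets)  # anomaly type seen by the receiver
    if kind is None:
        return None, []
    lo, hi, probes = 0, len(path) - 1, []
    while lo < hi:
        m = (lo + hi + 1) // 2                      # m > lo, so the loop always progresses
        probes.append(m)
        if probe(path, m, n_packets) == kind:       # anomaly already visible at m
            hi = m - 1
        else:
            lo = m
    return lo, probes


if __name__ == "__main__":
    path = [Switch(i, "drop" if i == 5 else "honest") for i in range(8)]
    print(localize(path))                           # culprit index and probe order
```

For an eight-switch path the controller needs three probes, which is the log2 bound the bisection gives; each probe replays the flow with a single marked switch, so the per-probe cost is one verification per packet rather than one per hop. The toy trusts the counters reported by the marked switch, so a malicious switch that is itself marked and lies about its counts is not modelled here.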