Service Function Chain Deployment With Intrinsic Dynamic Defense Capability

IF 7.7 | Zone 2, Computer Science | Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Ran Wang;Lundan Cai;Qiang Wu;Dusit Niyato
IEEE Transactions on Mobile Computing, vol. 24, no. 6, pp. 5418-5432. Publication date: 2025-01-21. Journal Article.
DOI: 10.1109/TMC.2025.3532210
https://ieeexplore.ieee.org/document/10848358/
Citations: 0

Abstract

The Service Function Chain (SFC) leverages Network Function Virtualization (NFV) and Software-Defined Networking (SDN) for flexible deployment, creating customized service chains tailored to specific applications. As NFV and SDN technologies play crucial roles in the SFC implementation, any security risk that arises in an NFV/SDN network can potentially pose a threat to SFC. Thus, SFC becomes vulnerable to network security attacks. To address this, intrinsic security technologies, including moving target defense and mimic defense, offer proactive protection against both known and unknown threats. It is expected to break through traditional security protection mechanisms such as “enhanced”, “plug-in” and “passive” defense. This paper proposes an intrinsic dynamic defense architecture to equip SFC with active defense capabilities, shifting from passive reactive mechanism based on prior knowledge to an active defense against various attacks. The architecture comprises two models and five modules, including a sub-pool partitioning algorithm that enhances heterogeneity across sub-pools by splitting the heterogeneous replica pool into several sub-pools among replica VNFs. To meet Quality of Service (QoS) requirements like latency, cost, and security, we formulate a multi-objective optimization problem with three objectives: latency, cost, and defense success rate. Following that, we propose a dynamic Deep Reinforcement Learning (DRL)-based deployment algorithm. This algorithm selects appropriate VNFs based on heterogeneity and historical information, improving SFC and VNF security against external attacks. Extensive experiments validate that our architecture significantly enhances network security, provided that this improvement comes at the expense of limited cost and latency.
Source journal
IEEE Transactions on Mobile Computing (Engineering & Technology - Telecommunications)
CiteScore: 12.90
Self-citation rate: 2.50%
Articles published: 403
Review time: 6.6 months
Journal description: IEEE Transactions on Mobile Computing addresses key technical issues related to various aspects of mobile computing. This includes (a) architectures, (b) support services, (c) algorithm/protocol design and analysis, (d) mobile environments, (e) mobile communication systems, (f) applications, and (g) emerging technologies. Topics of interest span a wide range, covering aspects like mobile networks and hosts, mobility management, multimedia, operating system support, power management, online and mobile environments, security, scalability, reliability, and emerging technologies such as wearable computers, body area networks, and wireless sensor networks. The journal serves as a comprehensive platform for advancements in mobile computing research.