Service Function Chain Deployment With Intrinsic Dynamic Defense Capability

The Service Function Chain (SFC) leverages Network Function Virtualization (NFV) and Software-Defined Networking (SDN) for flexible deployment, creating customized service chains tailored to specific applications. As NFV and SDN technologies play crucial roles in the SFC implementation, any security risk that arises in an NFV/SDN network can potentially pose a threat to SFC. Thus, SFC becomes vulnerable to network security attacks. To address this, intrinsic security technologies, including moving target defense and mimic defense, offer proactive protection against both known and unknown threats. It is expected to break through traditional security protection mechanisms such as “enhanced”, “plug-in” and “passive” defense. This paper proposes an intrinsic dynamic defense architecture to equip SFC with active defense capabilities, shifting from passive reactive mechanism based on prior knowledge to an active defense against various attacks. The architecture comprises two models and five modules, including a sub-pool partitioning algorithm that enhances heterogeneity across sub-pools by splitting the heterogeneous replica pool into several sub-pools among replica VNFs. To meet Quality of Service (QoS) requirements like latency, cost, and security, we formulate a multi-objective optimization problem with three objectives: latency, cost, and defense success rate. Following that, we propose a dynamic Deep Reinforcement Learning (DRL)-based deployment algorithm. This algorithm selects appropriate VNFs based on heterogeneity and historical information, improving SFC and VNF security against external attacks. Extensive experiments validate that our architecture significantly enhances network security, provided that this improvement comes at the expense of limited cost and latency.