{"title":"具有内在动态防御能力的业务功能链部署","authors":"Ran Wang;Lundan Cai;Qiang Wu;Dusit Niyato","doi":"10.1109/TMC.2025.3532210","DOIUrl":null,"url":null,"abstract":"The Service Function Chain (SFC) leverages Network Function Virtualization (NFV) and Software-Defined Networking (SDN) for flexible deployment, creating customized service chains tailored to specific applications. As NFV and SDN technologies play crucial roles in the SFC implementation, any security risk that arises in an NFV/SDN network can potentially pose a threat to SFC. Thus, SFC becomes vulnerable to network security attacks. To address this, intrinsic security technologies, including moving target defense and mimic defense, offer proactive protection against both known and unknown threats. It is expected to break through traditional security protection mechanisms such as “enhanced”, “plug-in” and “passive” defense. This paper proposes an intrinsic dynamic defense architecture to equip SFC with active defense capabilities, shifting from passive reactive mechanism based on prior knowledge to an active defense against various attacks. The architecture comprises two models and five modules, including a sub-pool partitioning algorithm that enhances heterogeneity across sub-pools by splitting the heterogeneous replica pool into several sub-pools among replica VNFs. To meet Quality of Service (QoS) requirements like latency, cost, and security, we formulate a multi-objective optimization problem with three objectives: latency, cost, and defense success rate. Following that, we propose a dynamic Deep Reinforcement Learning (DRL)-based deployment algorithm. This algorithm selects appropriate VNFs based on heterogeneity and historical information, improving SFC and VNF security against external attacks. Extensive experiments validate that our architecture significantly enhances network security, provided that this improvement comes at the expense of limited cost and latency.","PeriodicalId":50389,"journal":{"name":"IEEE Transactions on Mobile Computing","volume":"24 6","pages":"5418-5432"},"PeriodicalIF":7.7000,"publicationDate":"2025-01-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Service Function Chain Deployment With Intrinsic Dynamic Defense Capability\",\"authors\":\"Ran Wang;Lundan Cai;Qiang Wu;Dusit Niyato\",\"doi\":\"10.1109/TMC.2025.3532210\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The Service Function Chain (SFC) leverages Network Function Virtualization (NFV) and Software-Defined Networking (SDN) for flexible deployment, creating customized service chains tailored to specific applications. As NFV and SDN technologies play crucial roles in the SFC implementation, any security risk that arises in an NFV/SDN network can potentially pose a threat to SFC. Thus, SFC becomes vulnerable to network security attacks. To address this, intrinsic security technologies, including moving target defense and mimic defense, offer proactive protection against both known and unknown threats. It is expected to break through traditional security protection mechanisms such as “enhanced”, “plug-in” and “passive” defense. This paper proposes an intrinsic dynamic defense architecture to equip SFC with active defense capabilities, shifting from passive reactive mechanism based on prior knowledge to an active defense against various attacks. The architecture comprises two models and five modules, including a sub-pool partitioning algorithm that enhances heterogeneity across sub-pools by splitting the heterogeneous replica pool into several sub-pools among replica VNFs. To meet Quality of Service (QoS) requirements like latency, cost, and security, we formulate a multi-objective optimization problem with three objectives: latency, cost, and defense success rate. Following that, we propose a dynamic Deep Reinforcement Learning (DRL)-based deployment algorithm. This algorithm selects appropriate VNFs based on heterogeneity and historical information, improving SFC and VNF security against external attacks. Extensive experiments validate that our architecture significantly enhances network security, provided that this improvement comes at the expense of limited cost and latency.\",\"PeriodicalId\":50389,\"journal\":{\"name\":\"IEEE Transactions on Mobile Computing\",\"volume\":\"24 6\",\"pages\":\"5418-5432\"},\"PeriodicalIF\":7.7000,\"publicationDate\":\"2025-01-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Transactions on Mobile Computing\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10848358/\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Mobile Computing","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10848358/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
摘要
SFC (Service Function Chain)业务功能链,利用NFV (Network Function Virtualization)和SDN (software defined Networking)技术灵活部署,为特定应用创建定制化的业务功能链。由于NFV和SDN技术在SFC实现中起着至关重要的作用,因此NFV/SDN网络中出现的任何安全风险都可能对SFC构成威胁,使SFC容易受到网络安全攻击。为了解决这个问题,固有的安全技术,包括移动目标防御和模拟防御,提供了针对已知和未知威胁的主动保护。有望突破“增强”、“外挂”、“被动”防御等传统安全防护机制。本文提出了一种内在动态防御体系结构,使SFC具备主动防御能力,从基于先验知识的被动反应机制转变为主动防御各种攻击。该体系结构包括两个模型和五个模块,其中包括子池分区算法,该算法通过将异构复制池划分为副本VNFs中的多个子池来增强子池之间的异构性。为了满足服务质量(QoS)需求,如延迟、成本和安全性,我们制定了一个多目标优化问题,其中包含三个目标:延迟、成本和防御成功率。随后,我们提出了一种基于深度强化学习(DRL)的动态部署算法。该算法根据异构性和历史信息选择合适的VNF,提高了SFC和VNF抵御外部攻击的安全性。大量的实验验证了我们的架构显著增强了网络安全性,前提是这种改进是以有限的成本和延迟为代价的。
Service Function Chain Deployment With Intrinsic Dynamic Defense Capability
The Service Function Chain (SFC) leverages Network Function Virtualization (NFV) and Software-Defined Networking (SDN) for flexible deployment, creating customized service chains tailored to specific applications. As NFV and SDN technologies play crucial roles in the SFC implementation, any security risk that arises in an NFV/SDN network can potentially pose a threat to SFC. Thus, SFC becomes vulnerable to network security attacks. To address this, intrinsic security technologies, including moving target defense and mimic defense, offer proactive protection against both known and unknown threats. It is expected to break through traditional security protection mechanisms such as “enhanced”, “plug-in” and “passive” defense. This paper proposes an intrinsic dynamic defense architecture to equip SFC with active defense capabilities, shifting from passive reactive mechanism based on prior knowledge to an active defense against various attacks. The architecture comprises two models and five modules, including a sub-pool partitioning algorithm that enhances heterogeneity across sub-pools by splitting the heterogeneous replica pool into several sub-pools among replica VNFs. To meet Quality of Service (QoS) requirements like latency, cost, and security, we formulate a multi-objective optimization problem with three objectives: latency, cost, and defense success rate. Following that, we propose a dynamic Deep Reinforcement Learning (DRL)-based deployment algorithm. This algorithm selects appropriate VNFs based on heterogeneity and historical information, improving SFC and VNF security against external attacks. Extensive experiments validate that our architecture significantly enhances network security, provided that this improvement comes at the expense of limited cost and latency.
期刊介绍:
IEEE Transactions on Mobile Computing addresses key technical issues related to various aspects of mobile computing. This includes (a) architectures, (b) support services, (c) algorithm/protocol design and analysis, (d) mobile environments, (e) mobile communication systems, (f) applications, and (g) emerging technologies. Topics of interest span a wide range, covering aspects like mobile networks and hosts, mobility management, multimedia, operating system support, power management, online and mobile environments, security, scalability, reliability, and emerging technologies such as wearable computers, body area networks, and wireless sensor networks. The journal serves as a comprehensive platform for advancements in mobile computing research.