MLSNet: A Policy Complying Multilevel Security Framework for Software Defined Networking
IEEE Transactions on Network and Service Management (IF 4.7), Pub Date: 2020-01-01, DOI: 10.1109/tnsm.2020.3045998
Stefan Achleitner, Quinn Burke, Patrick McDaniel, Trent Jaeger, Thomas La Porta, Srikanth Krishnamurthy

Ensuring that information flowing through a network is secure from manipulation and eavesdropping by unauthorized parties is an important task for network administrators. Many cyber attacks rely on a lack of network-level information flow controls to successfully compromise a victim network. Once an adversary exploits an initial entry point, they can eavesdrop and move laterally within the network (e.g., scan and penetrate internal nodes) to further their malicious goals. In this paper, we propose a novel multilevel security (MLS) framework to enforce a secure inter-node information flow policy within the network and therein vastly reduce the attack surface available to an adversary who has penetrated it. In contrast to prior work on multilevel security in computer networks which relied on enforcing the policy at network endpoints, we leverage the centralization of software-defined networks (SDNs) by moving the task to the controller and providing this service transparently to all nodes in the network. Our framework, MLSNet, formalizes the generation of a policy compliant network configuration (i.e., set of flow rules on the SDN switches) as network optimization problems, with the objectives of (1) maximizing the number of flows satisfying all security constraints and (2) minimizing the security cost of routing any remaining flows to guarantee availability. We demonstrate that MLSNet can securely route flows that satisfy the security constraints (e.g., >80% of flows in a performed benchmark) and route the remaining flows with a minimal security cost.
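As an added illustration, not code from the paper (whose exact formulation and cost model are not given on this page), the following Python routes flows over a constructed toy SDN topology under an assumed MLS rule: a flow inherits its source's label and may only traverse or reach nodes labelled at least that high; flows that cannot comply are routed on the path with the lowest assumed security cost (the sum of label shortfalls along the path), mirroring objectives (1) and (2) of the abstract. The topology, labels, and cost function are all assumptions made for the example.

```python
from collections import deque
import heapq
# Constructed toy SDN topology (hosts h*, switches s*); not from the paper.
TOPOLOGY = {
    "h1": ["s1"], "h2": ["s3"], "h3": ["s2"],
    "s1": ["h1", "s2", "s4"], "s2": ["s1", "s3", "h3"],
    "s3": ["s2", "s4", "h2"], "s4": ["s1", "s3"],
}
# Assumed MLS label per node: 0 = unclassified, 2 = secret (s2 is a low switch).
LEVEL = {"h1": 2, "h2": 2, "h3": 0, "s1": 2, "s2": 0, "s3": 2, "s4": 2}

def compliant_path(src, dst):
    # BFS over nodes labelled >= the flow's (source's) label: assumed MLS rule, no write-down.
    need = LEVEL[src]
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in TOPOLOGY[path[-1]]:
            if nxt not in seen and LEVEL[nxt] >= need:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no policy-compliant route exists

def min_cost_path(src, dst):
    # Dijkstra; assumed cost per hop = how far the next node's label falls below the flow's.
    need = LEVEL[src]
    heap, best = [(0, [src])], {src: 0}
    while heap:
        cost, path = heapq.heappop(heap)
        if path[-1] == dst:
            return cost, path
        for nxt in TOPOLOGY[path[-1]]:
            c = cost + max(0, need - LEVEL[nxt])
            if c < best.get(nxt, float("inf")):
                best[nxt] = c
                heapq.heappush(heap, (c, path + [nxt]))
    return None

def route_flows(flows):
    # Objective (1): route every flow that can comply; (2): route the rest at minimal security cost.
    compliant, fallback = {}, {}
    for src, dst in flows:
        path = compliant_path(src, dst)
        if path:
            compliant[(src, dst)] = path
        else:
            fallback[(src, dst)] = min_cost_path(src, dst)
    return compliant, fallback
```

Calling `route_flows([("h1", "h2"), ("h3", "h1"), ("h1", "h3")])` routes the first two flows around the low switch s2 and falls back to a cost-4 path for the secret-to-unclassified flow, which no labelling of the path can make compliant.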

Updated: 2020-01-01