Aiming at the single point of failure of the control plane in SDN, a centralized network control environment, a controller architecture based on intrusion tolerance is proposed to improve network availability and reliability through redundant and diverse central controller platforms. The architecture detects intruded controllers by comparing controller messages. First, it specifies the key message types and fields that need to be compared; second, it compares the messages of different controllers using a consistency decision algorithm; finally, it isolates and restarts the controllers that send abnormal messages. A Mininet-based intrusion tolerance reliability test shows that the intrusion-tolerant controller architecture can detect and filter anomalous controller messages. A Mininet-based controller response delay test shows that when the tolerance is set to 1 and 3, the request delay of the lower network increases by 16% and 42%, respectively. Tests of controller response delay and throughput based on Cbench show that the performance of the intrusion-tolerant controller lies between the performance levels of its sub-controllers (Ryu, Floodlight) and tends toward that of the higher-performing sub-controller. In practical applications, the number and type of sub-controllers can be configured according to the security level of the application scenario to meet the requirements for response speed and intrusion tolerance.

Software Defined Network (SDN) architecture brings new opportunities for rapid network change.
Under this architecture, the network control plane and forwarding plane are decoupled and separated. Network intelligence and state monitoring are managed centrally by the network operating system (controller) of the control plane; the capability of the forwarding-plane network equipment is abstracted as an open interface that is called by the control plane. Figure 1 is the logical view of the SDN architecture depicted by the Open Networking Foundation. From the bottom up, all the physical network devices in the infrastructure layer (data layer), such as switches and routers, constitute the forwarding plane. The forwarding plane communicates with the control layer through a southbound interface, such as the OpenFlow protocol [2]. The application layer implements user-level management and provides network services through northbound interfaces, such as RESTful APIs [3]. Because the SDN architecture supports software-programmed management and control of devices from outside the nodes, and maintains a global network view, it brings advantages that traditional networks cannot match. For example, the control layer can dynamically configure reactive network strategies according to changes in the network environment, and realize seamless connection between network administrators/service providers, application services and network hardware facilities. However, SDN's layered architecture and programmability also expose threats different from those of traditional networks. Reference [5] proposes seven main threat vectors in SDN networks, among which the controller's own vulnerabilities are the biggest hidden danger. The middle-level controller not only undertakes the task of sending down network rules and modifying network policies, but also acts as a proxy that collects network equipment information for the application layer and submits data-stream forwarding requests for the data layer. In traditional
networks, an attacker needs to deploy across multiple devices jointly; in SDN networks, the same effect can be achieved simply by capturing and taking over the controller. For this reason, the control layer has become the primary target of attackers. For example, attackers exploit the lack of a trust mechanism between the application layer and the control layer to illegally control the control layer through malicious applications [5]. In addition, there is no flow-table-entry conflict detection between SDN applications [6]: flow table rules issued by ordinary applications may interfere with the security policies deployed in the network. Once an attacker finds a vulnerable application, it can tamper with the application's working logic, override the security rules and manipulate the underlying network. Furthermore, policy deployment errors caused by human operation, server interruptions caused by hardware failures, and system crashes caused by errors in controller code or upper-layer application code also seriously affect the normal operation of the network [7]. In conclusion, to ensure the security of the control layer and protect control from illegal takeover, an effective scheme for threat defense, detection and system recovery is needed. At present, security research on SDN network control focuses on preventing attacks: it detects and prevents attacks or errors before and while they occur, but is less able to recover and restore the system after an attack, and it is difficult to guarantee the availability of the system afterwards.
Because the attack types and modes against the SDN control layer are varied and constantly evolving, the corresponding defense strategies are difficult to propose and deploy in time, so the SDN controller architecture should be able to tolerate unknown intrusions. From the perspective of intrusion tolerance, this paper proposes an intrusion-tolerant controller architecture for SDN networks, which relies on diversity and redundancy to ensure the security of SDN network control. Work on the two aspects of controller security and control protection can be classified according to the mainstream classification of controller architectures: centralized and distributed. Security work on centralized controllers mainly starts from the controller's applications. Reference [8] presents a container-based architecture, microNOS, which ensures application security through isolation measures and prevents system errors from affecting the entire SDN stack. Reference [9] proposes FRESCO, a security application development framework based on OpenFlow, which allows security researchers to implement, share and combine different functional modules for threat detection and elimination. Porras et al. [10] proposed a security enforcement kernel layer based on Floodlight, which controls the application-layer applications hierarchically.
Rules issued by low-level ordinary applications cannot violate the rules deployed by high-level security applications. A rule conflict judgment mechanism [11] is proposed to prevent attackers from bypassing rules and achieving illegal purposes indirectly. Reference [12] introduces a system programming language that allows programmers to capture the structure and mandatory rules of network protocol messages, and to identify and eliminate vulnerabilities in network protocols. Because of the single point of failure of centralized controllers [13], the other part of the research starts from distributed controllers, protecting network security through redundancy and diversity. Pankaj et al. [14] proposed the open source Open Network Operating System (ONOS) architecture, which enhances network availability through redundant controllers: when the main controller cannot work, ZooKeeper is used to switch controllers, and a backup controller is promoted to main controller to take over its work. Onix, proposed by Koponen et al.
[15], and the cluster-based distributed control architecture proposed by Yazici et al. [16] mainly consider the single point of failure caused by controller overload when handling a large number of data streams, and use multiple controllers that coordinate, balance load and increase the scalability of the network control layer. The above research on distributed controllers mainly considers system crashes and network failures caused by network overload, and pays less attention to the impact of attacks and intrusions on the whole network. The application of intrusion tolerance to SDN networks is described below: when the control layer is tampered with, the intrusion can be detected and the system recovered. The traditional three elements of security are integrity, availability and confidentiality. Their security paradigm includes preventing attacks, eliminating the vulnerabilities of the system and eliminating intrusions caused by those vulnerabilities. Integrity means defending against tampering, and confidentiality means preventing any data leakage. However, considering the cost of system protection, the level of system vulnerability and the possibility of the system being attacked, another paradigm for security protection, intrusion tolerance, has emerged: it allows a certain degree of vulnerability in the system and allows some components of the system to be attacked, but ensures that the whole system remains in normal operation. Reference [18] puts forward the basic concept of intrusion tolerance: vulnerabilities (software code errors, human configuration errors, etc.) are allowed within the system.
Attackers can harm the system through these vulnerabilities (component-level threats, etc.), but the system has error response mechanisms (defense, elimination, prediction, etc.) that prevent system crash failures and ensure the system can perform its basic tasks. Reference [18] considers that the risk of system intrusion originates from the defects exposed by the system and the degree of vulnerability embodied by those defects. The size of the damage to the system after being invaded depends on the cost (political, economic). When the cost of reducing system security risk to zero is high and the technology is too complex to implement, an intrusion tolerance model should be built to meet the requirements, allowing acceptable risks while ensuring a certain degree of security. Intrusion tolerance has been applied to the control layer, the data layer and the communication channel between them in SDN networks. In the control layer, intrusion tolerance is achieved mainly through controller redundancy. Reference [19] proposes a multi-controller architecture based on Byzantine availability and security, which allocates different numbers of controllers according to the status of the switches in the network and their security requirements. Reference [7], based on the OpenFlow 1.3 protocol, proposes a master-slave controller architecture for small and medium-sized networks: at any time only one master controller communicates with the lower switches, and when the master controller fails, a new master is selected from the backup slave controllers. In the data layer, communication is guaranteed mainly through link redundancy between communicating nodes. Reference [20] calculates several available paths for the two parties requesting communication.
Once the current communication path is detected to be interrupted, it is switched to another alternate path. For the communication channel between the control layer and the data layer, reference [21] uses the redundant network interfaces of switches to construct multiple redundant paths between the control layer and data-layer switches; once a link is interrupted, backup interfaces are used to transmit data over another link so that control flow recovers rapidly. Research on intrusion tolerance in SDN networks is relatively scarce and mainly based on fault tolerance; it is difficult to handle random and arbitrary component-level faults or tampering. In this paper, a master-slave intrusion-tolerant controller architecture is proposed, which can detect attacks or abnormal situations in the controller system in real time, eliminate the threat in time, and recover and restore the system afterwards. The intrusion-tolerant controller architecture proposed in this paper draws on the intrusion-tolerant Web server architecture described in reference [22]. That architecture is a three-tier client/proxy/server model using redundant Web servers and message proxies. For a client request, all servers respond at the same time; only when the message broker detects that the response pages returned by more than a certain number of servers are consistent is one of the pages returned to the client. In this process, to reduce the data transmission load, the message agent first requires each server to transmit the MD5 message digest of its response page.
After the agent determines the MD5 value shared by the most servers, the corresponding server is required to transmit the complete page to the client. Thus, two request/response exchanges between the message broker and the server are required to complete one response to a client request. Moreover, the architecture does not give a specific scheme for comparing Web pages with varied elements and dynamic changes. This paper applies the above intrusion-tolerant Web server architecture to SDN networks for the first time, and combines it with the network communication characteristics of SDN to achieve the following optimizations: 1) by defining the key message content to be compared, the scope of message content to be compared is narrowed, so that only one request/response exchange between the message broker and the controller is needed to send network control information, reducing response time; 2) the message comparison content and algorithm are given, together with a quantitative evaluation of the system's intrusion tolerance and performance. The architecture and working principle of the intrusion-tolerant controller are as follows. The whole architecture is composed of a control layer and a message agent layer. The message broker layer is transparent to the control layer and the data layer. The control layer consists of multiple controllers, which receive lower-layer network information and respond to lower-layer network requests, but at any time only one controller's feedback message is sent to the switch. The message agent layer also configures redundant message proxy servers; at any time only one master proxy participates in the work of the system, while the other proxies monitor its running status.
Once they find that the master proxy is abnormal, it is switched out and another proxy server takes over its work. For an OpenFlow request from a switch, the agent sends the request to multiple controllers in the control layer at the same time according to the current system policy. After obtaining the controllers' responses, the proxy layer judges the consistency of the response messages: if most of the responses are consistent, it returns one of them and at the same time isolates the controllers that sent inconsistent messages and starts their self-recovery process; if the majority of the responses are inconsistent, it raises a system alarm. As a supplementary security measure, this paper adopts a host-based intrusion detection system.
Ossec [23] is used: the Ossec Server is installed on the message proxy server and an Ossec Agent on each controller. The agent transmits the running status information of each controller to the server in real time; when the server detects an exception, it isolates the exceptional controller and restores it offline through the proxy server.
All controllers run the same application logic. Because the communication formats between different controllers and the lower network differ, strings cannot be compared directly. Therefore, the processing logic is required to be the same (that is, for a given lower-network request, the upper controllers adopt semantically the same feedback strategy) in order to define effective comparison criteria. The system is defined as intruded only when a controller makes abnormal modifications to the application logic and control strategy of the underlying network. Since querying network information does not affect the normal operation of the network, it is not considered an intrusion. It is also assumed that fewer than half of the controllers will be invaded at any one time. Because this architecture implements its intrusion tolerance strategy on the majority-consistency idea, if more than half of the controllers are intruded at the same time, the intrusion cannot be detected. Considering that the architecture contains many different types of controllers, the possibility that an attacker can invade more than half of them in a short time with the same scheme is very low, so this assumption is reasonable. This part models the intrusion behaviors that the prototype system of this architecture can tolerate. The intrusions the system can deal with are divided into external and internal intrusions. External intrusion: the system can tolerate intrusion from outside against the controller through the southbound interface, for example a distributed denial of service (DDoS) attack on a single controller launched through a lower-layer switch. The system can tolerate external intrusion against the controller through the northbound interface, for example Hypertext Transfer Protocol (HTTP) requests sent to the system from an illegal IP address range. The system can tolerate intrusion from outside against the controller host, for example data tampering carried out after remote login to the
controller. Internal intrusion: the system tolerates malicious tampering with a controller by the controller's administrator that results in abnormal system behavior. The architecture consists of a control layer and a message broker layer, as shown in Figure 2. The control layer uses multiple open source controllers, such as Ryu, OpenDaylight and Floodlight. Increasing the number of controllers raises the system's tolerance: only when more than half of the controllers are tampered with at the same time does intrusion tolerance fail and the system lose normal operation. Increasing the diversity of controllers makes it difficult for an attacker to destroy the whole system, because controllers of different platforms cannot be attacked by the same means, so diversity limits the scope of an attack. The same application needs to run on each controller. The agent layer forwards the underlying information to every controller, so each controller has the same global view of the network. When the controllers receive a configuration or operation request from the underlying network, they issue the same logical strategy, and the proxy layer performs the message comparison. There is no actual status difference among the controllers; only a logical master-slave relationship exists, in that for each message sent down, the message broker layer randomly chooses the controller whose message is forwarded as the master controller. In addition, each controller runs an Ossec Agent, which collects log information, anomaly detection data and file integrity detection data about the running state of the system and passes them to the Ossec Server running on the message broker. The message agent layer is built on FlowVisor [24].
It needs to forward the messages of the data layer upward, compare the messages from the control layer, filter the correct controller messages and send them down, and detect, isolate and restore intruded controllers. FlowVisor is a network virtualization layer that can construct different network spaces for network users on the same physical network infrastructure and isolate network applications. This architecture relies on FlowVisor's communication proxy function between the control layer and the data layer, that is, forwarding data-layer messages to each controller of the control layer, so that all controllers have access to the network. On this basis, the message proxy layer of this architecture adds the function of comparing and filtering control-layer messages: it caches and compares control messages with the same logical semantics sent by the multiple upper-layer controllers. When the messages sent by a controller are detected to be inconsistent with those of most controllers, that controller is judged to be intruded, isolated from the network and restarted; one of the control messages consistent with the majority is randomly selected and sent down to the data layer. In the same time period, only one master controller has write access to the network. In addition, when the Ossec Server located on the message proxy server detects abnormal running status information transmitted by the controllers' agents, the abnormal controllers can be isolated and restarted through the control side of the message proxy. Considering the single point of failure of the message broker itself, this layer also contains multiple message broker servers; at any time only one server is in the primary proxy role and the others are in the auxiliary role. Auxiliary agents monitor the primary agent by means of finite state monitoring [25].
Once it is found that the primary agent's state is abnormal or that the order of state changes does not follow the predefined sequence, the primary agent is considered invaded and isolated, and a backup proxy server is selected as the new primary agent. The key technologies of this architecture are concentrated in the message broker layer, whose working logic is shown in Figure 3. The message broker layer first forwards the messages of the underlying data network to each controller of the control layer, then aggregates the messages from all controllers for comparison. According to the custom-set tolerance, a consistency check is performed, the election strategy (selecting the logical master controller) and download configuration (isolating the anomalous controller) are executed, and finally the master controller's strategy is sent to the data layer. Because different controllers communicate with lower network elements in slightly different message forms, their common key fields must be extracted for message comparison. This architecture is based on the OpenFlow 1.0 protocol. Under this protocol, the message types between controller and switch fall into three categories: 1) symmetric messages, mainly used to establish and maintain the connection between the two sides; 2) asynchronous messages, initiated by the switch, used to report changes of lower network state to the controller; 3) controller-to-switch messages, sent by the controller to the switch, mainly used to read network state, modify configuration and download network strategy. Under the above threat assumptions, system intrusion is defined as network application logic being tampered with and the control strategy becoming abnormal. The controller message types that can achieve this are OFPT_FLOW_MOD and OFPT_PACKET_OUT in category 3.
These two message types control the direction of network data flows and command the switch to send packets into the network. Therefore, during intrusion detection the system processes only these two sub-classes of messages. In addition, to minimize the performance degradation caused by the message comparison module, this paper selects only specific fields of each message type for comparison, ignoring other unrelated and generic fields. In OFPT_FLOW_MOD messages, this paper focuses only on four fields: command, out_port, actions and match. These fields determine the adding, deleting and modifying of flow table entries on the switch, and how incoming and outgoing packets are processed by the switch. In OFPT_PACKET_OUT messages, this paper focuses only on in_port and actions, which determine the port from which the switch sends the packet and how the packet is handled.
Each message to be compared is regarded as an object with three member parameters: message content, receiving time, and message source. The message content consists of the key fields of the two message types defined above; the receiving time is the time when the agent receives the message; and the source is the controller that sent the message. The goal of the consistency decision is to determine whether the message policies issued by the controllers for the same underlying network request are consistent. Therefore, the message broker must distinguish the controllers' responses to different requests and store the messages for comparison efficiently, so as to execute the consistency decision. Table 1 shows how messages are stored for comparison in the message broker. A list of messages is stored in the memory of the message broker, denoted MsgLst. Messages with different content are treated as different elements of the list, denoted Content(n). For each content entry, its sending sources Contr(n) and receiving times Tcn are recorded, together with the number of times Count that this content has been received and the time Clock elapsed since the entry was created in memory. Each time the message broker receives the same content from a different controller, the Count of that content is increased by 1.
The algorithm applies to more than three controllers (for example, five controllers are used in the experiments below); three are used here only for a concise example. Take the first message in Table 1 as an example. The message broker has currently received the same message content Content(1) from three controllers, Contr(1), Contr(2) and Contr(3), at receiving times Tc1, Tc2 and Tc3 respectively. Therefore the number of times the message has been received is Count = 3, and the time the message has been stored in memory, Clock, is the current time minus the time the message was first received.

The consistency decision algorithm used by the proxy layer for message comparison is given below. Define D as the system tolerance and n as the number of system controllers, with D > (n − 1)/2 and D an integer. If and only if more than half of the controllers send the same policy, the policy is forwarded to the underlying switch; otherwise, the policy is defined as an exception policy and the controllers that sent it are isolated. The consistency decision algorithm is shown in Algorithm 1 (consistency adjudication). Whenever the message broker receives a controller message nMsg, the if statement in step 2 determines whether a message with the same content already exists in the in-memory message list, and processing proceeds according to the result.

Case 1: the message content already exists in memory. The corresponding message content MSG is found in memory, and step 4 determines whether the controller sending nMsg already exists in the source record of MSG. If it does, step 6 compares the time difference between the two sendings: if the difference is less than the interval, the message is a duplicate sent by the same controller, so only the corresponding Tcn in memory needs to be updated; if the difference is greater than the interval, it is a message sent by the controller for another request while the previous message has not yet been processed, so the previous message is regarded as an exception message and the controller that sent it is isolated. The value of the interval is derived from the average response time of different controllers to a message request; in this paper it is set from the measured average response delay of 2 ms (see Table 5, Intrusion Tolerance Controller (ITC) with five sub-controllers). If step 4 determines that the controller sending nMsg does not exist in the source record of MSG, it is added to the record and the Count of the message is incremented. At the same time, step 15 determines whether the Count of the message in memory is greater than D; if so, most of the messages are identical, the message can be sent down, and its record in memory is deleted.

Case 2: the message content does not exist in memory. Steps 18 to 22 add a new record for the message content. If a message has existed in memory for longer than a specific threshold (step 21), it is regarded as unprocessed and, as in step 6, the controllers that sent it are isolated. The specific value of this threshold needs to be set according to the network security status and attack situation.
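As an added example (not code from the paper or its prototype), the following Python models the broker's key-field extraction for OFPT_FLOW_MOD and OFPT_PACKET_OUT messages and the consistency decision described above, then replays the Table 2 scenario from the experiments below; the message dicts, the numbering of the Contr names and the `max_age` value standing in for the step 21 threshold are assumptions.

```python
"""Message-broker consistency decision of the intrusion-tolerant controller.

Added illustration, not the paper's prototype code. It models the in-memory list
MsgLst (one record per Content with sources Contr(n), times Tcn, Count and the
creation time behind Clock) and the Algorithm 1 style decision with tolerance D.
Messages are constructed dicts standing in for parsed OpenFlow 1.0 OFPT_FLOW_MOD
and OFPT_PACKET_OUT messages; only the key fields named in the text are compared.
"""
import json

# Key fields compared per message type; all other fields (xid, cookie, timeouts,
# buffer_id, ...) are ignored so the same policy from different platforms compares equal.
KEY_FIELDS = {
    "OFPT_FLOW_MOD": ("command", "out_port", "actions", "match"),
    "OFPT_PACKET_OUT": ("in_port", "actions"),
}

def message_content(msg):
    """Canonical Content key of a message, or None if its type is not compared."""
    fields = KEY_FIELDS.get(msg.get("type"))
    if fields is None:
        return None
    return msg["type"] + ":" + json.dumps({f: msg.get(f) for f in fields}, sort_keys=True)

class MessageBroker:
    def __init__(self, tolerance, interval, max_age):
        # D: forward once Count > D (the paper uses D=1 with three controllers, D=3
        # with five). interval: duplicate window from the average controller response
        # delay (2 ms in the paper). max_age: hypothetical step-21 age threshold.
        self.D = tolerance
        self.interval = interval
        self.max_age = max_age
        self.msglst = {}        # Content -> {"created": t, "sources": {Contr(n): Tcn}}
        self.isolated = set()   # controllers judged intruded
        self.forwarded = []     # (Content, chosen controller) sent to the data layer

    def count(self, content):
        """Count of a stored Content: number of distinct controllers that sent it."""
        return len(self.msglst[content]["sources"])

    def receive(self, msg, controller, now):
        """Decide on one controller message nMsg; returns the action taken."""
        content = message_content(msg)
        if content is None:
            return "ignored"        # not a compared type
        if controller in self.isolated:
            return "dropped"        # an isolated controller has no write access
        rec = self.msglst.get(content)
        if rec is None:
            # Steps 18-22: no such Content in memory, create a new record.
            rec = self.msglst[content] = {"created": now, "sources": {}}
        elif controller in rec["sources"]:
            # Steps 4-6: this controller already sent this Content.
            if now - rec["sources"][controller] < self.interval:
                rec["sources"][controller] = now
                return "duplicate"  # resend of the same response: update Tcn only
            # Same Content for a later request while the earlier one never reached
            # a majority: the earlier message is an exception message.
            self._isolate(controller, content)
            return "isolated"
        rec["sources"][controller] = now
        if self.count(content) > self.D:   # step 15: majority reached
            chosen = sorted(rec["sources"])[0]   # deterministic stand-in for the random pick
            self.forwarded.append((content, chosen))
            del self.msglst[content]
            return "forwarded"
        return "waiting"

    def expire(self, now):
        """Step 21: records whose Clock exceeds max_age never reached a majority,
        so their senders are isolated. Returns the controllers isolated here."""
        newly = []
        for content, rec in list(self.msglst.items()):
            if now - rec["created"] > self.max_age:
                for ctrl in sorted(rec["sources"]):
                    self._isolate(ctrl, content)
                    newly.append(ctrl)
        return newly

    def _isolate(self, controller, content):
        self.isolated.add(controller)
        sources = self.msglst[content]["sources"]
        sources.pop(controller, None)
        if not sources:
            del self.msglst[content]

def table2_experiment():
    """Constructed replay of the Table 2 scenario with D = 3: Contr1 sends Flow1,
    Contr2 to Contr5 send Flow2 (same match, different actions, varying xid)."""
    def flow_mod(out_port, xid):   # constructed sample OFPT_FLOW_MOD
        return {"type": "OFPT_FLOW_MOD", "command": "ADD", "out_port": None, "xid": xid,
                "match": {"dl_type": 0x0800, "nw_dst": "10.0.0.2"},
                "actions": [{"type": "OUTPUT", "port": out_port}]}
    broker = MessageBroker(tolerance=3, interval=2.0, max_age=50.0)
    decisions = [broker.receive(flow_mod(3, 7), "Contr1", 0.5)]
    for i, t in zip(range(2, 6), (0.7, 0.9, 1.1, 1.4)):
        decisions.append(broker.receive(flow_mod(2, 10 + i), f"Contr{i}", t))
    decisions.append(broker.expire(now=60.0))   # the Flow1 record has aged out
    return decisions, broker
```

Only the Flow2 policy reaches the data layer and Contr1 ends up isolated, which is the behaviour Figure 5 reports for the filtering broker.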
Based on the above architecture, this paper implements a prototype intrusion-tolerant controller system. The control layer uses two Floodlight controllers, two OpenDaylight controllers and one Ryu controller. The message broker layer uses two FlowVisor-based message brokers, one as the main agent handling connections and communication and the other as the auxiliary agent. An Ossec intrusion detection system is built between the controllers and the message agents. The lower data layer simulates the forwarding network with Mininet. The security of the system is analyzed below, and the related experimental results are described. Intrusion prevention: the host-based intrusion detection system Ossec is installed on the system's controllers and message agents, and can intercept suspicious external access connections. Intrusion detection: through Ossec's file integrity checking, rootkit detection, registry checking and other functions, abnormal states of each component of the system can be found. Intrusion tolerance: through controller redundancy, when a single controller suffers a denial of service attack or a system failure it can be replaced and restarted; through controller diversity, the number of controllers affected by the same type of attack is limited. By setting the tolerance, the system's performance and security level can be customized: when an attack occurs, the tolerance is raised and more controllers are required to send consistent messages before forwarding. In addition, different administrator identities are set for different controllers, which tolerates operating errors or malicious operations by internal personnel; an attacker can control the whole system only by acquiring a majority of the administrator identities.
The message broker layer also guarantees security through multiple agents. To verify the reliability of the system's intrusion tolerance, a simple inconsistent flow table download experiment is designed to simulate a scenario in which the application logic of a controller is tampered with. When a host in the network sends an Internet Control Message Protocol (ICMP) request packet to the edge switch, the forwarding module of the controller instructs the switch to forward the packet according to the flow table under the agreed logic. In this experiment, the controller application logic is modified so that four of the controllers send consistent flow tables while the remaining one sends an abnormal flow table, to test the message filtering ability of the message broker. As shown in Table 2, Contr1 sends Flow1, while Contr2 to Contr5 send Flow2. The installation of the flow table on the Mininet switch is then checked. When the message broker performs no message comparison and filtering and only forwards messages, the flow table query on the Mininet switch gives the result shown in Figure 4: depending on the sending times of the two flow tables, the earlier one is overwritten by the later one. When the message broker performs message comparison and filtering, the flow table query on the Mininet switch gives the result shown in Figure 5: the message broker ensures that only the flow table consistent with the majority is sent down to the switch, so the flow table on the switch can only have one result. Because the matches of the two flow tables are the same and their actions differ, when the message broker is not in effect, a flow table arriving at the switch overwrites the previous one and the tampered application affects the network.
When the message broker is in effect, only the messages agreed on by the majority are sent down and the abnormal messages are shielded; at the same time, the message broker detects the controller that sent the abnormal messages and isolates it.

In this paper, the intrusion tolerance controller prototype system is tested under different tolerance settings. The test environments are based on Mininet and Cbench, respectively. There are 8 servers: 2 message agents, 5 controllers and 1 tester. The parameters of a single server are shown in Table 3.

Test scenario description. This test considers how the response time of the intrusion tolerance controller proposed in this paper changes with the tolerance setting when executing typical data layer network requests. At the same time, this time is compared with the response time required by an ordinary controller to process the same request, in order to verify the performance of the controller system. The measured interval ends when the underlying network receives the configuration message, that is, the time required for steps 1 to 6. Table 4 shows the global feedback time test results of the controller when the system is in tolerance D = 1 (control layer has three controllers), D = 3 (control layer has five controllers), and direct mode (ordinary controller mode, with data messages not passing through the intrusion tolerance agent). The underlying network is a simple topology of one switch and two hosts simulated by Mininet. The recorded time is from the moment host H1 sends the ICMP request to the moment it receives the ICMP response replied by host H2. The data records are shown in Table 4.

Data analysis. In direct mode, because different controllers have different processing performance, the time taken by each of the three controllers to process the request is tested and the average time is calculated.
In D = 1 and D = 3 mode, with three and five controllers respectively connected behind the message broker, the average time required to process the message is measured. As the system tolerance increases, the security is enhanced, but the delay in processing the same type of network request increases: when tolerance D = 1 the system delay increases by 16%, and when tolerance D = 3 the increase reaches 42%. These results show that the tolerance value can be selected adaptively according to the security state, in order to balance the demands of response speed and security level.

Using the Cbench controller testing tool, the intrusion tolerance controller prototype system of this paper (with redundancy 3 and 5) is compared with the open source controllers Ryu and Floodlight, and its throughput and delay performance are analyzed (when Cbench was used to test OpenDaylight, no test results could be obtained, so OpenDaylight performance is not tested). Each type of test collects 16 sets of data, discards the first set (machine warm-up) and the last set (machine cool-down), and takes the average of the rest.

Delay of each controller system. The test uses Cbench to construct, in the data layer, a network of 10,000 hosts connected to one switch. The test results are shown in Table 5. As can be seen from Table 5, Ryu has the smallest delay, and the delay of the intrusion tolerance controller lies between those of Ryu and Floodlight. This is because the intrusion tolerance controller responds to the underlying network as soon as it has received consistent feedback messages from more than half of the sub-controllers, so its delay tends toward that of the faster sub-controllers among the redundant set.
Therefore, in practical application, the performance of the controller can be adjusted by controlling the proportion of each type of controller in the platform.

Throughput of the two controllers versus the number of switches. This test uses Cbench to construct the underlying network in the data layer with 1, 2, 4, 8 and 16 switches, each switch connecting 100,000 hosts.

Throughput of the three controllers versus the number of hosts. This test uses Cbench to construct the underlying network in the data layer with 4 switches and 100, 1,000 and 10,000 hosts per switch.

From the two sets of throughput data in Figures 6 and 7, it can be seen that the throughput of the intrusion tolerance controller prototype built in this paper follows the same trend as that of a single open source controller as the number of switches and hosts in the network changes, and its values lie between those of the single open source controllers. Therefore, it can be concluded that adding the message comparison mechanism does not overburden the intrusion tolerance controller's network processing. On the contrary, it neutralizes the performance difference between the multiple controllers in the network and obtains an intermediate value.
At the same time, it also compensates for the unstable performance of a single controller.

Current research on redundancy schemes for the SDN control layer based on intrusion tolerance focuses on different aspects. In the architecture of literature [19], each switch is managed by several controllers, and the number of controllers required depends on the importance of the switch's position in the network and the maximum tolerable delay; that work proposes an efficient controller allocation scheme that quickly allocates the minimum number of controllers to the network switches to meet the security requirements. Literature [7] presents a master-slave controller architecture in which only the master controller can write to the network at any given time, together with a communication protocol between master and slave controllers that allows them to update and synchronize network information. When the communication between the master and slave controllers fails, the master controller is considered to have failed, and the slave controller notifies the switch to switch roles. In this case, if an attacker can invade the master controller and tamper with the network while still following the communication protocol proposed in that work, the slave controller will find it difficult to detect. In this paper, a two-tier architecture model is proposed, which uses a third-party message broker to determine whether a controller is abnormal, so that any active tampering by an attacker through a controller can be detected, and the credibility is higher.
In addition, by specifying the specific message comparison content and the comparison algorithm, the feasibility of the system is demonstrated, and the research results can be evaluated quantitatively.

This paper proposes a two-tier intrusion tolerance controller architecture for SDN and implements a prototype system. It improves system security through diversity and redundancy, and is a theoretical and practical work applying the idea of intrusion tolerance to the SDN architecture. In addition, the controller platform based on this architecture goes further than current defenses based on fault tolerance (tolerance of destructive system failures), in that it can tolerate and detect intrusion attacks of different degrees. In follow-up work, the types and fields of message comparison will be defined according to higher versions of the OpenFlow protocol. At the same time, the consistency decision algorithm needs to be optimized to improve system performance, and the problem of consistent data storage for the redundant controllers and message agents needs to be considered.