Research on Network User Behavior Analysis for SDN Firewalls
Published: 2018-07-03 09:31
Topics: Software Defined Networking + Firewall technology. Source: Zhejiang Gongshang University, 2017 master's thesis
【Abstract】: Network security is an urgent problem for today's networks, and the firewall is one of the most effective tools for addressing it. A principal weakness of the traditional firewall architecture is that security policies must be configured one by one by the network administrator. As network technology develops and network application services grow more complex, the number and complexity of security policies keep rising, so policy configuration has become a heavy burden on administrators. Software Defined Networking (SDN) offers a good way to address this problem. SDN is a new network architecture that provides centralized, programmable control of the whole network. Under SDN, the administrator processes security policies in batches through the SDN controller in a centrally managed way, and can dynamically set the number and placement of firewalls in the network according to the state information reported by the underlying network devices. In addition, through the open programmable interface offered by OpenFlow switches, the administrator can handle abnormal traffic or attack behavior in the network dynamically. To handle abnormal traffic and attacks more effectively and accurately, the behavior of network users must be analyzed. In recent years the analysis of network user behavior in big-data settings has been studied by a growing number of researchers and organizations; analyzing users' behavior data reveals their behavioral characteristics, helps block potential threats, and provides a basis for strengthening security policies.
This thesis uses the SDN architecture together with data-mining techniques to design an SDN firewall system. Part of the firewall functionality is implemented on SDN switches, and two data-mining methods, statistical analysis and clustering analysis, are applied to network user behavior data. They yield, respectively, the individual behavior characteristics of each network user and the collective behavior characteristics of the whole network, and the extracted characteristics are applied to security policy. A firewall algorithm is designed to deploy security policies automatically and dynamically. Finally, the system is validated with two examples: dynamic setting of user port bandwidth, and identity-type-based policy deployment. The former verifies that the system can deploy security policies automatically and dynamically and can handle abnormal traffic dynamically; the latter verifies the feasibility of applying the results of network user behavior analysis to security policy.
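The abstract describes the pipeline only at the level of intent: per-user statistics (individual behavior), clustering over the whole population (collective behavior), and a firewall algorithm that turns the results into switch rules. The Python sketch below is an added illustration written for this page, not code from the thesis, and simulates that pipeline on constructed flow records. It computes per-source byte totals and distinct-port counts, runs a deterministic 2-means clustering, rate-limits sources that fall into the heavier cluster (the "dynamic port bandwidth" case), and drops flows whose destination port is not permitted for the host's identity type (the "identity-type policy" case). The flow records, the identity table, the allowed-port sets, the 1000 kbps limit and the rule dictionaries are all hypothetical; the dictionaries stand in for the OpenFlow flow-mod and meter-mod messages a real controller would push.

```python
"""Toy SDN-firewall policy engine: per-user statistics, 2-means clustering,
and generation of OpenFlow-style rules.

Added illustration for this page; not code from the thesis. All flow records,
identities, port sets and rule formats below are hypothetical.
"""
from collections import defaultdict
from statistics import mean

# Constructed flow records, as a controller could aggregate from OpenFlow
# flow-stats replies: (src_ip, tcp_dst_port, bytes).
FLOW_RECORDS = [
    ("10.0.0.1", 80, 12_000), ("10.0.0.1", 443, 30_000), ("10.0.0.1", 443, 25_000),
    ("10.0.0.2", 80, 8_000), ("10.0.0.2", 443, 15_000),
    ("10.0.0.3", 443, 20_000), ("10.0.0.3", 22, 4_000),
    # 10.0.0.4 moves far more data and touches many ports: unlike the rest.
    ("10.0.0.4", 21, 900_000), ("10.0.0.4", 23, 850_000), ("10.0.0.4", 25, 700_000),
    ("10.0.0.4", 445, 950_000), ("10.0.0.4", 3389, 800_000), ("10.0.0.4", 8080, 600_000),
]

# Hypothetical identity table and the destination ports each identity type may reach.
IDENTITY = {"10.0.0.1": "staff", "10.0.0.2": "guest", "10.0.0.3": "staff", "10.0.0.4": "guest"}
ALLOWED_PORTS = {"staff": {22, 80, 443}, "guest": {80, 443}}


def user_features(records):
    """Individual behaviour (statistical analysis): per source, total bytes and
    number of distinct destination ports."""
    total, ports = defaultdict(int), defaultdict(set)
    for src, dport, nbytes in records:
        total[src] += nbytes
        ports[src].add(dport)
    return {src: (total[src], len(ports[src])) for src in total}


def two_means(points, rounds=20):
    """Collective behaviour (clustering analysis): 2-means over max-normalised
    features. Seeds are the smallest and largest points, so the result is
    deterministic. Returns {key: cluster_id}."""
    if not points:
        return {}
    keys = list(points)
    maxes = [max(p[i] for p in points.values()) or 1 for i in range(2)]
    norm = {k: tuple(points[k][i] / maxes[i] for i in range(2)) for k in keys}
    centers = [norm[min(keys, key=norm.get)], norm[max(keys, key=norm.get)]]
    assign = {}
    for _ in range(rounds):
        assign = {k: min((0, 1), key=lambda c, k=k: sum((a - b) ** 2 for a, b in zip(norm[k], centers[c])))
                  for k in keys}
        new_centers = []
        for c in (0, 1):
            members = [norm[k] for k in keys if assign[k] == c]
            new_centers.append(tuple(mean(col) for col in zip(*members)) if members else centers[c])
        if new_centers == centers:
            break
        centers = new_centers
    return assign


def derive_rules(records, identity, allowed, rate_kbps=1000):
    """Firewall algorithm: turn behaviour features into OpenFlow-style rules.
    Sources in the heavier cluster get a rate limit (dynamic bandwidth setting);
    flows to ports not permitted for the source's identity type are dropped."""
    feats = user_features(records)
    cluster = two_means(feats)
    bytes_by_cluster = defaultdict(list)
    for src, cid in cluster.items():
        bytes_by_cluster[cid].append(feats[src][0])
    heavy = max(bytes_by_cluster, key=lambda cid: mean(bytes_by_cluster[cid]), default=None)
    rules = []
    # Only limit a heavy *minority*: if every source sits in one cluster there is
    # no collective baseline to deviate from, so nothing is throttled.
    if heavy is not None and len(bytes_by_cluster[heavy]) < len(feats):
        for src in sorted(feats):
            if cluster[src] == heavy:
                rules.append({"priority": 200, "match": {"ipv4_src": src},
                              "actions": [f"meter:{rate_kbps}kbps", "output:normal"],
                              "reason": "bytes far above the collective baseline"})
    seen = set()
    for src, dport, _ in records:
        role = identity.get(src, "guest")  # unknown hosts get the most restrictive type
        if dport not in allowed[role] and (src, dport) not in seen:
            seen.add((src, dport))
            rules.append({"priority": 300, "match": {"ipv4_src": src, "tcp_dst": dport},
                          "actions": ["drop"],
                          "reason": f"port {dport} not permitted for identity type {role!r}"})
    return rules


if __name__ == "__main__":
    for rule in derive_rules(FLOW_RECORDS, IDENTITY, ALLOWED_PORTS):
        print(rule)
```

Two caveats a practitioner would add before treating this as a design: the clustering must run over a sliding window of statistics, not a one-off snapshot, or a single burst permanently throttles a host; and the drop rules should carry an idle timeout so that a revoked identity type does not leave stale entries in the switch's flow table.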
【Degree-granting institution】: Zhejiang Gongshang University
【Degree level】: Master's
【Year awarded】: 2017
【Classification number】: TP393.08
Article number: 2093192
Link: http://sikaile.net/guanlilunwen/ydhl/2093192.html