SDN/NFV-Based Security Service Function Tree for Cloud

摘要

Network security for cloud computing is very important. Service function chain (SFC) that integrates software defined network (SDN) and network function virtualization (NFV) can provide a new approach for solving the network security issues for cloud computing. In this paper, we combine multiple SFCs into a security service function tree (or SecSFT, for short) to reduce requirement for resources in allocating virtual security functions. According to the idea of decision tree used for classification, we assign decision rules and detection rules to the nodes of the SecSFT so that they can identify and split suspicious flows from the mixed traffic and detect/prevent intrusions in the suspicious ones. The nodes of the SecSFT implement various virtualized functions including security-related network functions (e.g., load balancing, and traffic shaping), network security functions (e.g., intrusion detection, firewall), and virtualized network security hardware. Finally, we build a SecSFT in an experiment cloud and test and validate its security services in detection and mitigation of network attacks.