网络与信息安全学报 (Aug 2022)

Design and analysis of intelligent service chain system for network security resource pool

  • Zenan WANG,
  • Jiahao LI,
  • Chaohong TAN,
  • Dechang PI

Journal volume & issue
Vol. 8
pp. 175 – 181

Abstract


The traditional network security architecture ensures network security by directing traffic through hardware-based network security function devices. Since the architecture consists of fixed hardware devices, it leads to a single form of network security area deployment and poor scalability. Besides, the architecture cannot be flexibly adjusted when facing network security events, making it difficult to meet the security needs of future networks. The intelligent service chain system for the network security resource pool was based on software-defined network and network function virtualization technologies, which can effectively solve the above problems. Network security functions in virtual form were added based on network function virtualization technology and combined with the existing hardware network elements to build a network security resource pool. In addition, the switching equipment connected to the network security elements can be flexibly controlled based on software-defined network technology. Then a dynamically adjustable network security service chain was built. Network security events were detected based on security log detection and an expert library consisting of security rules. This enabled dynamic and intelligent regulation of the service chain by means of centralized control in the face of network security events. The deployment process of the service chain was mathematically modeled and a heuristic algorithm was designed to realize the optimal deployment of the service chain. By building a prototype system and conducting experiments, the results show that the designed system can detect security events in seconds and automatically adjust the security service chain in minutes when facing security events, and the designed heuristic algorithm can reduce the occupation of virtual resources by 65%. The proposed system is expected to be applied to the network security area at the exit of the campus and data center network, simplifying the operation and maintenance of this area and improving the deployment flexibility of this area.

Keywords