Frontiers of Information Technology & Electronic Engineering

ISSN 2095-9184 (print), ISSN 2095-9230 (online)

Dynamic trust-based service function chain deployment method for disrupting attack chains

Abstract: Enhancing the security of service function chains (SFCs) by composing virtual network functions (VNFs) and allocating resources according to their security attributes can address vulnerability threats in cloud environments, and is an important means of securing SFCs at the deployment stage. However, existing works do not consider the vulnerability correlation of multi-step attack chains when completing SFC deployment based on trustworthiness. As a result, existing security orchestration methods ignore the differences in trustworthiness among network entities and focus only on local trust optimization; these steps effectively disrupt the attack chains to secure SFCs. In this article, an innovative hierarchical trust model is proposed to assess the differentiated trustworthiness among network entities caused by vulnerability correlation. On the basis of this trustworthiness assessment, both the virtual trust of VNF combinations at the SFC composition stage and the physical trust of physical node (PN) selections at the SFC placement stage are considered globally to disrupt the attack chains in SFCs as much as possible. To this end, the security-aware and cost-efficient SFC composition and placement (SCSCP) problem is formulated as an integer linear programming (ILP) problem, which is NP-hard. To tackle the SCSCP problem, the joint trust and cost global optimization (JTCGO) algorithm is proposed to dynamically update the trustworthiness and globally find SFC deployment solutions, including the VNF combination schemes and PN selection schemes. Simulation results demonstrate that the proposed algorithm can provide the optimal SFC deployment solutions for requests and can guarantee SFC trustworthiness at a controllable cost, thereby protecting SFCs from network attacks in complex security environments.

Key words: Service function chain (SFC); Attack chain; Vulnerability correlation; Trustworthiness; SFC composition and placement

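Chinese Summary: Dynamic trust-based service function chain deployment method for disrupting attack paths

周德强1, 季新生1,2, 游伟1, 邱航1, 杨杰1, 赵宇1, 许明艳1
1 Institute of Information Technology, Information Engineering University, Zhengzhou 450002, China
2 Purple Mountain Laboratories, Nanjing 211111, China
Abstract: Enhancing the security capability of service function chains (SFCs) by composing virtual network functions (VNFs) and allocating resources based on their security attributes can effectively address vulnerability threats in cloud environments, and is an important means of securing SFCs at the deployment stage. However, when deploying SFCs based on trustworthiness, existing studies do not consider the correlation among vulnerabilities in multi-step attack paths. As a result, existing security orchestration methods ignore the differences in trustworthiness among network entities and focus only on optimizing local trustworthiness. These steps secure SFCs by effectively cutting off attack paths. This paper proposes an innovative hierarchical trust model to assess the differentiated trustworthiness of network entities caused by vulnerability correlation. Based on the trustworthiness assessment, the virtual trust of VNF combinations is considered globally at the SFC composition stage and the physical trust of physical node (PN) selections is considered globally at the SFC placement stage, so as to disrupt the attack paths in SFCs to the greatest extent. To this end, the security-aware and cost-optimized SFC composition and placement (SCSCP) problem is modeled as an integer linear programming (ILP) problem, which is NP-hard. To solve the SCSCP problem, this paper proposes the joint trust and cost global optimization (JTCGO) algorithm, which dynamically updates the trustworthiness parameters and globally solves for SFC deployment solutions comprising VNF combination schemes and PN selection schemes. Simulation results show that the proposed algorithm can both provide optimal SFC deployment solutions for requests and guarantee SFC trustworthiness at a controllable cost, thereby effectively resisting network attacks in complex security environments.

Key words: Service function chain (SFC); Attack path; Vulnerability correlation; Trustworthiness; SFC composition and placement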


DOI: 10.1631/FITEE.2500218

CLC number: TP393

Downloaded: 434

Clicked: 526

Cited: 0

On-line Access: 2026-01-09

Received: 2025-04-17

Revision Accepted: 2025-10-15

Crosschecked: 2026-01-11

Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952276; Fax: +86-571-87952331; E-mail: jzus@zju.edu.cn
Copyright © 2000~ Journal of Zhejiang University-SCIENCE