一种面向安全的虚拟网络功能动态异构调度方法

网络功能虚拟化(NFV)为服务链构建带来了灵活性与动态性，然而，软件化与虚拟化环境可能存在软件漏洞、后门等安全风险，对服务链(SC)的安全产生影响。为此，该文提出一种服务链上虚拟网络功能(VNF)调度方法。首先，为虚拟网络功能构建异构镜像池，避免利用共模漏洞的大范围攻击；随后，以特定周期选择服务链虚拟网络功能进行调度，加载异构镜像对该网络功能的执行实体进行替换；最后，考虑调度对网络功能性能的影响，应用斯坦科尔伯格博弈对攻防过程建模，以最优化防御者收益为目标求解服务链上各网络功能的调度概率。实验表明，该方法能够降低攻击者攻击成功率，同时将调度产生的开销控制在可接受范围内。

A Security-oriented Dynamic and Heterogeneous Scheduling Method for Virtual Network Function

Network Function Virtualization (NFV) brings flexibility and dynamics to the construction of service chain. However, the software and virtualization may cause security risks such as vulnerabilities and backdoors, which may have impact on Service Chain (SC) security. Thus, a Virtual Network Function (VNF) scheduling method is proposed. Firstly, heterogeneous images are built for every virtual network function in service chain, avoiding widespread attacks using common vulnerabilities. Then, one network function is selected dynamically and periodically. The executor of this network function is replaced by loading heterogeneous images. Finally, considering the impact of scheduling on the performance of network functions, Stackelberg game is used to model the attack and defense process, and the scheduling probability of each network function in the service chain is solved with the goal of optimizing the defender’s benefit. Experiments show that this method can reduce the rate of attacker’s success while controlling the overhead generated by the scheduling within an acceptable range.