Towards Attack-Resistant Service Function Chain Migration: A Model-Based Adaptive Proximal Policy Optimization Approach

Network function virtualization (NFV) supports the rapid development of service function chain (SFC), which efficiently connects a sequence of network virtual function instances (VNFIs) placed into physical infrastructures. Current SFC migration mechanisms usually keep static SFC deployment after finishing certain objectives, and deployment methods mostly provide static resource allocation for VNFIs. Therefore, the adversary has enough time to plan for devastating attacks for in-service SFCs. Fortunately, moving target defense (MTD) was proposed as a game-changing solution to dynamically adjust network configurations. However, existing MTD methods mostly depend on attack-defense models, and lack adaptive mutation period. In this article, we propose an Intelligence-Driven Service Function Chain Migration (ID-SFCM) scheme. First, we model a Markov decision process (MDP) to formulate the dynamic arrival or departure of SFCs. To remove infeasible actions from the action space of MDP, we formalize the SFC deployment as a constrained satisfaction problem. Then, we design a deep reinforcement learning (DRL) algorithm named model-based adaptive proximal policy optimization (MA-PPO) to enable attack-resistant migration decisions and adaptive migration period. Finally, we evaluate the defense performance by multiple attack strategies and two realistic datasets called CICIDS-2017 and LYCOS-IDS2017 respectively. Simulation results highlight the effectiveness of ID-SFCM compared with representative solutions.