CN108011865B - SDN flow tracing method, device and system based on flow watermarking and random sampling - Google Patents


Info

Publication number: CN108011865B
Application number: CN201711036813.6A
Authority: CN (China)
Other versions: CN108011865A
Other languages: Chinese (zh)
Prior art keywords: flow, watermark, stream, sdn, data
Inventors: 张连成, 宇文慧强, 王振兴, 郭毅, 孔亚洲, 辜苛峻
Current and original assignee: PLA Information Engineering University
Legal status: Active

Classifications

    • H04L63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Network security: traffic logging, e.g. anomaly detection
    • H04L63/1441 Network security: countermeasures against malicious traffic
    • H04L63/123 Network security: verification of received data contents, e.g. message integrity
    • H04L63/126 Network security: verification of the source of the received data
    • H04L45/02 Routing or path finding of packets: topology update or discovery
    • H04L45/7453 Routing or path finding of packets: address table lookup or filtering using hashing
    • Y02D30/00 Reducing energy consumption in communication networks


Abstract

The invention relates to the technical field of security defense of SDN switches. An SDN flow tracing method based on flow watermarking and random sampling comprises the following steps: constructing an SDN switch topology graph; generating for each data flow a flow watermark that uniquely identifies it; making flow rules for forwarding the data flow; embedding the flow watermark in the data flow; removing the flow watermark from the data flow; and, if forwarding is abnormal, tracing the SDN switch that produced the abnormal forwarding behavior. The SDN flow tracing device based on flow watermarking and random sampling includes: a topology information collection module; a flow watermark generation module; a flow rule installation module; a flow watermark embedding module; a flow watermark removal module; and an abnormal forwarding discovery module. The SDN flow tracing system based on flow watermarking and random sampling comprises a plurality of SDN switches and any such SDN flow tracing device. The invention can effectively detect malicious forwarding behaviors in various SDN networks.

Description

SDN flow tracing method, device and system based on flow watermarking and random sampling
Technical Field
The invention relates to the technical field of security defense of an SDN switch, in particular to an SDN flow tracing tracking method, device and system based on flow watermarking and random sampling.
Background
The current malicious forwarding behaviors threatening the SDN network data plane are mainly seven kinds:
(1) packet loss
A malicious switch may randomly or selectively drop the data packets flowing through, causing a severe degradation of network performance or a denial of service attack, etc.
(2) Flow forgery
A malicious switch can arbitrarily make packets and forward them to the control plane or data plane.
(3) Flow modification
A malicious switch may modify the content of the traffic, i.e., the header or payload of the data packet. Traffic modification often causes other traffic anomalies; for example, modifying the Time To Live (TTL) value of an IP (Internet Protocol) packet header may cause the packet to be dropped as a matter of course by other SDN switches.
(4) Traffic replication
A malicious switch can copy all traffic, or a specific flow, entering a port and send the copy to a specified port or a specified address, for the purpose of eavesdropping or sniffing.
(5) Traffic routing
A malicious switch modifies the destination address of the traffic flowing through it, or forwards it out of a port other than the one on its original path.
(6) Flow delay
Malicious switches can delay traffic and increase jitter, which can be fatal to time-sensitive traffic. In addition, the delay of TCP (Transmission Control Protocol) flows can cause spurious timeouts and unnecessary retransmissions, thereby severely undermining TCP throughput.
(7) Flow reordering
A malicious switch can alter the order of packets while remaining legitimate in terms of content, routing and delay (or at least reordering within the error range of the delay). Reordering can also be seen as a form of traffic delay, i.e. some packets are sent late while subsequent packets are sent early, so that the packet order is disturbed. As with traffic delay, continuous reordering of TCP packets is particularly damaging to TCP throughput.
In research for detecting a malicious SDN switch, the current mainstream data plane extraction technology includes the following three types:
(1) statistical information extraction technology based on OpenFlow flow table counter
SDN switches typically maintain counters, including port counters and flow counters, to track the number of packets and bytes received and forwarded per port and per flow. The port counters record the number of packets and bytes received, forwarded and dropped at each port of the switch. While these counters do not directly report the traffic carried on each link, polling them periodically over time allows link utilization to be inferred.
(2) Active flow detection technique
The active flow detection technology is to send a specific flow to the network, and check the forwarding path, forwarding state, and flow content of the flow to find the abnormality of the flow in the forwarding process.
(3) Network measurement technique
Data can also be extracted from the data plane with network measurement techniques such as packet sampling and port mirroring; these techniques are mostly applied to traffic accounting, traffic engineering, attack/intrusion detection, monitoring of network service quality, and the like.
Counter-based statistics are the most widely applied, but collecting counter values is ill-suited to fast polling and hard to synchronize, so the efficiency and accuracy of anomaly detection built on them struggle to meet requirements. Active flow detection uses probe packets to detect abnormal forwarding on a specified flow path; it is suitable for detecting abnormal forwarding along that path but not for detecting abnormal behavior across the whole data plane. Packet sampling and port mirroring extract data plane information relatively efficiently, but are difficult to apply to the detection of malicious SDN switches.
Disclosure of Invention
The invention provides an SDN flow tracing method, device and system based on flow watermarking and random sampling, addressing the fact that current data plane extraction techniques struggle to detect a data flow forwarded on a path other than its original one. A flow watermark that uniquely identifies the data flow is hidden in the data flow, which makes it possible to monitor where the flow travels, and a method for online detection of traffic copying, traffic deviation routing and traffic forgery is provided on the basis of the sampling characteristics. The method can effectively detect malicious forwarding behaviors in various SDN networks and outperforms current mainstream data plane extraction techniques.
In order to achieve the purpose, the invention adopts the following technical scheme:
an SDN flow tracing method based on flow watermarking and random sampling comprises the following steps:
step 1: collecting topology information from the data plane through the OpenFlow protocol and the LLDP protocol, and constructing an SDN switch topology graph;
step 2: generating for each data flow a unique flow watermark capable of identifying it, and storing the flow watermark and the flow path of the corresponding data flow in a flow watermark-flow path hash table;
step 3: establishing, for the SDN switch flow tables on the flow path of the data flow, the flow rules for forwarding the data flow; installing the flow rule carrying the flow watermark embedding operation in the flow table of the first SDN switch of the flow path, and installing the flow rule carrying the flow watermark removal operation in the flow table of the last SDN switch of the flow path;
step 4: embedding the flow watermark in the data flow;
step 5: removing the flow watermark from the data flow;
step 6: requesting from the flow watermark-flow path hash table the flow path of the data flow corresponding to the flow watermark, so as to verify whether the data flow is forwarded on the correct data path, and, if forwarding is abnormal, tracing the SDN switch that produced the abnormal forwarding behavior.
Preferably, the stream watermark is 32 bits, i.e. 4 bytes; the stream watermark is embedded in the IPv4 message header field, and at least 4 bytes of the IPv4 message header option field remain unused.
Preferably, the flow rules are an ingress flow rule and a non-ingress flow rule, the non-ingress flow rule having an installation time before the installation time of the ingress flow rule.
Preferably, the ingress flow rule is active before the earliest time that the non-ingress flow rule is active and expires after the latest time that the non-ingress flow rule is active.
Preferably, before step 4, the method further comprises: starting sFlow random sampling on each SDN switch and collecting the sampled packets.
Preferably, step 4 comprises:
step 4.1: modifying the length of the IPv4 message header;
step 4.2: modifying the total length of the IPv4 message;
step 4.3: inserting the flow watermark between the end of the IPv4 message header and the message data.
Preferably, step 5 comprises:
step 5.1: modifying the length of the IPv4 message header;
step 5.2: modifying the total length of the IPv4 message;
step 5.3: deleting the flow watermark at the end of the IPv4 message header.
The SDN flow tracing device based on flow watermarking and random sampling includes:
a topology information collection module, used for collecting topology information from the data plane through the OpenFlow protocol and the LLDP protocol and constructing an SDN switch topology graph;
a flow watermark generation module, used for generating for each data flow a flow watermark that uniquely identifies it and storing the flow watermark and the flow path of the corresponding data flow in a flow watermark-flow path hash table;
a flow rule installation module, used for establishing, for the SDN switch flow tables on the flow path of the data flow, the flow rules for forwarding the data flow, installing the flow rule carrying the flow watermark embedding operation in the flow table of the first SDN switch of the flow path, and installing the flow rule carrying the flow watermark removal operation in the flow table of the last SDN switch of the flow path;
a flow watermark embedding module, used for embedding the flow watermark in the data flow;
a flow watermark removal module, used for removing the flow watermark from the data flow;
an abnormal forwarding discovery module, used for requesting from the flow watermark-flow path hash table the flow path of the data flow corresponding to the flow watermark, so as to verify whether the data flow is forwarded on the correct data path, and, if abnormal forwarding is discovered, tracing the SDN switch that produced the abnormal forwarding behavior.
Preferably, the device further comprises:
a sampled packet collection module, used for starting sFlow random sampling on each SDN switch and collecting the sampled packets.
Preferably, the flow watermark embedding module includes:
a first modification module, used for modifying the length of the IPv4 message header;
a second modification module, used for modifying the total length of the IPv4 message;
a flow watermark insertion sub-module, used for inserting the flow watermark between the end of the IPv4 message header and the message data.
Preferably, the flow watermark removal module includes:
a third modification module, used for modifying the length of the IPv4 message header;
a fourth modification module, used for modifying the total length of the IPv4 message;
a flow watermark removal sub-module, used for deleting the flow watermark at the end of the IPv4 message header.
The SDN flow tracing system based on flow watermarking and random sampling comprises a plurality of SDN switches and any one of the SDN flow tracing devices based on flow watermarking and random sampling described above.
Compared with the prior art, the invention has the following beneficial effects:
1. the method and the device combine the stream watermarking and the sFlow random sampling mode, effectively solve the problem that the traditional SDN malicious switch detection technology is difficult to detect the abnormal forwarding behavior of each data stream deviating from the original stream path, and expand the application range of the SDN malicious switch detection technology.
2. The invention embeds the flow watermark in a way that is transparent to network users: adding and removing the flow watermark in the data flow does not affect the forwarding behavior of the data flow.
3. The method and the device can effectively detect the traffic deviation routing, traffic copying and traffic forgery forwarding behaviors on the malicious switch in the SDN network.
4. The SDN flow tracing method based on flow watermarking and random sampling adopts a mode of embedding the flow watermarking in an IPv4 message header field. The method can be completed through OpenFlow flow table operation, and no new software needs to be additionally deployed on the switch. On the other hand, the method has little influence on the network and the traffic forwarding performance.
5. In this way, the data stream will carry a 32-bit uniquely identified watermark when flowing through the SDN network, and the watermark is removed after leaving the SDN network. The benefits of embedding a stream watermark are, on the one hand, concealment, that the presence of the stream watermark is not detected by the network user, and, on the other hand, that the integrity of the data packet itself is not destroyed.
Drawings
Fig. 1 is a schematic diagram of a basic flow of an SDN flow trace tracking method based on flow watermarking and random sampling according to the present invention.
Fig. 2 is a second basic flowchart of the SDN flow trace tracking method based on flow watermarking and random sampling according to the present invention.
Fig. 3 is a schematic diagram of an IPv4 message header format of the SDN flow trace tracing method based on flow watermarking and random sampling according to the present invention.
Fig. 4 is a schematic diagram illustrating installation and expiration times of ingress rule and non-ingress rule of the SDN flow trace tracing method based on flow watermarking and random sampling according to the present invention.
Fig. 5 is a schematic structural diagram of an SDN flow trace tracking apparatus based on flow watermarking and random sampling according to the present invention.
Fig. 6 is a second schematic structural diagram of an SDN flow trace tracking apparatus based on flow watermarking and random sampling according to the present invention.
Detailed Description
For the sake of understanding, some terms appearing in the detailed description of the invention are explained below:
SDN controller: the application in an SDN, i.e. a software-defined network, responsible for flow control so that the network behaves intelligently. The SDN controller relies on protocols such as OpenFlow, which allow a server to tell the switches where to send packets.
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
Example one:
as shown in fig. 1, an SDN flow trace tracking method based on flow watermarking and random sampling of the present invention includes the following steps:
step S101: collecting topology information from a data plane through an OpenFlow protocol and an LLDP protocol, and constructing an SDN switch topological graph;
step S102: generating a unique flow watermark capable of identifying the data stream for the data stream, and storing the flow watermark and a flow path of the corresponding data stream into a flow watermark-flow path hash table;
step S103: establishing a flow rule for forwarding the data flow for an SDN switch flow table on a flow path of the data flow, installing the flow rule with the embedded flow watermark operation to a first SDN switch flow table of the flow path of the data flow, and installing the flow rule with the flow watermark removal operation to an end SDN switch flow table of the data flow path;
step S104: embedding a stream watermark for the data stream;
step S105: removing the stream watermark for the data stream;
step S106: and requesting a flow path of the data flow corresponding to the flow watermark from a flow watermark-flow path hash table so as to verify whether the data flow is forwarded on a correct data path, and if the forwarding is abnormal, tracing the SDN switch generating the abnormal forwarding behavior.
It is worth noting that the flow watermark is 32 bits, i.e. 4 bytes; the flow watermark is embedded in the IPv4 message header field, and at least 4 bytes of the IPv4 header option field remain unused. The flow rules are ingress flow rules and non-ingress flow rules, and the installation time of the non-ingress flow rules is before the installation time of the ingress flow rules. The ingress flow rule is active before the earliest time that the non-ingress flow rule is active and expires after the latest time that the non-ingress flow rule is active.
Example two:
as shown in fig. 2 to 4, another SDN flow trace tracking method based on flow watermarking and random sampling according to the present invention includes the following steps:
step S201: collecting topology information from the data plane through the OpenFlow protocol and the LLDP protocol and constructing the SDN switch topology graph, which comprises the following steps:
step S2011: the SDN controller encapsulates an LLDP message in a PACKET_OUT message and distributes it to each SDN switch;
step S2012: each SDN switch broadcasts the LLDP message out of every port according to the instruction in the PACKET_OUT message, and the other SDN switches connected to it receive the LLDP message it sent;
step S2013: an SDN switch receiving the LLDP message looks up its flow table, but because its flow table is empty at this moment, it encapsulates the message in a PACKET_IN message and forwards it to the SDN controller;
step S2014: the SDN controller receives the PACKET_IN messages uploaded by the SDN switches, extracts the LLDP message from each, and obtains the topological relation between SDN switches by analysing the link records between pairs of switches in its stored link discovery table, from which the switch topology graph is constructed.
Step S202: generating a flow watermark that uniquely identifies each data flow, and saving the flow watermark and the flow path of the data flow in a flow watermark-flow path hash table. The flow watermark is 32 bits, i.e. 4 bytes; it is embedded in the IPv4 message header field, of which at least 4 bytes of the option field remain unused. The IPv4 header option field is an extensible field with a maximum length of 40 bytes, and in practice it is rarely fully used. The IPv4 header format is shown in fig. 3; the options field is tied to the Internet Header Length (IHL) field and the Total Length (TL) field. The IHL is a 4-bit field expressing the length of the IPv4 header, in 32-bit words. The TL field is 16 bits and gives the total length of the IPv4 message in bytes. The option field length is a multiple of 4 bytes. As one possible implementation, 8 bytes of the IPv4 header option field remain unused.
Step S203: establishing a flow rule for forwarding each data flow for an SDN switch flow table on a flow path of the data flow, simultaneously installing the flow rule with embedded flow watermark operation to a first SDN switch flow table of the flow path of the data flow, and installing the flow rule with flow watermark removal operation to an end SDN switch flow table of the data flow path, wherein the flow rules are an ingress flow rule and a non-ingress flow rule, the installation time of the non-ingress flow rule is before the installation time of the ingress flow rule, the ingress flow rule is effective before the earliest effective time of the non-ingress flow rule and expires after the latest effective time of the non-ingress flow rule;
On the basis of the generated forwarding rules, for each data flow an action that embeds the flow watermark is added to the flow rule at the ingress of the flow path, and an action that removes the flow watermark is added to the flow rule at the egress of the flow path. These flow rules fall into two classes: the ingress flow rule r_in and the non-ingress flow rules r_rest, where r_rest contains the flow rules of all switches on the flow path except the first. The two classes are installed on the switches with different hard timeouts: r_rest is installed first, then r_in. Let i_1 and i_2 denote the installation times of r_rest and r_in, t_1 and t_2 their hard timeouts, and d_max the maximum forwarding delay between network devices (hosts, switches and controllers). As shown in fig. 4, the effective time and the expiry time of r_rest then lie in the ranges [i_1, i_1 + d_max] and [i_1 + t_1, i_1 + t_1 + d_max] respectively, and those of r_in in [i_2, i_2 + d_max] and [i_2 + t_2, i_2 + t_2 + d_max]. To ensure that a data flow watermarked by r_in is handled correctly by r_rest, r_in must take effect before i_1, the earliest effective time of r_rest, and must expire after i_1 + d_max + t_1 + d_max, where i_1 + d_max + t_1 is the latest expiry time of r_rest. This constraint can be expressed as:
(constraint equation given as an image in the original; not reproduced here)
step S204: and starting sFlow random sampling for each SDN switch, and collecting sampling packets.
Step S205: by utilizing the characteristics of the OpenFlow multi-flow table, when all data packets of a data flow enter a first SDN switch of a network, besides the execution of forwarding behaviors, a flow watermark is embedded, and the embedding of the flow watermark is divided into 3 steps, including:
step S2051: modifying the IPv4 header length, i.e. IHL = IHL + 1;
step S2052: modifying the total length of the IPv4 message, i.e. TL = TL + 4;
step S2053: inserting the 32-bit flow watermark between the end of the IPv4 header and the message data.
Step S206: when all data packet flows of the data flow pass through the last SDN switch of the data path, the flow watermark is removed, and the removal of the flow watermark is divided into 3 steps:
step S2061: modifying the IPv4 header length IHL, undoing the IHL + 1 applied when the watermark was embedded;
step S2062: modifying the total length TL of the IPv4 message, undoing the TL + 4 applied when the watermark was embedded;
step S2063: deleting the 32-bit flow watermark at the end of the IPv4 header.
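As an added example (not the patent's own code), the embedding of steps S2051 to S2053 and the removal of steps S2061 to S2063 applied to a constructed IPv4 packet in Python. The packet bytes, addresses and watermark value are constructed; recomputing the IPv4 header checksum after each length change is an assumption beyond the text, needed for the packet to stay valid.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header already carries a valid checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_checksum(header: bytes) -> bytes:
    """Rewrite the header checksum field (bytes 10..11) after any header change."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def parse_lengths(packet: bytes):
    """Return (IHL in 32-bit words, TL in bytes) from an IPv4 packet."""
    version_ihl, _, tl = struct.unpack("!BBH", packet[:4])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return version_ihl & 0x0F, tl


def embed_watermark(packet: bytes, watermark: int) -> bytes:
    """Ingress switch action: append the 32-bit watermark as a trailing option word."""
    ihl, tl = parse_lengths(packet)
    if ihl >= 15:  # IHL is a 4-bit field: one free 4-byte option slot is required
        raise ValueError("no room left in the IPv4 option field")
    hdr_len = ihl * 4
    header, payload = packet[:hdr_len], packet[hdr_len:tl]
    # step S2051: IHL = IHL + 1 (header grows by one 32-bit word)
    header = bytes([0x40 | (ihl + 1)]) + header[1:]
    # step S2052: TL = TL + 4
    header = header[:2] + struct.pack("!H", tl + 4) + header[4:]
    # step S2053: insert the watermark between header end and message data
    header = header + struct.pack("!I", watermark)
    return _set_checksum(header) + payload


def remove_watermark(packet: bytes):
    """Egress switch action: strip the trailing option word; returns (watermark, restored packet)."""
    ihl, tl = parse_lengths(packet)
    if ihl <= 5:
        raise ValueError("no option words present, nothing to remove")
    hdr_len = ihl * 4
    header, payload = packet[:hdr_len], packet[hdr_len:tl]
    # step S2063: the watermark is the last 4 bytes of the header
    watermark = struct.unpack("!I", header[-4:])[0]
    header = header[:-4]
    # steps S2061 / S2062: undo IHL + 1 and TL + 4
    header = bytes([0x40 | (ihl - 1)]) + header[1:]
    header = header[:2] + struct.pack("!H", tl - 4) + header[4:]
    return watermark, _set_checksum(header) + payload


def build_sample_packet(payload: bytes = b"hello") -> bytes:
    """Constructed 20-byte IPv4 header (no options, TTL 64, protocol 17, private addresses) plus payload."""
    tl = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, tl, 0x1234, 0x4000, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return _set_checksum(header) + payload
```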
Step S207: requesting from the flow watermark-flow path hash table the flow path of the data flow corresponding to the flow watermark, so as to verify whether the data flow is forwarded on the correct data path, and, if forwarding is abnormal, tracing the switch that produced the abnormal forwarding behavior.
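As an added example (not from the patent), the verification of step S207 over constructed sFlow samples in Python. The topology, the watermark-to-path hash table and the samples (already decoded to the sampling switch and the watermark found in the header) are all constructed inputs; using the on-path neighbour of an off-path switch as the suspect, and distinguishing copying from deviation routing by whether the rest of the path was still sampled, is this example's own reading of the text.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed inputs: a 5-switch topology, the hash table filled in step S202,
# and sFlow samples as (sampling switch, watermark carried by the packet).
TOPOLOGY: Dict[str, Set[str]] = {
    "s1": {"s2"}, "s2": {"s1", "s3", "s5"}, "s3": {"s2", "s4"},
    "s4": {"s3"}, "s5": {"s2"},
}
PATH_TABLE: Dict[int, List[str]] = {
    0x11111111: ["s1", "s2", "s3", "s4"],
    0x22222222: ["s1", "s2", "s3"],
}
SAMPLES: List[Tuple[str, int]] = [
    ("s1", 0x11111111), ("s3", 0x11111111), ("s5", 0x11111111), ("s4", 0x11111111),
    ("s1", 0x22222222), ("s2", 0x22222222),
    ("s3", 0x33333333),  # watermark the controller never issued
]

Finding = Tuple[int, str, Optional[str], bool]


def analyze(path_table, topology, samples) -> List[Finding]:
    """Check each sampled watermark against its installed path.

    Returns (watermark, verdict, suspect switch, downstream_observed):
      forgery  - the watermark is not in the hash table, so the packets were
                 forged or injected without passing the ingress switch;
      off_path - the flow was sampled on a switch not on its path; the suspect
                 is the on-path switch adjacent to that switch, i.e. the one
                 that deviated or copied the traffic;
      ok       - every sample lies on the installed path.
    downstream_observed is True when every switch after the suspect was also
    sampled, which points to copying rather than deviation routing. Because
    sampling is random, judge this over a collection window, not one sample.
    """
    seen: Dict[int, Set[str]] = defaultdict(set)
    for switch, wm in samples:
        seen[wm].add(switch)
    findings: List[Finding] = []
    for wm, switches in seen.items():
        path = path_table.get(wm)
        if path is None:
            findings.append((wm, "forgery", None, False))
            continue
        off_path = sorted(s for s in switches if s not in path)
        if not off_path:
            findings.append((wm, "ok", None, True))
            continue
        for bad in off_path:
            suspects = [s for s in path if bad in topology.get(s, set())]
            suspect = suspects[0] if suspects else None
            tail = path[path.index(suspect) + 1:] if suspect else []
            downstream = bool(tail) and all(s in switches for s in tail)
            findings.append((wm, "off_path", suspect, downstream))
    return findings


if __name__ == "__main__":
    for finding in analyze(PATH_TABLE, TOPOLOGY, SAMPLES):
        print("watermark 0x%08x: %s suspect=%s downstream_observed=%s" % finding)
```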
Example three:
as shown in fig. 5, an SDN flow trace tracking apparatus based on flow watermarking and random sampling according to the present invention includes:
a topology information collection module 301, configured to collect topology information from a data plane through an OpenFlow protocol and an LLDP protocol, and construct an SDN switch topology map;
a flow watermark generation module 302, configured to generate for each data flow a flow watermark that uniquely identifies it, and store the flow watermark and the flow path of the corresponding data flow in a flow watermark-flow path hash table;
a flow rule installing module 303, configured to formulate a flow rule for forwarding a data flow for an SDN switch flow table on a flow path of the data flow, install a flow rule with an embedded flow watermarking operation to a first SDN switch flow table of the flow path of the data flow, and install a flow rule with a flow watermarking removing operation to an end SDN switch flow table of the data flow path;
a watermark embedding module 304 for embedding a watermark into the data stream;
a watermark removal module 305 for removing a watermark from the data stream;
an exception forwarding discovery module 306, configured to request a flow path of a data flow corresponding to a flow watermark from a flow watermark-flow path hash table, so as to verify whether the data flow is forwarded on a correct data path, and if a forwarding exception is discovered, trace back an SDN switch that generates an exception forwarding behavior.
Example four:
as shown in fig. 6, another SDN flow trace tracking apparatus based on flow watermarking and random sampling according to the present invention includes:
a topology information collection module 401, configured to collect topology information from a data plane through an OpenFlow protocol and an LLDP protocol, and construct an SDN switch topology map;
the flow watermark generating module 402 is configured to generate a flow watermark that is unique and capable of identifying the data stream for the data stream, and store the flow watermark and a flow path of a corresponding data stream into a flow watermark-flow path hash table;
a flow rule installing module 403, configured to formulate a flow rule for forwarding a data flow for an SDN switch flow table on a flow path of the data flow, install a flow rule with an embedded flow watermarking operation to a first SDN switch flow table of the flow path of the data flow, and install a flow rule with a flow watermarking removal operation to an end SDN switch flow table of the data flow path;
a sampling packet collection module 404, configured to start sFlow random sampling for each SDN switch, and collect a sampling packet;
a watermark embedding module 405 for embedding a watermark into a data stream;
a watermark removal module 406 for removing a watermark from the data stream;
an exception forwarding discovery module 407, configured to request a flow path of a data flow corresponding to a flow watermark from a flow watermark-flow path hash table, so as to verify whether the data flow is forwarded on a correct data path, and if a forwarding exception is discovered, trace back an SDN switch that generates an exception forwarding behavior.
The watermark embedding module 405 further comprises:
the first modification module is used for modifying the length of the IPv4 message header;
the second modification module is used for modifying the total length of the IPv4 message;
and the flow watermark inserting sub-module is used for inserting the flow watermark between the tail end of the IPv4 message header and the message data.
The flow watermark removal module 406 further comprises:
the third modification module is used for modifying the length of the IPv4 message header;
the fourth modification module is used for modifying the total length of the IPv4 message;
and the stream watermark removing submodule is used for deleting the stream watermark at the tail of the IPv4 message header.
Example five:
The invention relates to an SDN flow tracing system based on flow watermarking and random sampling, which comprises: a plurality of SDN switches and any of the apparatus of embodiments three and four; as one implementable example, the number of SDN switches is 20.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (10)

1. The SDN flow tracing method based on flow watermarking and random sampling is characterized by comprising the following steps:
step 1: collecting topology information from a data plane through an OpenFlow protocol and an LLDP protocol, and constructing an SDN switch topological graph;
step 2: generating a unique flow watermark capable of identifying the data stream for the data stream, and storing the flow watermark and a flow path of the corresponding data stream into a flow watermark-flow path hash table;
step 3: establishing a flow rule for forwarding the data flow for an SDN switch flow table on a flow path of the data flow, installing the flow rule with the embedded flow watermark operation to a first SDN switch flow table of the flow path of the data flow, and installing the flow rule with the flow watermark removal operation to an end SDN switch flow table of the data flow path;
step 4: embedding a stream watermark for the data stream;
step 5: removing the stream watermark for the data stream;
step 6: requesting a flow path of the data flow corresponding to the flow watermark from a flow watermark-flow path hash table so as to verify whether the data flow is forwarded on a correct data path, and if the forwarding is abnormal, tracing the SDN switch generating the abnormal forwarding behavior.
2. The SDN flow tracing method based on flow watermarking and random sampling according to claim 1, wherein the flow watermark is 32 bits (4 bytes); the flow watermark is embedded in the IPv4 message header field, and at least 4 bytes of the IPv4 message header option field remain unused.
3. The SDN flow tracing method based on flow watermarking and random sampling according to claim 1, wherein the flow rules are ingress flow rules and non-ingress flow rules, and an installation time of the non-ingress flow rules is before an installation time of the ingress flow rules.
4. The SDN flow tracing method based on flow watermarking and random sampling according to claim 3, wherein the ingress flow rules are active before the earliest active time of the non-ingress flow rules and expire after the latest active time of the non-ingress flow rules.
5. The SDN flow tracing method based on flow watermarking and random sampling according to claim 1, further comprising, before the step 4: and starting sFlow random sampling for each SDN switch, and collecting sampling packets.
6. The SDN flow tracing method based on flow watermarking and random sampling according to claim 1, wherein the step 4 comprises:
step 4.1: modifying the length of the IPv4 message header;
step 4.2: modifying the total length of the IPv4 message;
step 4.3: inserting the stream watermark between the tail end of the IPv4 message header and the message data.
7. The SDN flow tracing method based on flow watermarking and random sampling according to claim 1, wherein the step 5 comprises:
step 5.1: modifying the length of the IPv4 message header;
step 5.2: modifying the total length of the IPv4 message;
step 5.3: deleting the stream watermark at the tail of the IPv4 message header.
8. An SDN flow tracing apparatus based on flow watermarking and random sampling, characterized by comprising:
the topology information collection module is used for collecting topology information from a data plane through an OpenFlow protocol and an LLDP protocol and constructing an SDN switch topology graph;
the stream watermark generating module is used for generating a stream watermark which uniquely identifies the data stream for the data stream and storing the stream watermark and a stream path of the corresponding data stream into a stream watermark-stream path hash table;
the flow rule installation module is used for establishing a flow rule for forwarding the data flow for an SDN switch flow table on a flow path of the data flow, installing the flow rule with the embedded flow watermark operation to a first SDN switch flow table of the flow path of the data flow, and installing the flow rule with the flow watermark removal operation to an end SDN switch flow table of the data flow path;
the stream watermark embedding module is used for embedding a stream watermark into the data stream;
a stream watermark removal module for removing a stream watermark for the data stream;
and the abnormal forwarding discovery module is used for requesting a flow path of the data flow corresponding to the flow watermark from the flow watermark-flow path hash table so as to verify whether the data flow is forwarded on a correct data path, and if the abnormal forwarding is discovered, tracing the SDN switch generating the abnormal forwarding behavior.
9. The SDN flow tracing apparatus based on flow watermarking and random sampling according to claim 8, further comprising:
the sampling packet collection module is used for starting sFlow random sampling for each SDN switch and collecting sampling packets;
preferably, the stream watermark embedding module includes:
the first modification module is used for modifying the length of the IPv4 message header;
the second modification module is used for modifying the total length of the IPv4 message;
the flow watermark inserting sub-module is used for inserting the flow watermark between the tail of the IPv4 message header and the message data;
preferably, the stream watermark removing module includes:
the third modification module is used for modifying the length of the IPv4 message header;
the fourth modification module is used for modifying the total length of the IPv4 message;
and the stream watermark removing submodule is used for deleting the stream watermark at the tail of the IPv4 message header.
10. An SDN flow tracing system based on flow watermarking and random sampling, characterized by comprising: a plurality of SDN switches and the apparatus of any one of claims 8 and 9.
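The header operations of claims 6 and 7 and the path check of step 6 (claim 8), as an added Python example that is not the patent's own implementation: the 32-bit watermark of claim 2 is appended as the last word of the IPv4 header with IHL and Total Length adjusted, and a sampled packet's watermark is looked up in the watermark-path table. Assumed and not stated on the page: the header checksum is recomputed after each modification, the switch identifiers, the path table contents and the 10.0.0.x sample packet are constructed.

```python
import struct
# Added example following claims 2, 6 and 7; checksum refresh is an assumption the page omits.
def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header with the checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _finish_header(header: bytearray, ihl: int, total_len: int) -> bytes:
    header[0] = (header[0] & 0xF0) | ihl            # keep version, set new IHL
    header[2:4] = struct.pack("!H", total_len)      # new Total Length
    header[10:12] = b"\x00\x00"                     # zero, then recompute checksum
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header)

def embed_watermark(packet: bytes, watermark: int) -> bytes:
    """Ingress rule (claim 6): append the 32-bit watermark between header end and data."""
    ihl = packet[0] & 0x0F
    if ihl == 15:                                   # IHL is 4 bits: no option space left
        raise ValueError("no unused IPv4 option space for the watermark")
    header = bytearray(packet[:ihl * 4]) + struct.pack("!I", watermark)
    total_len = struct.unpack("!H", packet[2:4])[0] + 4
    return _finish_header(header, ihl + 1, total_len) + packet[ihl * 4:]

def read_watermark(packet: bytes) -> int:
    hdr_len = (packet[0] & 0x0F) * 4                # watermark is the last header word
    return struct.unpack("!I", packet[hdr_len - 4:hdr_len])[0]

def remove_watermark(packet: bytes) -> bytes:
    """Egress rule (claim 7): drop the watermark word, restore IHL and Total Length."""
    ihl = packet[0] & 0x0F
    total_len = struct.unpack("!H", packet[2:4])[0] - 4
    return _finish_header(bytearray(packet[:ihl * 4 - 4]), ihl - 1, total_len) + packet[ihl * 4:]

def check_sampled_packet(path_table: dict, packet: bytes, sampling_switch: str):
    """Step 6: None if the sampling switch is on the watermark's path, else the off-path switch."""
    path = path_table.get(read_watermark(packet))
    if path is None:
        return "unknown-watermark"
    return None if sampling_switch in path else sampling_switch

def make_packet(payload: bytes) -> bytes:
    """Constructed sample input: minimal IPv4/UDP header, 10.0.0.1 -> 10.0.0.2."""
    hdr = bytearray(20)
    hdr[0], hdr[8], hdr[9] = 0x45, 64, 17           # v4 with IHL=5, TTL, protocol UDP
    struct.pack_into("!H", hdr, 2, 20 + len(payload))
    hdr[12:20] = bytes([10, 0, 0, 1, 10, 0, 0, 2])
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

A sampled packet whose watermark maps to a path that does not contain the sampling switch is exactly the forwarding exception claim 1 step 6 traces back.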
CN201711036813.6A 2017-10-28 2017-10-28 SDN flow tracing method, device and system based on flow watermarking and random sampling Active CN108011865B (en)

Publications (2)

Publication Number Publication Date
CN108011865A CN108011865A (en) 2018-05-08
CN108011865B true CN108011865B (en) 2020-05-05

Family

ID=62052057

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant