CN108199906B - Abnormal traffic processing method and device in SDN framework and user terminal - Google Patents


Info

Publication number
CN108199906B
Authority
CN
China
Prior art keywords
flow
abnormal
data information
abnormal flow
information
Prior art date
Legal status
Active
Application number
CN201810122369.8A
Other languages
Chinese (zh)
Other versions
CN108199906A (en)
Inventor
陈江婷
张理阳
王箭
肖向
Current Assignee
Shenzhen Forward Industrial Co Ltd
Original Assignee
Shenzhen Forward Industrial Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Forward Industrial Co Ltd
Priority to CN201810122369.8A
Publication of CN108199906A
Application granted
Publication of CN108199906B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2475 Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows

Abstract

The invention provides an abnormal traffic processing method, an abnormal traffic processing device and a user terminal in an SDN framework. The method comprises the following steps: parsing the data flow of a packet to obtain parsed data information; performing traffic detection on the parsed data information according to an abnormal traffic template library to generate a traffic detection result, where the abnormal traffic template library comprises preset content characteristics and behavior characteristics of abnormal traffic; and if the traffic detection result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library. The method provides the SDN framework with a response mechanism for abnormal traffic, avoids loss of control and paralysis of the network caused by abnormal traffic, effectively enhances the security of the SDN framework, and thereby makes the network much more convenient for users and maintenance personnel.

Description

Abnormal traffic processing method and device in SDN framework and user terminal
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and an apparatus for processing abnormal traffic in an SDN framework, and a user terminal.
Background
The SDN framework was first proposed by the ONF organization. SDN is divided from bottom to top (or south to north) into a data plane, a control plane and an application plane. Unlike traditional network architectures, an SDN architecture separates the control plane from the data plane of the network; the control plane is the core of the SDN architecture and provides centralized control of the network. Through its southbound interface the control plane uses the services provided by the data-plane network devices to collect the state of those devices or to configure them; the application plane sends requests through the northbound interface provided by the control plane to configure the network devices or obtain information from them. The SDN framework provides an open programmable interface, enabling fast deployment of new applications with simple programming.
The centralized control of the SDN framework and its open programmable features introduce security issues for SDN. Abnormal network traffic consumes more network bandwidth, occupies CPU processing time, reduces link utilization, causes network congestion, and can seriously degrade network service quality. In the SDN framework, abnormal traffic may cause the SDN controller to fail to provide external services, leaving the network out of control, and may also cause network devices to stop operating normally, leaving the network paralyzed. Therefore, an SDN network needs the capability to detect and defend against abnormal traffic.
In summary, because the current SDN framework has no mechanism for coping with abnormal network traffic, such traffic consumes a large amount of bandwidth, occupies system CPU resources and prevents external services from being provided, so that the network becomes out of control and breaks down, bringing great security risks and inconvenience to the users and maintenance personnel of the network.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for processing abnormal traffic in an SDN framework, and a user terminal, to remedy the deficiencies of the prior art.
To solve the above problem, the present invention provides an abnormal traffic processing method in an SDN framework, including:
parsing the data flow of a packet to obtain parsed data information;
performing traffic detection on the parsed data information according to an abnormal traffic template library to generate a traffic detection result, where the abnormal traffic template library comprises preset content characteristics and behavior characteristics of abnormal traffic;
and if the traffic detection result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library.
Preferably, if the traffic detection result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library includes:
if the traffic detection result indicates that the parsed data information is abnormal traffic, judging according to the abnormal traffic template library whether the parsed data information is high-risk abnormal traffic;
and if the parsed data information is high-risk abnormal traffic, discarding or isolating the packet corresponding to the data information.
Preferably, after the step of judging according to the abnormal traffic template library whether the parsed data information is high-risk abnormal traffic, the method further includes:
if the parsed data information is not high-risk abnormal traffic, sending prompt information corresponding to the parsed data information to an external security APP, so that the packet corresponding to the parsed data information is processed according to the decision information the external security APP returns in response to the prompt information.
Preferably, after the step of sending the prompt information to the external security APP when the parsed data information is not high-risk abnormal traffic, so that the corresponding packet is processed according to the decision information returned by the external security APP, the method further includes:
obtaining the decision information returned by the external security APP in response to the prompt information;
converting the decision information into traffic policy information;
and, according to the traffic policy information, changing the route of the abnormal traffic or prohibiting the abnormal traffic from entering the network.
Preferably, after the step of performing traffic detection on the parsed data information according to the abnormal traffic template library to generate the traffic detection result, the method further includes:
if the traffic detection result indicates that the parsed data information is not abnormal traffic, acquiring behavior statistics for the parsed data information of the corresponding packet within a preset time, and performing traffic behavior characteristic detection on the parsed data information of the packet according to the abnormal traffic template library based on the behavior statistics, to generate a behavior characteristic detection result;
and if the behavior characteristic detection result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library.
Preferably, after the step of performing traffic behavior characteristic detection on the parsed data information and generating the behavior characteristic detection result when the traffic detection result indicates that the parsed data information is not abnormal traffic, the method further includes:
and if the behavior characteristic detection result indicates that the parsed data information is not abnormal traffic, recording the parsed data information as normal traffic.
Preferably, the parsed data information includes packet header information and packet content information.
In addition, to solve the above problem, the present invention further provides an abnormal traffic processing apparatus in an SDN framework, comprising a parsing module, a detection module and a processing module;
the parsing module is used to parse the data flow of a packet to obtain parsed data information;
the detection module is used to perform traffic detection on the parsed data information according to an abnormal traffic template library to generate a traffic detection result, where the abnormal traffic template library comprises preset content characteristics and behavior characteristics of abnormal traffic;
and the processing module is used to process the packet corresponding to the abnormal traffic according to the abnormal traffic template library if the traffic detection result indicates that the parsed data information is abnormal traffic.
In addition, to solve the above problem, the present invention further provides a user terminal, which includes a memory and a processor, where the memory stores an abnormal traffic handling program for an SDN framework, and the processor runs the program so that the user terminal executes the abnormal traffic handling method in the SDN framework.
In addition, to solve the above problem, the present invention further provides a computer-readable storage medium storing an abnormal traffic handling program for an SDN framework which, when executed by a processor in the SDN framework, implements the abnormal traffic handling method in the SDN framework.
The invention provides a method and a device for processing abnormal traffic in an SDN framework, and a user terminal. Aimed at the security deficiency of the existing SDN framework, the method performs traffic detection on the parsed data information of a packet, judges from the traffic detection result and other methods whether the packet is abnormal traffic, and, if it is, processes the packet according to a traffic hazard policy. This provides the SDN framework with a response mechanism for abnormal traffic, avoids loss of control and paralysis of the network caused by abnormal traffic, effectively enhances the security of the SDN framework, and thereby makes the network much more convenient for users and maintenance personnel.
Drawings
Fig. 1 is a schematic structural diagram of a hardware operating environment according to an embodiment of an abnormal traffic processing method in an SDN framework of the present invention;
fig. 2 is a schematic flowchart of a first embodiment of an abnormal traffic processing method in an SDN framework according to the present invention;
fig. 3 is a flowchart illustrating a second embodiment of an abnormal traffic processing method in an SDN framework according to the present invention;
fig. 4 is a flowchart illustrating a third embodiment of an abnormal traffic processing method in an SDN framework according to the present invention;
fig. 5 is a flowchart illustrating a fourth embodiment of an abnormal traffic processing method in an SDN framework according to the present invention;
fig. 6 is a schematic functional block diagram of an abnormal traffic processing apparatus in an SDN framework according to the present invention;
fig. 7 is a schematic diagram of abnormal traffic processing by the application plane, the SDN controller, the abnormal traffic management server and the data plane of the SDN security framework on which the abnormal traffic processing method of the present invention is based;
fig. 8 is a schematic diagram of the abnormal traffic processing flow of the SDN controller in the SDN security architecture on which the abnormal traffic processing method of the present invention is based;
fig. 9 is a schematic diagram of abnormal traffic processing by the application layer, the control layer and the data layer of the SDN security architecture on which the abnormal traffic processing method of the present invention is based.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
Reference will now be made in detail to the embodiments of the present invention, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.
In the present invention, unless otherwise expressly stated or limited, the terms "mounted", "connected", "secured" and the like are to be construed broadly: the connection may be fixed, detachable or integrally formed; mechanical or electrical; direct or indirect through intervening media; internal, or in any other relationship. Those skilled in the art can understand the specific meanings of these terms in the present invention according to the specific situation.
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic structural diagram of a hardware operating environment of a terminal according to an embodiment of the present invention.
The terminal of the embodiment of the invention can be a PC, and can also be a mobile terminal device with a display function, such as a smart phone, a tablet computer, an electronic book reader, a portable computer and the like.
As shown in fig. 1, the terminal may include a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 enables communication between these components. The user interface 1003 may comprise a display screen and an input unit such as a keyboard or a remote control, and may optionally also comprise a standard wired interface or a wireless interface. The network interface 1004 may optionally include a standard wired interface or a wireless interface (e.g. a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Optionally, the terminal may further include a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WiFi module, and the like. In addition, the mobile terminal may further be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which are not described herein again.
Those skilled in the art will appreciate that the terminal shown in fig. 1 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer readable storage medium, may include therein an operating system, a data interface control program, a network connection program, and an abnormal traffic handling program in an SDN framework.
The invention provides a method and a device for processing abnormal traffic in an SDN framework, and a user terminal. The method provides the SDN framework with a response mechanism for abnormal traffic, avoids loss of control and paralysis of the network caused by abnormal traffic, effectively enhances the security of the SDN framework, and thereby makes the network much more convenient for users and maintenance personnel.
Example 1:
Referring to fig. 2, a first embodiment of the present invention provides a method for processing abnormal traffic in an SDN framework, including:
Step S10, parsing the data flow of a packet to obtain parsed data information;
As noted above, a Software Defined Network (SDN) is a novel network innovation architecture from Emulex Networks and an implementation of network virtualization; its core technology, OpenFlow, separates the control plane and data plane of network devices, realizing flexible control of network traffic and making the network, as a pipe, more intelligent.
A message (packet) is the data unit exchanged and transmitted in the network, i.e. the block of data a station sends at one time. A message contains the complete data information to be sent; its length is highly variable and not limited. The message is also the unit of network transmission and, during transmission, is successively encapsulated into packets, datagrams and frames, the encapsulation adding information fields, namely headers organized in a certain format. In this embodiment, the packet is the data unit used for data interaction in the network.
In the SDN framework, packets sent by different senders are collected in real time or periodically; the SDN controller monitors the data flows of all packets, parses them, and obtains parsed data information. The parsed data information may include characteristic information of the packet or related data record information.
Step S20, performing traffic detection on the parsed data information according to the abnormal traffic template library to generate a traffic detection result; the abnormal traffic template library comprises preset content characteristics and behavior characteristics of abnormal traffic;
The abnormal traffic template library is a preset library used in traffic monitoring to identify whether traffic is abnormal; it stores, for each kind of abnormal traffic, its content characteristics, behavior characteristics, hazard level, suggested processing method and so on. Abnormal traffic is described in the template library with a simple, easy-to-understand description language in terms of its content or behavior characteristics. For example, a Land attack is characterized by identical source and destination IP addresses and can be described as ip.src == ip.dst; a SYN flood attack is characterized by more than 10000 SYN packets within 5 seconds and can be described as tcp.syn == 1 && totalsyn(10000, 5).
Finally, the parsed data information is checked against the abnormal traffic template library, and the traffic detection result is generated from that check.
Step S30, if the traffic detection result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library.
The abnormal traffic template library is a preset policy that classifies traffic according to the parsed data information of the packet, by its content characteristics, its behavior characteristics, or a combination of the two; the data flows of the packets can then be processed according to their grade and class. For example, traffic is divided into several grades: high-risk abnormal traffic, dangerous abnormal traffic, common abnormal traffic and normal traffic; the parsed data information is assigned to one of these grades and then handled by the processing method corresponding to its class.
Aimed at the security deficiency of the existing SDN framework, the method of this embodiment performs traffic detection on the parsed data information of a packet, judges from the traffic detection result and other methods whether the packet is abnormal traffic, and, if it is, processes the packet according to a traffic hazard policy. This provides the SDN framework with a response mechanism for abnormal traffic, avoids loss of control and paralysis of the network caused by abnormal traffic, effectively enhances the security of the SDN framework, and thereby makes the network much more convenient for users and maintenance personnel.
Example 2:
Referring to fig. 3, a second embodiment of the present invention provides a method for processing abnormal traffic in an SDN framework based on the first embodiment shown in fig. 2, where step S30, "if the traffic detection result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library", includes:
Step S31, if the traffic detection result indicates that the parsed data information is abnormal traffic, judging according to the abnormal traffic template library whether the parsed data information is high-risk abnormal traffic;
As described above, in this embodiment the detected abnormal traffic is handled differently depending on the traffic detection result. Once traffic is judged abnormal, the hazard level of the packet's parsed data information is confirmed by the related classification processing module in the SDN framework.
The hazard levels and the processing method for each hazard level can be set manually through the external security APP according to the network environment and requirements. Each kind of abnormal traffic in the abnormal traffic template library has a corresponding hazard level, and this correspondence can be modified through the external security APP. Once abnormal traffic is detected, it is handled according to its hazard level.
Step S32, if the parsed data information is high-risk abnormal traffic, discarding or isolating the packet corresponding to the data information.
Step S33, if the parsed data information is not high-risk abnormal traffic, sending prompt information corresponding to the parsed data information to the external security APP, so that the packet corresponding to the parsed data information is processed according to the decision information the external security APP returns in response to the prompt information.
The external security APP provides management of the security-related modules. Its functions include: managing (adding/deleting/modifying) abnormal traffic templates and setting the hazard level of abnormal traffic; managing hazard levels, mainly the way abnormal traffic of each level is processed; receiving abnormal traffic alarm information and handling abnormal traffic that has not yet been processed; and viewing abnormal traffic log information.
If, when judging whether the parsed data information of the packet is high-risk abnormal traffic, it is determined to be high-risk, that is, abnormal traffic of a high hazard level that directly harms the normal functions of the operating system and the device terminal, the packet corresponding to the abnormal traffic is discarded or isolated.
If the parsed data information is not high-risk abnormal traffic, it is determined that the abnormal traffic does not directly harm the normal functions of the operating system and the device terminal and is ordinary abnormal traffic with a hazard grade, and the packet judged to be abnormal traffic is processed according to the policy information generated by the external APP. Classifying abnormal traffic into high-risk and non-high-risk and processing each class accordingly further avoids wasting system resources.
Example 3:
Referring to fig. 4, a third embodiment of the present invention provides a method for processing abnormal traffic in an SDN framework based on the second embodiment shown in fig. 3, where after step S33, "if the parsed data information is not high-risk abnormal traffic, sending prompt information corresponding to the parsed data information to the external security APP, so that the packet corresponding to the parsed data information is processed according to the decision information the external security APP returns in response to the prompt information", the method further includes:
Step S34, obtaining the decision information returned by the external security APP in response to the prompt information;
The decision information is the processing decision returned by the user in response to the prompt information.
Step S35, converting the decision information into traffic policy information;
The decision information is converted into traffic policy information that can be interpreted directly in the SDN framework.
Step S36, changing the route of the abnormal traffic or prohibiting the abnormal traffic from entering the network according to the traffic policy information.
Detected abnormal traffic of relatively low hazard level is reported to the external security APP as an alarm; the user makes a decision based on the alarm content, and the SDN controller translates the user's decision into a traffic policy and issues it to the network devices, which changes the route of the abnormal traffic in the network or prohibits it from entering the network. For example, if traffic from an address or certain network segments is found to be abnormal, it may be desirable to isolate traffic from those locations; through the processing mode set by the external APP, the SDN controller generates the corresponding access control rules to isolate that traffic.
Example 4:
Referring to fig. 5, a fourth embodiment of the present invention provides a method for processing abnormal traffic in an SDN framework based on the first embodiment shown in fig. 2, where after step S20, "performing traffic detection on the parsed data information according to the abnormal traffic template library to generate a traffic detection result", the method further includes:
Step S40, if the traffic detection result indicates that the parsed data information is not abnormal traffic, acquiring behavior statistics for the parsed data information of the corresponding packet within a preset time, and performing traffic behavior characteristic detection on the parsed data information of the packet according to the abnormal traffic template library based on the behavior statistics, to generate a behavior characteristic detection result;
As described above, if the traffic detection result indicates that the parsed data information corresponding to the packet's data flow is not abnormal traffic, further behavior characteristic detection is required. Behavior statistics for the parsed data information of the packet within a preset time are acquired: the received packet data flow is parsed, and the characteristic data in the parsed data information is extracted and counted to produce the statistics. The statistics may include, but are not limited to, the rate and characteristic values of the packet's data flow within the preset time; in behavior characteristic detection, this characteristic data is compared with the related data in the abnormal traffic template library to obtain the behavior characteristic detection result.
Behavior characteristic detection may extract a characteristic value of the traffic, compare it with the content characteristic information set in the abnormal traffic template library, and classify and count the traffic accordingly. Based on the count of a certain type of traffic over a period of time, if the count reaches the upper limit set for that type of traffic in the abnormal traffic template library, the traffic is considered abnormal. For example, if more than 1,000,000 ICMP packets are sent within 1 second, a DDoS attack is considered to have occurred.
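The template library of step S20 and the windowed behavior check of step S40, written out as an added example in Python (not code from the patent): content-feature templates such as the Land attack rule are matched per packet, behavior-feature templates such as the SYN flood rule (10000 SYN packets within 5 seconds) count matching packets in a sliding time window, and the verdict follows the hazard level as in steps S31 to S33. The hazard level assigned to each template, the Packet fields and the sample traffic are this example's assumptions.

```python
"""Added example, not the patent's code: a minimal abnormal traffic template
library with per-packet content rules and sliding-window behavior rules."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass
class Packet:
    """Parsed data information: the header fields the description lists (assumed layout)."""
    ts: float          # arrival time in seconds
    proto: str         # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    length: int = 64
    syn: bool = False  # TCP SYN flag


@dataclass
class Template:
    name: str
    hazard: str                       # "high-risk", "dangerous" or "common"
    match: Callable[[Packet], bool]   # content feature, e.g. ip.src == ip.dst
    window_s: float = 0.0             # > 0 makes this a behavior-feature rule
    limit: int = 0                    # allowed matching packets per window


@dataclass
class Verdict:
    action: str                       # "forward", "drop" or "alert"
    template: Optional[Template] = None


class TemplateLibrary:
    """Step S20 (content check), step S40 (behavior check), steps S31-S33 (dispatch)."""

    def __init__(self, templates: List[Template]):
        self.templates = templates
        # One timestamp history per behavior rule; counts are per traffic type,
        # matching "the quantity of a certain type of traffic in a period of time".
        self._hist: Dict[str, Deque[float]] = {
            t.name: deque() for t in templates if t.window_s > 0
        }

    def content_check(self, pkt: Packet) -> Optional[Template]:
        for t in self.templates:
            if t.window_s == 0 and t.match(pkt):
                return t
        return None

    def behavior_check(self, pkt: Packet) -> Optional[Template]:
        hit = None
        for t in self.templates:
            if t.window_s == 0 or not t.match(pkt):
                continue
            q = self._hist[t.name]
            q.append(pkt.ts)
            while q and pkt.ts - q[0] > t.window_s:   # slide the window forward
                q.popleft()
            if len(q) > t.limit and hit is None:      # upper limit exceeded
                hit = t
        return hit

    def inspect(self, pkt: Packet) -> Verdict:
        t = self.content_check(pkt) or self.behavior_check(pkt)
        if t is None:
            return Verdict("forward")        # step S60: normal traffic
        if t.hazard == "high-risk":
            return Verdict("drop", t)        # step S32: discard or isolate
        return Verdict("alert", t)           # step S33: prompt the external security APP


def build_library() -> TemplateLibrary:
    """Templates from the description; the hazard levels are this example's assumption."""
    return TemplateLibrary([
        Template("Land attack", "high-risk", lambda p: p.src == p.dst),
        Template("SYN flood", "dangerous",
                 lambda p: p.proto == "TCP" and p.syn, window_s=5.0, limit=10000),
        Template("ICMP flood", "dangerous",
                 lambda p: p.proto == "ICMP", window_s=1.0, limit=1_000_000),
    ])


def replay(lib: TemplateLibrary, packets: List[Packet]) -> List[str]:
    """Inspect a packet sequence in arrival order and return the action for each packet."""
    return [lib.inspect(p).action for p in packets]


if __name__ == "__main__":
    lib = build_library()
    # Constructed sample traffic: one Land packet, then a 10001-packet SYN burst in 4 s.
    land = Packet(0.0, "TCP", "10.0.0.7", "10.0.0.7", syn=True)
    burst = [Packet(i * 0.0004, "TCP", "10.0.0.2", "10.0.0.9", syn=True)
             for i in range(10001)]
    actions = replay(lib, [land] + burst)
    print(actions[0], actions[-2], actions[-1])   # drop forward alert
```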
Step S50, if the behavior feature detection result indicates that the parsed data information is abnormal traffic, processing the message corresponding to the abnormal traffic according to the abnormal traffic template library.
If, according to the behavior feature detection result based on the behavior statistics of the data stream, the data stream of the message is abnormal traffic, the method returns to the step of processing the message corresponding to the abnormal traffic according to the abnormal traffic template library: the data stream is further judged as to whether it is high-risk abnormal traffic, and corresponding processing is then carried out according to the judgment result.
Step S60, if the behavior feature detection result indicates that the parsed data information is not abnormal traffic, marking the parsed data information as normal traffic.
The analysis data information comprises message header information and message content information.
After the message information is parsed, if the parsed data information is determined not to be abnormal traffic, the data stream of the message is judged overall to be normal traffic, and further data interaction can take place.
As mentioned above, the message header information may include, but is not limited to, the packet length, protocol type (ICMP, IGMP, TCP, UDP, etc.), source IP, destination IP, etc.; the message content information may include specific transmission content.
In addition, referring to fig. 6, the present invention further provides an abnormal traffic processing apparatus in an SDN framework, including: the analysis module 10, the inspection module 20 and the processing module 30;
the analysis module 10 is configured to analyze a data stream of the packet to obtain analysis data information;
the inspection module 20 is configured to perform traffic inspection on the analysis data information according to an abnormal traffic template library to generate a traffic inspection result; the abnormal flow template library comprises preset content characteristics and behavior characteristics of abnormal flow;
the processing module 30 is configured to, if the traffic inspection result indicates that the analyzed data information is abnormal traffic, process the packet corresponding to the abnormal traffic according to the abnormal traffic template library.
In addition, the present invention also provides a user terminal, which includes a memory and a processor, where the memory is used to store an abnormal traffic handling program in an SDN framework, and the processor runs the abnormal traffic handling program in the SDN framework to make the user terminal execute the abnormal traffic handling method in the SDN framework.
In addition, the present invention also provides a computer-readable storage medium, where an abnormal traffic handling program in an SDN framework is stored on the computer-readable storage medium, and when executed by a processor in the SDN framework, the abnormal traffic handling program implements the abnormal traffic handling method in the SDN framework.
In addition, referring to figs. 7-9, the present invention further provides an SDN security framework. To better understand the SDN security framework provided by the present invention, and the abnormal traffic handling method in the SDN framework implemented by an abnormal traffic handling program running in this SDN security framework, the SDN security framework includes the following parts: an external security APP, SDN network devices, an SDN controller and an abnormal traffic management server;
The external security APP sits at the top of the SDN framework, the SDN network devices sit at the bottom, and the SDN controller in the middle, together with the abnormal traffic management server connected to it, form the core of the SDN framework;
The functions of the external security APP mainly include: managing the abnormal traffic template library, i.e. adding, modifying and dynamically loading abnormal traffic templates; and monitoring alarm information about abnormal traffic and handling the abnormal traffic found in the network accordingly according to that alarm information;
The SDN network devices serve the control plane through the control plane's southbound interface, or receive configuration policies from the control plane and apply them.
The modules of the security function design in the SDN controller comprise:
a flow acquisition module: collecting flow information of a data plane;
a flow rule generation module: generating a flow forwarding rule;
a flow sending module: sending network flow information acquired by an SDN controller to an abnormal flow management server for detection;
a processing result receiving module: receiving the traffic processing result from the abnormal traffic management server, forwarding the abnormal traffic to the abnormal traffic processing module for processing, and recording the abnormal traffic in the abnormal traffic log;
an abnormal traffic processing module: according to the traffic processing result from the abnormal traffic management server, directly discarding and isolating traffic of high hazard level; for abnormal traffic that is not of high hazard level, translating the user's decision, made through the external APP's handling mode, into a traffic policy and then issuing that policy to the network devices;
an abnormal flow log module: storing history information of the detected abnormal flow;
an abnormal flow monitoring module: sending abnormal flow detected by the SDN controller to an external safety APP in a warning mode;
an abnormal flow template management module: and receiving configuration information of the external safety APP, and sending the received abnormal flow template management instruction to the abnormal flow management server for abnormal flow template management.
The abnormal traffic management server receives the traffic collected by the SDN controller and analyzes and detects it. It mainly comprises the following modules:
a flow receiving module: receiving flow collected by an SDN controller;
a flow classification module: classifying the traffic according to the content characteristics and the behavior characteristics of the traffic or the combination of the content characteristics and the behavior characteristics;
a traffic detection module: according to the traffic classification and in combination with the abnormal traffic template library, analyzing the traffic with a method that combines message content features and message behavior;
a traffic processing result sending module: sending a detection result of the flow to an SDN controller;
an abnormal flow template library management module: adding, modifying and deleting abnormal flow template items to the abnormal flow template library;
abnormal flow template library: and storing a template of the abnormal traffic, wherein the content comprises content characteristics, behavior characteristics, hazard levels, suggested processing modes and the like of the abnormal traffic.
The SDN security framework provided by the invention combines an abnormal flow management server to increase an abnormal flow detection processing function, and provides a method for detecting and processing abnormal flow; meanwhile, the abnormal flow template is dynamically loaded by combining the safety application APP, and the safety of the SDN framework is effectively enhanced by processing the abnormal flow.
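The detection and handling procedure of steps S20 to S60 above, and the detection/processing split between the abnormal traffic management server and the SDN controller just described, as an added Python example that is not part of the patent or of any product. The template entries, the sliding-window counting and the `ask_external_app` callback standing in for the external security APP are assumptions.

```python
from collections import deque

# Constructed abnormal-traffic template library (illustrative entries, not the
# patent's; it gives only the "ICMP messages per second" example). "signature" is a
# content feature compared with the message content; "match" plus "window" (seconds)
# and "max_count" are behavior features, i.e. the upper limit for that traffic type
# within the window. "hazard" and "suggested" are hazard level and suggested handling.
TEMPLATES = {
    "nop_sled_payload": {"signature": b"\x90\x90\x90\x90", "hazard": "high",
                         "suggested": "drop"},
    "icmp_flood": {"match": {"protocol": "ICMP"}, "window": 1.0, "max_count": 1_000_000,
                   "hazard": "high", "suggested": "isolate"},
    "udp_burst": {"match": {"protocol": "UDP"}, "window": 10.0, "max_count": 5,
                  "hazard": "low", "suggested": "prompt"},
}


class AbnormalTrafficDetector:
    def __init__(self, templates):
        self.templates = templates
        # Per-template timestamps of recent matching messages (the behavior statistics).
        self.history = {n: deque() for n, t in templates.items() if "match" in t}

    @staticmethod
    def parse(raw):
        """Step S10: split a constructed message into header information and content."""
        header = {k: raw[k] for k in ("length", "protocol", "src_ip", "dst_ip")}
        return {"header": header, "content": raw.get("payload", b"")}

    def content_check(self, parsed):
        """Step S20: compare message content with the library's content features."""
        for name, t in self.templates.items():
            if t.get("signature") and t["signature"] in parsed["content"]:
                return name
        return None

    def behavior_check(self, parsed, now):
        """Step S40: classify by header fields, count per sliding window, compare limit."""
        for name, t in self.templates.items():
            if "match" not in t:
                continue
            if any(parsed["header"].get(k) != v for k, v in t["match"].items()):
                continue
            q = self.history[name]
            q.append(now)
            while q and now - q[0] > t["window"]:
                q.popleft()
            if len(q) > t["max_count"]:
                return name
        return None

    @staticmethod
    def to_flow_policy(decision, header):
        """Turn the external APP's decision into flow policy information for the device."""
        match = {k: header[k] for k in ("protocol", "src_ip", "dst_ip")}
        action = "drop" if decision == "block" else "redirect"   # forbid entry / reroute
        return {"match": match, "action": action}

    def process(self, raw, now, ask_external_app):
        """Steps S20-S60 in order; ask_external_app(name) returns 'block' or 'reroute'."""
        parsed = self.parse(raw)
        name = self.content_check(parsed) or self.behavior_check(parsed, now)
        if name is None:
            return {"action": "normal"}
        t = self.templates[name]
        if t["hazard"] == "high":          # Step S30: discard or isolate directly
            return {"action": t["suggested"], "template": name}
        decision = ask_external_app(name)  # prompt information -> decision information
        return {"action": "policy", "template": name,
                "policy": self.to_flow_policy(decision, parsed["header"])}
```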
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (7)

1. An abnormal traffic processing method in an SDN framework is characterized by comprising the following steps:
analyzing the data flow of the message to obtain analyzed data information;
carrying out flow detection on the analysis data information according to an abnormal flow template library to generate a flow detection result; the abnormal flow template library comprises preset content characteristics and behavior characteristics of abnormal flow;
if the flow detection result indicates that the analysis data information is abnormal flow, judging whether the analysis data information is high-risk abnormal flow according to the abnormal flow template base;
if the analyzed data information is the high-risk abnormal flow, discarding or isolating the message corresponding to the data information;
if the analyzed data information is not the high-risk abnormal flow, sending prompt information corresponding to the analyzed data information to an external safety APP, obtaining decision information returned by the external safety APP according to the prompt information, converting the decision information into flow strategy information, and changing the route of the abnormal flow or forbidding the abnormal flow from entering a network according to the flow strategy information.
2. The method for processing abnormal traffic in the SDN framework according to claim 1, wherein after performing traffic inspection on the parsed data information according to an abnormal traffic template library to generate a traffic inspection result, the method further comprises:
if the flow detection result indicates that the analysis data information is not abnormal flow, acquiring behavior statistical data of the analysis data information corresponding to the message within preset time, and performing flow behavior characteristic detection on the analysis data information of the message according to the abnormal flow template base based on the behavior statistical data to generate a behavior characteristic detection result;
and if the behavior characteristic detection result indicates that the analyzed data information is abnormal flow, processing the message corresponding to the abnormal flow according to the abnormal flow template library.
3. The abnormal traffic processing method in the SDN framework according to claim 2, wherein after performing traffic behavior feature detection on the parsed data information and generating a behavior feature detection result if the traffic verification result indicates that the parsed data information is not abnormal traffic, the method further comprises:
and if the behavior characteristic detection result indicates that the analysis data information is not abnormal flow, recording the analysis data information as normal flow.
4. The method for handling abnormal traffic in the SDN framework, according to any one of claims 1-3, wherein the parsing data information comprises message header information and message content information.
5. An abnormal traffic processing device in an SDN framework is characterized by comprising: the system comprises an analysis module, a detection module and a processing module;
the analysis module is used for analyzing the data stream of the message to obtain analysis data information;
the inspection module is used for carrying out flow inspection on the analysis data information according to an abnormal flow template library to generate a flow inspection result; the abnormal flow template library comprises preset content characteristics and behavior characteristics of abnormal flow;
the processing module is used for judging whether the analysis data information is high-risk abnormal flow according to the abnormal flow template base if the flow inspection result indicates that the analysis data information is abnormal flow; if the analyzed data information is the high-risk abnormal flow, discarding or isolating the message corresponding to the data information; if the analyzed data information is not the high-risk abnormal flow, sending prompt information corresponding to the analyzed data information to an external safety APP, obtaining decision information returned by the external safety APP according to the prompt information, converting the decision information into flow strategy information, and changing the route of the abnormal flow or forbidding the abnormal flow from entering a network according to the flow strategy information.
6. A user terminal, comprising a memory for storing an abnormal traffic handling program in an SDN framework, and a processor for executing the abnormal traffic handling program in the SDN framework to make the user terminal execute the abnormal traffic handling method in the SDN framework according to any one of claims 1 to 4.
7. A computer-readable storage medium, wherein the computer-readable storage medium stores thereon an abnormal traffic handling program in an SDN architecture, and when executed by a processor, the abnormal traffic handling program in the SDN architecture implements the abnormal traffic handling method in the SDN architecture according to any one of claims 1 to 4.
CN201810122369.8A 2018-02-07 2018-02-07 Abnormal traffic processing method and device in SDN framework and user terminal Active CN108199906B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810122369.8A CN108199906B (en) 2018-02-07 2018-02-07 Abnormal traffic processing method and device in SDN framework and user terminal

Publications (2)

Publication Number Publication Date
CN108199906A CN108199906A (en) 2018-06-22
CN108199906B true CN108199906B (en) 2021-03-30

Family

ID=62593263

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810122369.8A Active CN108199906B (en) 2018-02-07 2018-02-07 Abnormal traffic processing method and device in SDN framework and user terminal

Country Status (1)

Country Link
CN (1) CN108199906B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108900518B (en) * 2018-07-09 2020-12-29 南京邮电大学 Credible software-defined cloud network data distribution system
CN111698168B (en) * 2020-05-20 2022-06-28 北京吉安金芯信息技术有限公司 Message processing method, device, storage medium and processor
CN113068129A (en) * 2021-03-26 2021-07-02 中国工商银行股份有限公司 Method and device for low-delay switching of heterogeneous network based on trajectory prediction

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计系统技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
CN106559407A (en) * 2015-11-19 2017-04-05 国网智能电网研究院 A kind of Network traffic anomaly monitor system based on SDN
CN107623663A (en) * 2016-07-15 2018-01-23 阿里巴巴集团控股有限公司 Handle the method and device of network traffics

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9806973B2 (en) * 2014-03-18 2017-10-31 Ciena Corporation Bandwidth analytics in a software defined network (SDN) controlled multi-layer network for dynamic estimation of power consumption

Also Published As

Publication number Publication date
CN108199906A (en) 2018-06-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant