CN113810405A - SDN network-based path jump dynamic defense system and method - Google Patents
Publication number: CN113810405A (application number CN202111078197.7A)
Authority: CN (China)
Legal status: Pending (an assumption by Google Patents, not a legal conclusion)
Classifications
- H04L63/20: Network architectures or protocols for network security; managing network security, network security policies in general
- H04L45/02: Routing or path finding of packets in data switching networks; topology update or discovery
- H04L45/20: Routing or path finding of packets in data switching networks; hop count for routing purposes, e.g. TTL
- H04L63/1416: Detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/1458: Countermeasures against malicious traffic; denial of service
- Y02D30/00: Reducing energy consumption in communication networks
Abstract
The invention discloses a path hopping dynamic defense system and method based on an SDN network. The system comprises a hopping route management module, a path hopping decision module and a hopping route implementation module: the hopping route management module constructs a hopping route set that satisfies the constraint conditions, the path hopping decision module generates the optimal combination of hopping route and hopping period, and the hopping route implementation module updates the configuration of the generated hopping route. Building on random path hopping, the optimal path hopping algorithm uses the global view of the SDN and hopping constraints based on satisfiability modulo theories (SMT) to formally specify and reduce the performance constraints that routing nodes and forwarding links in a forwarding path must meet, so that transient problems do not arise during path hopping. At the same time, drawing on the idea of maximum flow minimum cut, an optimal hopping path generation method based on a security capacity matrix is provided; it selects the optimal combination of hopping path and hopping period, improves resistance to passive monitoring, and maximizes the defense benefit.
Description
Technical Field
The invention relates to a dynamic defense system and method for path hopping, in particular to a path hopping defense system based on an SDN network and a method for implementing it.
Background
Network attackers spend 95% of their time gathering information about the target network and planning attack methods. Network scanning, as the pilot technique and initial stage of virtually every attack method, therefore plays an irreplaceable role in the effective execution of a network attack. Although existing defense methods have matured considerably, cognitive limitations make it difficult for defenders to make use of all vulnerability information, and the immobility of their mechanisms makes traditional defense methods hard pressed to withstand the continuous probing and long-term analysis an attacker performs in the offline stage. End-node information, namely IP addresses and port information, is an organic component of the network attack surface and the main object of network scanning, and has become an important network attribute in urgent need of protection. With the continuous development of network scanning technology, scanning attacks adopt different scanning strategies tailored to the structural characteristics of different network information systems, which greatly improves their effectiveness. On the other hand, the determinism and static nature of existing network information systems lower the difficulty of the attacker's scanning. Therefore, the advancement of network scanning technology and the targeting of its strategies, together with the static nature of existing network architectures and the determinism of information systems, not only leave the traditional security defense model unfit for this new type of threat, but also further worsen the asymmetry between the attacking and defending sides.
There are two existing ways to implement path hopping.
1) Deterministic multipath random selection obtains, in advance, as many forwarding paths with disjoint routing nodes as possible, and then randomly generates a different forwarding path at each hop. The document "Formal approach for route agility against persistent attackers" proposes the random route mutation (RRM) method, which formalizes the constraint conditions a forwarding path must satisfy using satisfiability modulo theories (SMT) and solves for the forwarding paths that can be generated. Compared with single-path forwarding in a static network, this approach can resist about 90% of link eavesdropping. The document "SDN-Based Private Interconnection" proposes a multipath hopping scheme based on an n-k threshold: the data flow of one session is divided into n parts, and fewer than k parts are allowed to be forwarded over the same path, which prevents passive monitoring during data transmission.
2) Random route hopping randomly selects the next-hop routing node, from routing nodes determined in advance to meet the requirements, to forward the data flow, and thereby realizes hopping. The article "Secure data collection in wireless sensor networks using randomized dispersive routes" achieves secure data transmission in a wireless network by designing a random route generation algorithm; "Game theoretic stochastic routing for fault tolerance and security in computer networks" computes multiple forwarding paths from a source node to a destination node based on two game models and randomly generates hop routes on top of them to realize secure transmission; "Agile virtualized infrastructure to proactively defend against cyber attacks" increases the difficulty of attacker reconnaissance through virtual mobile routing in order to defend against DDoS attacks.
The problems existing in the prior art are as follows:
1) Because generation of the hopping path does not comprehensively consider the performance constraints of routing nodes and forwarding links, transient problems occur during path hopping and the availability of path hopping is reduced.
2) Because the hopping routing nodes and the hopping period are generated unreasonably, the implementation of path hopping cannot fully exert its defensive capability.
Disclosure of Invention
In view of this, the present invention provides a path hopping dynamic defense system and method based on an SDN network, which avoids transient problems in the hopping process by constraining the performance of nodes and forwarding links, and improves network defense capability by generating the hopping path and hopping period reasonably.
To solve the above technical problems, the technical scheme of the invention is a path hopping dynamic defense method based on an SDN network, comprising the following steps:
acquiring the global network topology and, on that basis, periodically acquiring the state information of the hopping routers in the network through port state request messages;
after receiving a port state request message, a hopping router reports its state information in the form of a port state reply message;
formally specifying the conditions a hopping route must meet, and constructing a hopping route set that satisfies the constraint conditions from the network topology, route state and similar information;
generating the optimal combination of hopping path and hopping period; and
configuring the hopping route according to that optimal combination of hopping path and hopping period.
As an improvement, the global network topology is obtained using the Link Layer Discovery Protocol (LLDP).
As a further improvement, the conditions a hopping route must meet are defined by a hopping constraint specification based on satisfiability modulo theories (SMT). A Boolean variable indicates whether routing node v forwards the k-th data flow during hopping period $T_{RMP}$ (true if it forwards it, false otherwise); another Boolean variable indicates whether forwarding link e carries the k-th data flow during hopping period $T_{RMP}$ (true if the flow traverses the link, false otherwise). The hopping path should satisfy:
forwarding path capacity constraints;
forwarding path delay constraints;
forwarding path reachability constraints.
As another further improvement, the hopping path should satisfy the following forwarding path capacity constraints:
Formula I represents the marginal cost function for adding a new flow entry; σ is an adjusting parameter, with σ = 2n, where n is the number of network routing nodes; the formula is expressed in terms of the utilization rate of the flow table after the forwarding information of the k-th data flow has been added to routing node v.
Formula II states that the marginal cost of cumulatively adding flow entries must lie within the range the selected routing node can bear, and that the remaining flow table length must not be less than the minimum amount routing node $MR_v$ needs to keep in reserve.
Formula III represents the marginal cost of forwarding a data flow, in terms of the bandwidth utilization after the k-th data flow has been routed over forwarding link e.
Formula IV states that the marginal cost of cumulative bandwidth consumption must lie within the range the selected forwarding link can carry, and that the remaining bandwidth must not be less than the minimum amount forwarding link $ML_e$ needs to keep in reserve.
As a further improvement, the hopping path should satisfy the following forwarding path delay constraints:
Formula V states that the forwarding path length of each data flow cannot exceed the set maximum value $L_{max}$;
Formula VI requires that the difference between the minimum transmission delay among the candidate forwarding paths for the next hopping period and the maximum transmission delay of the existing forwarding path be less than the minimum inter-packet delay.
As a further improvement, the hopping path should satisfy the following forwarding path reachability constraints:
Formula VII states that on the forwarding path the in-degree and out-degree of every routing node are equal;
Formula VIII states that each forwarding routing node in the path is physically adjacent to its previous-hop and next-hop routing nodes, where $\chi(MR_v)$ denotes the set of forwarding routing nodes that remain after removing from the forwarding path the routers to which the source and destination addresses belong;
Formula IX states that the distance from the next-hop routing node to the destination node is not greater than the distance from the current forwarding node to the destination routing node, the distance being measured from $MR_v$ to the destination node.
As an improvement, the optimal hopping path is generated from the security capacity matrix using the maximum flow minimum cut theorem.
As a further improvement, generating the optimal hopping path includes:
$$sc_{S,D} = c_{S,D} \cdot \omega^{s}_{S,D} \qquad \text{(X)}$$
Formula X composes the maximum residual capacity $c_{S,D}$ between S and D with the safety factor $\omega^{s}_{S,D}$; here $n = |N|$ denotes the number of network forwarding routing nodes, and $sc_{S,D}$ denotes the resource capacity of routing nodes and forwarding links over which any path from source node $S \in N$ to destination node $D \in N$ can forward securely.
Formula XI shows that the safety factor is determined by the listening strategy adopted by the attacker and the hopping strategy adopted by the defender: the attacker maximizes its attack gain by choosing among listening strategies $a \in A$, that is, by minimizing $\omega^{s}_{S,D}$, and the defender maximizes the gain of hopping defense by generating hopping strategies $d \in D$, that is, by maximizing $\omega^{s}_{S,D}$. Within time T the attacker listens $R_A = T / r_A$ times and the defender hops $R_D = T / T_{RMP}$ times; the safety factor further depends on the probability that the attacker listens on the j-th link and the probability $P_j$ that a data packet traverses the j-th link.
The invention also provides a path hopping dynamic defense system based on an SDN network, comprising:
a hopping route management module, which constructs a hopping route set conforming to the constraint conditions from the collected routing node states and network topology information and from the constraints the routing nodes and forwarding paths must satisfy;
a path hopping decision module, which generates the optimal combination of hopping path and hopping period with an optimal hopping path generation method based on the security capacity matrix;
and a hopping route implementation module, which deploys and issues flow tables according to the generated hopping path so as to update the hopping route configuration.
As an improvement, the hopping route implementation module installs flow table entries on the routing nodes of the hopping path in reverse order, from the destination node to the source node, and deletes the old flow table rules in forward order, from the source node to the destination node.
The advantages of the invention are:
(1) With a non-detection defense theory at its core, the system increases the complexity and cost of carrying out an attack through dynamic change of the forwarding path.
Based on that theory, the system realizes dynamic change of the transmission path in the network through continuous transformation of the forwarding path; by raising the apparent uncertainty of the network structure, it increases the difficulty and cost for a malicious adversary of correctly identifying and precisely locating target nodes.
(2) The optimal combination of hopping path and hopping period is generated by an optimal path hopping generation method based on the security capacity matrix, so as to maximize the defense benefit.
Drawing on the idea of maximum flow minimum cut, an optimal hopping path generation method based on the security capacity matrix is provided; it generates the optimal combination of hopping path and hopping period, improves resistance to passive monitoring, and maximizes the defense benefit.
(3) The constraints path hopping must satisfy can be formally specified and reduced through satisfiability modulo theories, which prevents the transient problems caused by path hopping.
According to the global view of the software defined network (SDN) and hopping constraints based on SMT (satisfiability modulo theories), the performance constraints that routing nodes and forwarding links in a forwarding path must meet are formally specified, which prevents transient problems during path hopping and keeps the performance cost of forwarding path switching controllable.
Drawings
FIG. 1 is a schematic diagram of a topology and functional modules according to the present invention.
FIG. 2 is a flow chart of the present invention.
Detailed Description
In order that those skilled in the art will better understand the technical solutions of the present invention, the present invention will be further described in detail with reference to the following embodiments.
As shown in FIG. 1, the present invention provides a path hopping dynamic defense system based on an SDN network. It is deployed in a software defined network (SDN) and comprises a hopping controller (RC) and several hopping routers (MR). Path transformation relies mainly on the SDN's whole-network view and centralized control: the path hopping decision and its deployment are made centrally, and the hopping is carried out cooperatively by the MRs and the RC.
The RC in turn comprises three functional modules:
a hopping route management module, which constructs a hopping route set conforming to the constraint conditions from the collected routing node states and network topology information and from the constraints the routing nodes and forwarding paths must satisfy;
a path hopping decision module, which generates the optimal combination of hopping path and hopping period with an optimal hopping path generation method based on the security capacity matrix;
and a hopping route implementation module, which deploys and issues flow tables according to the generated hopping path so as to update the hopping route configuration. A path hopping update has to issue and configure new flow table entries on several MRs, and inconsistent flow table configuration arises easily while the update is in progress. The update therefore proceeds by "reverse-order add, sequential delete": the hopping controller installs the new flow table entries on the routing nodes of the hopping path in reverse order, from the destination node to the source node, and then deletes the old flow table rules in forward order, from the source node to the destination node.
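To see why the update order matters, the following simulation, added here as an illustration and not code from the patent, models each node's flow table as versioned rules in which the newest version wins (the role OpenFlow priorities play), applies one controller operation per step, and lets packets advance hops_per_step links per step so that the relative speed of data plane and control plane can be varied. The paths, node names and speeds are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

Rule = Tuple[int, str]          # (version, next_hop); the highest version wins, like an OpenFlow priority
Tables = Dict[str, List[Rule]]  # routing node -> rules installed for this flow


def next_hop(tables: Tables, node: str) -> Optional[str]:
    """Highest-version rule at this node, or None when the node has no rule (a black hole)."""
    rules = tables.get(node)
    return max(rules)[1] if rules else None


def update_sequence(old_path: List[str], new_path: List[str], reverse_add: bool = True,
                    sequential_delete: bool = True, old_ver: int = 1, new_ver: int = 2):
    """Initial tables for old_path plus the ordered single-node operations the controller issues."""
    tables: Tables = {n: [(old_ver, old_path[i + 1])] for i, n in enumerate(old_path[:-1])}
    new_hops = {n: new_path[i + 1] for i, n in enumerate(new_path[:-1])}
    add_order = new_path[-2::-1] if reverse_add else new_path[:-1]        # destination-first or source-first
    del_order = old_path[:-1] if sequential_delete else old_path[-2::-1]  # source-first or destination-first
    ops = [("add", n, (new_ver, new_hops[n])) for n in add_order]
    ops += [("del", n, old_ver) for n in del_order]
    return tables, ops


def simulate(old_path: List[str], new_path: List[str], hops_per_step: int,
             max_steps: int = 200, **kw) -> Tuple[int, int]:
    """One controller operation is applied per step; every packet then advances up to
    hops_per_step links, so hops_per_step is the data-plane speed relative to the control plane.
    A new packet enters at the source each step until the last operation has been applied.
    Returns (delivered, dropped); a packet is dropped when it reaches a node without a rule."""
    src, dst = old_path[0], old_path[-1]
    tables, ops = update_sequence(old_path, new_path, **kw)
    in_flight = [src]
    delivered = dropped = 0
    for _ in range(max_steps):
        if ops:
            kind, node, payload = ops.pop(0)
            if kind == "add":
                tables.setdefault(node, []).append(payload)
            else:                                   # delete every rule of the old version
                tables[node] = [r for r in tables.get(node, []) if r[0] != payload]
        survivors = []
        for node in in_flight:
            for _hop in range(hops_per_step):
                if node == dst:
                    break
                node = next_hop(tables, node)
                if node is None:
                    break
            if node is None:
                dropped += 1
            elif node == dst:
                delivered += 1
            else:
                survivors.append(node)
        in_flight = survivors + ([src] if ops else [])
        if not in_flight and not ops:
            break
    return delivered, dropped


if __name__ == "__main__":
    old, new = ["S", "A", "B", "D"], ["S", "C", "E", "D"]
    for label, speed, kw in [("reverse add + sequential delete, slow data plane", 1, {}),
                             ("reverse add + sequential delete, fast data plane", 2, {}),
                             ("forward add, fast data plane", 2, {"reverse_add": False}),
                             ("reverse delete, slow data plane", 1, {"sequential_delete": False})]:
        print(label, simulate(old, new, speed, **kw))
```

With reverse-order add and sequential delete no packet is lost whether the data plane is faster or slower than the controller. Installing source-first drops packets as soon as the data plane outruns the controller, because the source already forwards onto a path whose downstream rules do not exist yet; deleting destination-first drops packets still in flight on the old path whenever the controller is at least as fast as the data plane.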
The invention also provides a path hopping dynamic defense method based on the SDN network, comprising the following steps.
S1: The hopping route management module uses the Link Layer Discovery Protocol (LLDP) to obtain the global network topology and, on that basis, periodically obtains the state messages of the hopping routers in the network through port state request messages.
S2: After receiving a port state request message, a hopping router reports its state information to the hopping route management module in the form of a port state reply message.
S3: Based on conditions for the hopping route formally specified with satisfiability modulo theories (SMT), the hopping route management module constructs a hopping route set that satisfies the constraint conditions from the network topology, the route state fed back by the hopping routers and similar information.
Transient problems are the rapid degradation of network performance during hopping, which leads to packet misordering and an increased probability of packet loss. Packet misordering is the disruption of the forwarding order of data packets caused by the path migration; packet loss is caused by insufficient capacity of forwarding nodes and links, unreachable forwarding paths and inconsistent flow table updates. Since both can further trigger the TCP retransmission mechanism, TCP performance degrades in a network that implements path hopping, which reduces the availability of path hopping. To guarantee network service quality and improve the availability of hopping, the invention adopts SMT-based hopping constraints to formally specify the constraint conditions a hopping path must meet from three aspects, forwarding path capacity, transmission delay and reachability, and combines them with a "reverse-order add, sequential delete" flow table update method to prevent the transient problems caused by switching the hopping path.
The network resource capacity in path hopping refers to the remaining available resources of the routing nodes and forwarding links in the network system. The remaining available resources of a routing node depend mainly on its remaining available flow table entries, since the node's CPU consumption, remaining storage and so on are positively correlated with the size of the flow table; the remaining available resources of a forwarding link depend mainly on its remaining available bandwidth. Because real networks carry many intersecting flows, the overhead of a routing node or forwarding link is the sum of the costs of all data flows passing through that node or link at a given moment. A Boolean variable is defined to indicate whether routing node v forwards the k-th data flow during hopping period $T_{RMP}$ (true if it forwards it, false otherwise); analogously, another Boolean variable indicates whether forwarding link e carries the k-th data flow during hopping period $T_{RMP}$ (true if the flow traverses the link, false otherwise). The hopping path must satisfy the following three constraints:
1) Forwarding path capacity constraint: this constraint prevents the packet loss caused by data overflow by selecting routing nodes that can bear the accumulated flow table size and forwarding links that can carry the accumulated forwarded data flows.
An exponential function of marginal cost is widely used to quantify the performance consumption of network resources under different conditions, such as the consumption of routing nodes and forwarding paths in unicast or multicast; this technique therefore quantifies the resource overhead of routing nodes and forwarding links with an exponential marginal-cost function.
Formula I represents the marginal cost function for adding a new flow entry. σ is an adjusting parameter whose value is set to 2n after analysis, n being the number of network routing nodes, and the formula is expressed in terms of the utilization rate of the flow table after the forwarding information of the k-th data flow has been added to routing node v.
Formula II states that the marginal cost of cumulatively adding flow entries must lie within the range the selected routing node can bear, and that the remaining flow table length must not be less than a reserve, so that problems such as data overflow do not occur; the reserve is the minimum amount routing node $MR_v$ needs to keep.
Similar to Formula I, Formula III represents the marginal cost of forwarding a data flow, in terms of the bandwidth utilization after the k-th data flow has been routed over forwarding link e.
Formula IV states that the marginal cost of cumulative bandwidth consumption must lie within the range the selected forwarding link can carry, and that the remaining bandwidth must not be less than a reserve, so that the forwarding link retains capacity to absorb data fluctuations due to load balancing, network jitter and the like; the reserve is the minimum amount forwarding link $ML_e$ needs to keep.
2) Forwarding path delay constraint: this constraint prevents the packet misordering that arises during hopping by selecting forwarding paths whose total transmission delay meets the condition and whose delay difference from the current hopping path is smaller than the inter-packet delay.
Formula V states that the forwarding path length of each data flow cannot exceed the set maximum $L_{max}$. Because transmission delay is positively correlated with the number of routing nodes in the forwarding path, limiting the path length prevents the reduction in network service quality caused by excessive transmission delay.
Formula VI checks whether the difference between the minimum transmission delay among the candidate forwarding paths for the next hopping period and the maximum transmission delay of the existing forwarding path is smaller than the minimum inter-packet delay, so that migrating between the forwarding paths of adjacent hopping periods does not cause additional packet misordering.
3) Forwarding path reachability constraint: this constraint prevents forwarding loops, and the packet loss they cause, by restricting the choice of forwarding routing nodes.
Formula VII states that on this forwarding path the in-degree and out-degree of every routing node are equal.
Formula VIII states that each forwarding routing node in the path is physically adjacent to its previous-hop and next-hop routing nodes; $\chi(MR_v)$ denotes the set of forwarding routing nodes that remain after the routers to which the source and destination addresses belong are removed from the forwarding path. However, forwarding a data flow from one node to an adjacent next-hop node does not by itself guarantee that the destination is reachable.
Therefore Formula IX constrains the distance between the forwarding node and the destination routing node: the distance from the next-hop routing node to the destination node must not be greater than the distance from the current forwarding node to the destination routing node, the distance being measured from $MR_v$ to the destination node. A further condition of the same group states that a data flow is not forwarded again once it has reached the destination routing node.
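The formulas themselves are not reproduced on this page, so the following is an added example, not the patent's code, of what a solver for step S3 has to compute: it enumerates the hopping route set for one flow by depth-first search, rejecting any extension that violates the capacity, delay or reachability conditions described above. The flow-table and link figures, the exponential form of the marginal-cost index (with σ = 2n as the patent sets it) and the budget and reserve thresholds are assumptions; a production implementation would hand the same conditions to an SMT solver such as Z3 rather than enumerate paths, but the enumeration makes the effect of each constraint visible.

```python
from collections import deque
from typing import Dict, List

# Constructed sample state, not the patent's data. Node names are single letters so that a link
# can be written frozenset("SA"); links are bidirectional.
NODES = {                           # node: (flow_table_size, entries_in_use, reserved_entries)
    "S": (1000, 100, 10), "A": (1000, 500, 10), "B": (1000, 200, 10),
    "C": (100, 98, 2), "E": (1000, 300, 10), "D": (1000, 50, 10),
}
LINKS = {                           # link: (bandwidth_mbps, used_mbps, reserve_mbps, delay_ms)
    frozenset("SA"): (100, 20, 5, 5), frozenset("SB"): (100, 30, 5, 5), frozenset("SE"): (100, 10, 5, 1),
    frozenset("AC"): (100, 20, 5, 5), frozenset("BC"): (100, 20, 5, 5), frozenset("AD"): (100, 95, 5, 5),
    frozenset("CD"): (100, 40, 5, 5), frozenset("BE"): (100, 20, 5, 5), frozenset("ED"): (100, 30, 5, 5),
}
ADJ = {n: sorted(v for link in LINKS if n in link for v in link if v != n) for n in NODES}
SIGMA = 2 * len(NODES)              # adjusting parameter sigma = 2n, as the patent sets it


def marginal_cost(before: float, after: float) -> float:
    """Assumed exponential marginal-cost index: extra cost of raising utilisation from before to after."""
    return SIGMA ** after - SIGMA ** before


def node_ok(node: str, entries: int = 1, budget: float = 1.0) -> bool:
    """Formulas I/II: marginal cost of the new entries within budget, and the reserve entries kept."""
    size, used, reserve = NODES[node]
    return (marginal_cost(used / size, (used + entries) / size) <= budget
            and size - (used + entries) >= reserve)


def link_ok(u: str, v: str, demand_mbps: float, budget: float = 1.0) -> bool:
    """Formulas III/IV: marginal cost of the extra bandwidth within budget, and the reserve kept."""
    bw, used, reserve, _delay = LINKS[frozenset((u, v))]
    return (marginal_cost(used / bw, (used + demand_mbps) / bw) <= budget
            and bw - (used + demand_mbps) >= reserve)


def hop_distance(dst: str) -> Dict[str, int]:
    """Hop distance of every node to the destination (BFS over the physical topology)."""
    dist = {dst: 0}
    queue = deque([dst])
    while queue:
        u = queue.popleft()
        for v in ADJ[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def hop_path_set(src: str, dst: str, demand_mbps: float, l_max: int,
                 existing_delay_ms: float, inter_packet_delay_ms: float) -> List[List[str]]:
    """Enumerate the hopping route set: every simple path from src to dst that satisfies the
    capacity, delay and reachability constraints, in a fixed (sorted-neighbour) order."""
    dist = hop_distance(dst)
    found: List[List[str]] = []

    def extend(path: List[str], delay_ms: float) -> None:
        u = path[-1]
        if u == dst:                                    # forwarding stops at the destination
            # Formula VI: a faster new path lets later packets overtake earlier ones on the old
            # path, so the delay reduction must stay below the inter-packet gap
            if existing_delay_ms - delay_ms < inter_packet_delay_ms:
                found.append(list(path))
            return
        if len(path) > l_max:                           # Formula V: at most l_max links
            return
        for v in ADJ[u]:
            if v in path or dist[v] > dist[u]:          # VII-IX: simple path, never move away from dst
                continue
            if not node_ok(v) or not link_ok(u, v, demand_mbps):
                continue
            extend(path + [v], delay_ms + LINKS[frozenset((u, v))][3])

    if node_ok(src):
        extend([src], 0.0)
    return found


if __name__ == "__main__":
    print(hop_path_set("S", "D", demand_mbps=10, l_max=3, existing_delay_ms=15.0, inter_packet_delay_ms=10.0))
```

On this topology node C is rejected because adding one more entry would eat into its reserved flow table space, and link A-D is rejected because a 10 Mbps flow would exceed its bandwidth, which removes every path through C or A-D. The two surviving paths both end over E-D; lowering the inter-packet delay to 8 ms drops the much faster path S-E-D as a reordering risk, and lowering $L_{max}$ to 2 links drops S-B-E-D instead.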
S4: The path hopping decision module generates the optimal combination of hopping path and hopping period from the security capacity matrix, using the maximum flow minimum cut theorem.
The optimal hopping path generation method selects the optimal combination of hopping path and hopping period according to the maximum flow minimum cut theorem, so as to improve resistance to passive monitoring and maximize the benefit of hopping defense. Because an attacker may maliciously monitor routing nodes and forwarding links, the existing notion of network resource capacity does not account for security: even when a routing node and forwarding link satisfy the three constraints of step S3, their usability decreases as the security risk increases. A network security capacity matrix is therefore defined on the basis of the network resource capacity matrix, and on top of it the optimal combination of hopping path and hopping period is selected with the maximum flow minimum cut theorem to maximize the benefit of path hopping.
The actual network can be represented by a directed graph G(N, L), where N is the set of nodes in the graph, representing the set of hopping routing nodes $\{MR_v\}$ in the SDN network, and L is the set of edges, representing the set of forwarding links $\{ML_e\}$. For any source node S and destination node D in G(N, L), a sequence $\{MR_S, ML_1, \ldots, MR_i, ML_i, \ldots, MR_D\}$ is recorded as a forwarding path from S to D in G.
Given a network G(N, L), it can be represented as a weighted directed graph with weights W = {C, B}, where C denotes the security capacity of the routing nodes and B denotes the secure bandwidth of the forwarding links.
The network security capacity matrix $Q = [sc_{S,D}]_{n \times n}$ is generated from this weighted graph, where $n = |N|$ is the number of network forwarding routing nodes and $sc_{S,D}$ denotes the resource capacity of routing nodes and forwarding links over which any path from source node $S \in N$ to destination node $D \in N$ can forward securely.
$$sc_{S,D} = c_{S,D} \cdot \omega^{s}_{S,D} \qquad \text{(X)}$$
As Formula X shows, it is composed of the maximum residual capacity $c_{S,D}$ between S and D and the safety factor $\omega^{s}_{S,D}$. $c_{S,D}$ is computed from the network state information collected online in real time.
$\omega^{s}_{S,D}$, given by Formula XI, is determined by the listening strategy adopted by the attacker and the hopping strategy adopted by the defender: the attacker maximizes its attack gain by choosing among listening strategies $a \in A$, that is, by minimizing $\omega^{s}_{S,D}$, and the defender maximizes the gain of hopping defense by choosing among hopping strategies $d \in D$, that is, by maximizing $\omega^{s}_{S,D}$. Accordingly, $\omega^{s}_{S,D}$ is related to the number of times the attacker listens within time T, $R_A = T / r_A$, the number of hops, $R_D = T / T_{RMP}$, the probability that the attacker listens on the j-th link, and the probability $P_j$ that a data packet traverses the j-th link.
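Formula XI is not reproduced on this page, so the following added example (not the patent's code) uses an assumed instantiation of the game: the defender round-robins the hop schedule over a chosen subset of candidate paths, which fixes $P_j$, and the attacker's best response to that distribution is to listen on the most-used link, so $\omega = 1 - \max_j P_j$. $c_{S,D}$ is computed with Edmonds-Karp, and the maximum flow minimum cut theorem is used the way the patent invokes it: the cut returned is the set of links whose capacities bound $sc_{S,D}$. The residual bandwidths, candidate paths, hopping periods and time horizon are constructed for the example.

```python
from collections import Counter, deque
from itertools import combinations
from math import inf
from typing import Dict, List, Tuple

# Constructed residual bandwidth (Mbps) of each bidirectional forwarding link, playing the role of
# the online-measured remaining capacity from which c_{S,D} is computed. Not the patent's data.
RESIDUAL_BW = {("S", "A"): 80, ("S", "B"): 70, ("S", "E"): 90, ("A", "C"): 80, ("B", "C"): 80,
               ("A", "D"): 5, ("C", "D"): 60, ("B", "E"): 80, ("E", "D"): 70}
# Candidate hopping paths assumed to have passed the SMT constraints of step S3.
CANDIDATES = [["S", "A", "C", "D"], ["S", "B", "E", "D"], ["S", "E", "D"]]

Graph = Dict[str, Dict[str, float]]


def capacity_graph() -> Graph:
    cap: Graph = {}
    for (u, v), bw in RESIDUAL_BW.items():
        cap.setdefault(u, {})[v] = float(bw)
        cap.setdefault(v, {})[u] = float(bw)
    return cap


def max_flow_min_cut(cap: Graph, src: str, dst: str) -> Tuple[float, List[Tuple[str, str]]]:
    """Edmonds-Karp. Returns c_{S,D} (the maximum flow) and the links of a minimum cut, which by
    the max-flow min-cut theorem carry exactly that much capacity."""
    res = {u: dict(nbrs) for u, nbrs in cap.items()}     # residual capacities
    total = 0.0
    while True:
        parent = {src: None}
        queue = deque([src])
        while queue and dst not in parent:             # BFS for a shortest augmenting path
            u = queue.popleft()
            for v, c in res[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            break
        bottleneck, v = inf, dst
        while parent[v] is not None:
            bottleneck = min(bottleneck, res[parent[v]][v])
            v = parent[v]
        v = dst
        while parent[v] is not None:
            u = parent[v]
            res[u][v] -= bottleneck
            res[v][u] += bottleneck
            v = u
        total += bottleneck
    source_side = set(parent)                          # nodes still reachable in the residual graph
    cut = sorted((u, v) for u in source_side for v in cap[u] if v not in source_side)
    return total, cut


def link_exposure(paths, r_d: int) -> Dict[frozenset, float]:
    """P_j: fraction of the R_D hopping periods whose path uses link j, for a round-robin schedule
    over the given paths (the defender strategy assumed here)."""
    schedule = [paths[i % len(paths)] for i in range(r_d)]
    counts = Counter(frozenset(p[i:i + 2]) for p in schedule for i in range(len(p) - 1))
    return {link: n / r_d for link, n in counts.items()}


def safety_factor(paths, r_d: int) -> float:
    """Assumed instantiation of omega^s_{S,D}: a passive listener choosing links with probabilities
    q_j observes a fraction sum_j q_j P_j of the periods, which its best response (all weight on the
    most-used link) raises to max_j P_j; the safety factor is the fraction that stays unobserved."""
    return 1.0 - max(link_exposure(paths, r_d).values())


def choose_hopping_plan(cap: Graph, src: str, dst: str, candidates, periods, horizon):
    """Maximise sc_{S,D} = c_{S,D} * omega over path subsets and hopping periods T_RMP, with
    R_D = horizon / T_RMP hops; ties go to the longest period (fewest flow-table updates)."""
    c_sd, _cut = max_flow_min_cut(cap, src, dst)
    best = None
    for period in sorted(periods, reverse=True):
        r_d = horizon // period
        for k in range(1, len(candidates) + 1):
            for subset in combinations(candidates, k):
                sc = c_sd * safety_factor(subset, r_d)
                if best is None or sc > best[2]:
                    best = (list(subset), period, sc)
    return best


if __name__ == "__main__":
    graph = capacity_graph()
    print("c_SD, min cut:", max_flow_min_cut(graph, "S", "D"))
    print("plan:", choose_hopping_plan(graph, "S", "D", CANDIDATES, [5, 10, 20, 30], 60))
```

On this topology the maximum flow is 135 Mbps and the minimum cut is the three links into D, so those are the links whose capacity bounds any hopping plan. The second and third candidate paths share link E-D, so a schedule over only those two is fully exposed (ω = 0); the plan selected is the two node-disjoint paths with an even number of hops in the horizon, giving ω = 0.5 and sc = 67.5. The period matters through $R_D$: with three hops the round-robin over two paths uses one of them twice and the exposure rises to 2/3.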
S5: The hopping route implementation module configures the hopping route according to the optimal combination of hopping path and hopping period. Specifically, the hopping route is configured through flow table Modify-State messages according to the path hopping decision, and the idle_time value is set according to the hopping period; the hopping routers then perform network path hopping according to this configuration. (In OpenFlow, idle_timeout removes an entry only after it has matched no packets for that long; an entry that must disappear a fixed time after installation, as a fixed hopping period requires, is expressed with hard_timeout.)
Building on random path hopping, the optimal path hopping algorithm uses the global view of the software defined network (SDN) and SMT-based hopping constraints to formally specify and reduce the performance constraints that routing nodes and forwarding links in a forwarding path must meet, so that transient problems do not arise during path hopping. At the same time, drawing on the idea of maximum flow minimum cut, an optimal hopping path generation method based on the security capacity matrix is provided; it selects the optimal combination of hopping path and hopping period, improves resistance to passive monitoring, and maximizes the defense benefit.
The above is only a preferred embodiment of the present invention; the preferred embodiment should not be considered as limiting the invention, and the scope of protection shall be defined by the claims. It will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the spirit and scope of the invention, and such modifications and adaptations shall be considered within its scope.
Claims (10)
1. A path hopping dynamic defense method based on an SDN network, characterized by comprising:
acquiring the global network topology and, on that basis, periodically acquiring the state information of the hopping routes in the network through port state request messages;
the hopping route, after receiving the port state request message, reports its state information in the form of a port state reply message;
specifying the conditions that a hopping route must satisfy, and constructing a set of hopping routes that meet the constraint conditions according to the network topology and the route state information;
generating the optimal combination of hopping path and hopping period;
and configuring the hopping route according to the optimal combination of hopping path and hopping period.
2. The method of claim 1, wherein the Link Layer Discovery Protocol (LLDP) is used to obtain the global network topology.
3. The method of claim 1, wherein the conditions that a hopping route must satisfy are specified as hopping constraints based on satisfiability modulo theories (SMT). A Boolean variable indicates whether routing node v forwards the k-th data flow during hopping period $T_{RMP}$, and a second Boolean variable indicates whether forwarding link e carries the k-th data flow during hopping period $T_{RMP}$. The hopping path shall satisfy:
forwarding path capacity constraints;
forwarding path delay constraints;
forwarding path reachability constraints.
4. The method of claim 3, wherein the forwarding path capacity constraint that the hopping path must satisfy is:
formula I represents the marginal cost function of adding a new flow entry; $\sigma$ is an adjusting parameter, $\sigma = 2n$, where n is the number of network routing nodes; the associated variable represents the flow-table utilization of routing node v after the forwarding information of the k-th data flow is added;
formula II indicates that the cumulative marginal cost of adding flow entries must stay within the bearable range of the selected routing node, and that the remaining flow-table length must not be less than the minimum amount that routing node $MR_v$ needs to keep in reserve;
formula III represents the marginal cost of forwarding a data flow; the associated variable represents the bandwidth utilization after the k-th data flow passes through forwarding link e.
5. The method of claim 3, wherein the forwarding path delay constraint that the hopping path must satisfy is:
formula V indicates that the forwarding path length of each data flow cannot exceed the set maximum value $L_{max}$;
6. The method of claim 3, wherein the forwarding path reachability constraint that the hopping path must satisfy is:
formula VII indicates that on the forwarding path the in-degree and out-degree of every routing node are equal;
formula VIII indicates that every forwarding routing node in the path is physically adjacent to its previous-hop and next-hop routing nodes, where $\chi(MR_v)$ denotes the set of remaining forwarding routing nodes after removing from the forwarding path the routes to which the source address and the destination address belong;
7. The method of claim 1, wherein the optimal hopping path is generated on the basis of a security capacity matrix using max-flow min-cut theory.
8. The SDN network-based path hopping dynamic defense method of claim 7, wherein generating the optimal hopping path comprises:
$$sc_{S,D} = c_{S,D} \cdot \omega^{s}_{S,D} \qquad \text{(X)}$$
formula X expresses the security capacity as the maximum residual capacity $c_{S,D}$ between S and D combined with the safety factor $\omega^{s}_{S,D}$; here $n = |N|$ denotes the number of network forwarding routing nodes, and $sc_{S,D}$ denotes the resource capacity of the routing nodes and forwarding links that can achieve secure forwarding from any source node $S \in N$ to any destination node $D \in N$;
formula XI shows that the safety factor is determined by the eavesdropping strategy chosen by the attacker and the hopping strategy chosen by the defender: the attacker maximizes attack gain by choosing among eavesdropping strategies $a \in A$, i.e. by minimizing $\omega^{s}_{S,D}$; the defender maximizes hopping-defense gain by generating different hopping strategies $d \in D$, i.e. by maximizing $\omega^{s}_{S,D}$; the number of times the attacker eavesdrops within time T is $R_A = T/r_A$, the number of hops is $R_D = T/T_{RMP}$, and the factor further depends on the probability that the attacker monitors the j-th link and the probability $P_j$ that a data packet traverses the j-th link.
9. A path hopping dynamic defense system based on an SDN network, characterized by comprising:
a hopping route management module, used to construct a hopping route set that meets the constraint conditions according to the collected network routing node states and network topology information and the constraints that routing nodes and forwarding paths must satisfy;
a path hopping decision module, which generates the optimal combination of hopping path and hopping period using the optimal hopping path generation method based on the security capacity matrix;
and a hopping route implementation module, used to deploy and issue flow tables according to the generated hopping path so as to update the hopping route configuration.
10. The SDN network-based path hopping dynamic defense system of claim 9, wherein the hopping route implementation module installs flow table entries on the routing nodes of the hopping path in reverse order, from the destination node to the source node, and deletes the old flow table rules in forward order, from the source node to the destination node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111078197.7A CN113810405A (en) | 2021-09-15 | 2021-09-15 | SDN network-based path jump dynamic defense system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113810405A true CN113810405A (en) | 2021-12-17 |
Family
ID=78940881
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111078197.7A Pending CN113810405A (en) | 2021-09-15 | 2021-09-15 | SDN network-based path jump dynamic defense system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113810405A (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180069786A1 (en) * | 2016-09-02 | 2018-03-08 | Argela Yazilim ve Bilisim Teknolojileri San. ve Tic. A.S. | Randomized route hopping in software defined networks |
CN108833285A (en) * | 2018-06-08 | 2018-11-16 | 浙江捷尚人工智能研究发展有限公司 | Network moving target defence method, electronic equipment, storage medium and system |
CN113225255A (en) * | 2021-03-31 | 2021-08-06 | 福建奇点时空数字科技有限公司 | SDN random route hopping method based on trigger generation mechanism |
Non-Patent Citations (1)
Title |
---|
雷程,马多贺,张红旗,韩琦,杨英杰: "基于最优路径跳变的网络移动目标防御技术", 《通信学报》 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115134304A (en) * | 2022-06-27 | 2022-09-30 | 长沙理工大学 | Self-adaptive load balancing method for avoiding data packet disorder in cloud computing data center |
CN115134304B (en) * | 2022-06-27 | 2023-10-03 | 长沙理工大学 | Self-adaptive load balancing method for avoiding data packet disorder of cloud computing data center |
CN115174467A (en) * | 2022-06-28 | 2022-10-11 | 福州大学 | Route jump defense construction method based on programmable data plane |
CN115174467B (en) * | 2022-06-28 | 2023-09-22 | 福州大学 | Route jump defending construction method based on programmable data plane |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20211217 |