CN113810405A - SDN network-based path jump dynamic defense system and method - Google Patents


Info

Publication number: CN113810405A
Authority: CN (China)
Prior art keywords: hopping, path, forwarding, route, node
Legal status: Pending
Application number: CN202111078197.7A
Other languages: Chinese (zh)
Inventor: 朱伟华
Current assignee: Jiayuan Technology Co Ltd
Original assignee: Jiayuan Technology Co Ltd
Application filed by Jiayuan Technology Co Ltd
Priority to CN202111078197.7A
Publication of CN113810405A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/02 Topology update or discovery
    • H04L 45/20 Hop count for routing purposes, e.g. TTL
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a dynamic defense system and method for path hopping based on an SDN network. The system comprises a hopping route management module, a path hopping decision module and a hopping route implementation module: the hopping route management module constructs a hopping route set that satisfies the constraint conditions, the path hopping decision module generates the optimal combination of hopping route and hopping period with a generation method, and the hopping route implementation module updates the configuration for the generated hopping route. Building on random path hopping, the optimal path hopping algorithm uses the global view of the SDN and SMT-based hopping constraints to formalize and specify the performance constraints that routing nodes and forwarding links in a forwarding path must satisfy, so that transient problems do not arise during path hopping; at the same time, borrowing the idea of maximum flow-minimum cut, it provides an optimal hopping path generation method based on a security capacity matrix, selects the optimal combination of hopping path and hopping period, improves resistance to passive monitoring, and maximizes the defense benefit.

Description

SDN network-based path jump dynamic defense system and method
Technical Field
The invention relates to a dynamic defense system and method for path hopping, in particular to a path hopping defense system based on an SDN network and its implementation method.
Background
Network attackers spend 95% of their time gathering information about the target network and planning attack methods. Network scanning is therefore the precursor technique and initial stage of most attack means, and plays an irreplaceable role in carrying out a network attack effectively. Although existing defense methods are quite mature, cognitive limitations make it difficult for defenders to make use of all vulnerability information, and the immobility of the mechanism makes traditional defense methods hard pressed to withstand the attacker's continuous probing and long-term offline analysis. End node information, namely IP addresses and port information, is an integral component of the network attack surface and the main object of network scanning, and has become an important network attribute in urgent need of protection. With the continuous development of network scanning technology, scanning attacks adopt different scanning strategies for the structural characteristics of different network information systems, which greatly improves attack effectiveness. On the other hand, the determinacy and static nature of existing network information systems lower the difficulty of the attacker's scanning. Therefore, the "advancement" of network scanning technology and the "pertinence" of its implementation strategy, together with the "static nature" of the existing network architecture and the "determinacy" of the information system, not only make the traditional security defense model unequal to these novel threats, but also further worsen the asymmetry between the two sides of network attack and defense.
There are two existing ways to implement path hopping.
1) Deterministic multipath random selection obtains as many routing-node-disjoint paths as possible in advance and implements hopping by randomly selecting a different forwarding path at each hop. The document "forward adaptation for Route aggregation experience attenters" proposes a Random Route hopping method (RRM), which formalizes the constraints a forwarding path must satisfy with Satisfiability Modulo Theories (SMT) and computes the forwarding paths that can be generated. Compared with single-path forwarding in a static network, this approach can resist about 90% of link snooping. The document "SDN-Based Private Interconnection" proposes a multi-path hopping scheme based on an n-k threshold, in which the data stream of one session is divided into n parts and fewer than k parts may be forwarded along the same path, so as to prevent passive monitoring during data transmission.
2) Random route hopping implements hopping by randomly generating the next-hop routing node, used to forward the data stream, from routing nodes that satisfy requirements determined in advance. The article "Secure data collection in wireless sensor network using random distributed routes" realizes secure data transmission in a wireless network by designing a random route generation algorithm; the document "Game electronic storage routing for surface traffic and security in computers" calculates multiple forwarding paths from a source node to a destination node based on two game models and randomly generates hop routes on top of them to realize secure transmission; the document "Agile virtual infrastructure to reactive discovery attack cyber attack" increases the difficulty of attacker reconnaissance through virtual mobile routing in order to defend against DDoS attacks.
The problems existing in the prior art are as follows:
1) Because hopping path generation does not comprehensively consider the performance constraints of routing nodes and forwarding links, transient problems occur during path hopping and the availability of path hopping is reduced.
2) Because hopping routing nodes and hopping periods are generated unreasonably, the implementation of path hopping cannot fully exert its defense capability.
Disclosure of Invention
In view of this, the present invention provides a dynamic path hopping defense system and method based on an SDN network, which avoids transient problems in the hopping process by constraining the performance of nodes and forwarding links, and improves network defense capability by reasonably generating hopping paths and hopping periods.
To solve these technical problems, the invention adopts a dynamic defense method for path hopping based on an SDN network, comprising the following steps:
acquiring the global network topology, and on that basis periodically acquiring the state information of the hopping routers in the network through port state request messages;
after receiving the port state request message, a hopping router reports its state information in the form of a port state reply message;
formally specifying the conditions a hopping route must satisfy, and constructing a hopping route set that meets the constraints from the network topology, route state and related information;
generating the optimal combination of hopping path and hopping period;
and configuring the hopping route according to the optimal combination of hopping path and hopping period.
As an improvement, the global network topology is obtained using the Link Layer Discovery Protocol.
As a further improvement, the conditions a hopping route must satisfy are specified with a hopping constraint protocol based on satisfiability modulo theories; the Boolean variable
Figure BDA0003263032020000031
indicates whether routing node v forwards the k-th data flow during hopping period T_RMP; if it does,
Figure BDA0003263032020000032
otherwise
Figure BDA0003263032020000033
The Boolean variable
Figure BDA0003263032020000034
indicates whether forwarding link e carries the k-th data flow during hopping period T_RMP; if the flow traverses the link,
Figure BDA0003263032020000035
otherwise
Figure BDA0003263032020000036
The hopping path should satisfy:
forwarding path capacity constraints;
forwarding path delay constraints;
forwarding path reachability constraints.
As another further improvement, the hopping path should satisfy the following forwarding path capacity constraint:
Figure BDA0003263032020000037
Formula I is the marginal cost function for adding a new flow entry; σ is a tuning parameter set to 2n, where n is the number of routing nodes in the network;
Figure BDA0003263032020000038
is the flow table utilization of routing node v after the forwarding information of the k-th data flow is added;
Figure BDA0003263032020000041
Formula II states that the marginal cost of cumulatively adding flow table entries must lie within the bearable range of the selected routing node
Figure BDA0003263032020000042
and that the remaining flow table length is not less than
Figure BDA0003263032020000043
Figure BDA0003263032020000044
is the minimum amount that routing node MR_v must keep in reserve.
Figure BDA0003263032020000045
Formula III is the marginal cost of forwarding a data flow;
Figure BDA0003263032020000046
is the bandwidth utilization of forwarding link e after the k-th data flow passes through it.
Figure BDA0003263032020000047
Formula IV states that the marginal cost of cumulative bandwidth consumption must lie within the range the selected forwarding link can carry
Figure BDA0003263032020000048
and that the remaining bandwidth is not less than
Figure BDA0003263032020000049
Figure BDA00032630320200000410
is the minimum amount that forwarding link ML_e must keep in reserve.
As a further improvement, the hopping path should satisfy the following forwarding path delay constraints:
Figure BDA00032630320200000411
Formula V states that the forwarding path length of each data flow cannot exceed the set maximum value L_max.
If
Figure BDA00032630320200000412
holds, formula VI requires that the difference between the minimum transmission delay of the candidate forwarding path for the next hopping period
Figure BDA00032630320200000413
and the maximum transmission delay of the existing forwarding path
Figure BDA00032630320200000414
is less than the minimum inter-packet delay.
As a further improvement, the hopping path should satisfy the following forwarding path reachability constraints:
Figure BDA00032630320200000415
Formula VII states that the in-degree and out-degree of every routing node on the forwarding path are equal;
If
Figure BDA0003263032020000051
holds, formula VIII states that every forwarding routing node on the path is physically adjacent to its previous-hop and next-hop routing nodes, where χ(MR_v) is the set of forwarding routing nodes remaining after the routers to which the source and destination addresses belong are removed from the forwarding path;
If
Figure BDA0003263032020000052
holds, formula IX states that the distance from the next-hop routing node to the destination node is not greater than the distance from the current forwarding node to the destination routing node, where
Figure BDA0003263032020000053
is the distance from MR_v to the destination node.
As an improvement, the optimal hopping path is generated from the security capacity matrix using the maximum flow-minimum cut theory.
As a further improvement, generating the optimal hopping path includes:
sc_{S,D} = c_{S,D} · ω^s_{S,D}    (X)
Formula X composes the maximum residual capacity c_{S,D} between S and D with a safety factor ω^s_{S,D}; here n = |N| is the number of forwarding routing nodes in the network, and sc_{S,D} is the resource capacity of routing nodes and forwarding links with which any path from source node S ∈ N to destination node D ∈ N can forward securely;
Figure BDA0003263032020000055
Formula XI shows that the safety factor is determined by the listening strategy adopted by the attacker and the hopping strategy adopted by the defender: the attacker maximizes its attack payoff by adopting different listening strategies a ∈ A, i.e. by minimizing ω^s_{S,D}; the defender maximizes the payoff of hopping defense by generating different hopping strategies d ∈ D, i.e. by maximizing ω^s_{S,D}. The number of times the attacker listens within time T is R_A = T/r_A, the number of hops is R_D = T/T_RMP, and the safety factor depends on the probability that the attacker monitors the j-th link
Figure BDA0003263032020000056
and the probability P that a data packet passes through the j-th link.
The invention also provides a dynamic defense system for path hopping based on an SDN network, comprising:
a hopping route management module, which constructs a hopping route set meeting the constraint conditions from the collected routing node states, the network topology information and the constraints that routing nodes and forwarding paths must satisfy;
a path hopping decision module, which generates the optimal combination of hopping path and hopping period with an optimal hopping path generation method based on a security capacity matrix;
and a hopping route implementation module, which deploys and issues flow tables according to the generated hopping path so as to update the hopping route configuration.
As an improvement, the hopping route implementation module installs flow table entries on the routing nodes of the hopping path in reverse order, from the destination node to the source node, and deletes the old flow table rules in forward order, from the source node to the destination node.
The invention has the following advantages:
(1) Taking the non-detection defense theory as its core, it increases the complexity and cost of carrying out an attack through dynamic change of the forwarding path.
The system is based on the non-detection defense theory: the transmission path in the network changes dynamically through continuous transformation of the forwarding path, so that the apparent uncertainty of the network structure increases, and with it the difficulty and cost for a malicious adversary to correctly identify and accurately locate target nodes.
(2) It generates the optimal combination of hopping path and hopping period with an optimal path hopping generation method based on the security capacity matrix, so as to maximize the defense benefit.
Borrowing the idea of maximum flow-minimum cut, an optimal hopping path generation method based on a security capacity matrix is provided; it generates the optimal combination of hopping path and hopping period, improves the capability of resisting passive monitoring, and maximizes the defense benefit.
(3) The constraints that path hopping must satisfy can be formalized and specified through satisfiability modulo theories, which prevents the transient problems caused by path hopping.
The performance constraints that routing nodes and forwarding links in a forwarding path must satisfy are formally specified from the global view of the Software Defined Network (SDN) and SMT-based hopping constraints, so as to prevent transient problems during path hopping and keep the performance consumption of forwarding path transitions controllable.
Drawings
FIG. 1 is a schematic diagram of a topology and functional modules according to the present invention.
FIG. 2 is a flow chart of the present invention.
Detailed Description
In order that those skilled in the art will better understand the technical solutions of the present invention, the present invention will be further described in detail with reference to the following embodiments.
As shown in FIG. 1, the invention provides a path hopping dynamic defense system based on an SDN network. It is deployed in a Software Defined Network (SDN) and includes a hopping controller (RC) and several hopping routers (MR). Path transformation relies mainly on the SDN's network-wide view and centralized control: path hopping decisions and deployment are made centrally, and cooperative hopping is carried out by the MRs and the RC.
The RC in turn comprises three functional modules:
a hopping route management module, which constructs a hopping route set meeting the constraint conditions from the collected routing node states, the network topology information and the constraints that routing nodes and forwarding paths must satisfy;
a path hopping decision module, which generates the optimal combination of hopping path and hopping period with an optimal hopping path generation method based on a security capacity matrix;
and a hopping route implementation module, which deploys and issues flow tables according to the generated hopping path so as to update the hopping route configuration. A path hopping update must issue and configure new flow table entries on multiple MRs, and inconsistent flow table configuration can easily arise while the flow tables are being updated. The path hopping update therefore uses a "reverse-order add, sequential delete" update mode. "Reverse-order add" means that the hopping controller installs flow table entries on the routing nodes of the hopping path in reverse order, from the destination node to the source node; "sequential delete" means that the hopping controller deletes the old flow table rules in forward order, from the source node to the destination node.
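The "reverse-order add, sequential delete" ordering described above can be checked with a small simulation. The following Python is an added example, not code from the patent: it models each hopping router's flow table as a mapping from flow identifier to next hop, applies both this ordering and a naive source-to-destination install order to a constructed four-router topology, and after every single flow-table change injects a packet at the source to see whether it still reaches the destination. Node names, the flow id and the two paths are constructed for illustration.

```python
from typing import Dict, Iterator, List, Optional

Tables = Dict[str, Dict[str, str]]   # node -> {flow id -> next-hop node}

FLOW = "k1"                               # constructed flow identifier
OLD_PATH = ["S", "MR1", "MR3", "D"]       # forwarding path of the current hopping period
NEW_PATH = ["S", "MR2", "MR3", "D"]       # forwarding path chosen for the next period


def initial_tables() -> Tables:
    """Flow tables before the update: only the old path is installed."""
    tables: Tables = {n: {} for n in ["S", "MR1", "MR2", "MR3", "D"]}
    for a, b in zip(OLD_PATH, OLD_PATH[1:]):
        tables[a][FLOW] = b
    return tables


def forward(tables: Tables, src: str, dst: str, flow: str, max_hops: int = 16) -> Optional[List[str]]:
    """Walk one packet through the current tables. Returns the node sequence,
    or None if the packet hits a node with no rule for the flow (black hole) or loops."""
    node, trace = src, [src]
    while node != dst:
        nxt = tables[node].get(flow)
        if nxt is None or len(trace) > max_hops:
            return None
        node = nxt
        trace.append(node)
    return trace


def reverse_add_sequential_delete(tables: Tables, flow: str, old: List[str], new: List[str]) -> Iterator[str]:
    """The update order described in the text: install new rules from the destination
    back to the source, then delete old rules from the source forward.
    Yields a label after each single flow-table change so a caller can probe between steps."""
    for i in range(len(new) - 2, -1, -1):          # reverse-order add
        tables[new[i]][flow] = new[i + 1]
        yield f"install {new[i]}->{new[i + 1]}"
    for node in old[:-1]:                          # sequential delete
        if node not in new:                        # nodes shared with the new path keep their new rule
            del tables[node][flow]
            yield f"delete {node}"


def naive_forward_update(tables: Tables, flow: str, old: List[str], new: List[str]) -> Iterator[str]:
    """Contrast case: install from the source forward. A packet can then be steered
    onto a node whose rule for the flow has not been installed yet."""
    for i in range(len(new) - 1):
        tables[new[i]][flow] = new[i + 1]
        yield f"install {new[i]}->{new[i + 1]}"
    for node in old[:-1]:
        if node not in new:
            del tables[node][flow]
            yield f"delete {node}"


def simulate(strategy) -> List[tuple]:
    """Apply an update strategy step by step; after each step inject a packet at S
    and record whether it was delivered to D."""
    tables = initial_tables()
    log = []
    for step in strategy(tables, FLOW, OLD_PATH, NEW_PATH):
        log.append((step, forward(tables, "S", "D", FLOW) is not None))
    return log


def drop_count(strategy) -> int:
    """Number of update steps after which a freshly injected packet is lost."""
    return sum(1 for _, delivered in simulate(strategy) if not delivered)


if __name__ == "__main__":
    for name, strategy in [("reverse-add / sequential-delete", reverse_add_sequential_delete),
                           ("naive forward install", naive_forward_update)]:
        print(name)
        for step, delivered in simulate(strategy):
            print(f"  {step:<18} {'delivered' if delivered else 'DROPPED'}")
```

With the constructed paths the naive order loses the packet right after the source is switched to MR2, because MR2 has no rule yet; the reverse-order install never exposes such a gap, and the forward-order delete only removes rules on routers that the new path no longer uses.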
The invention also provides a dynamic defense method for path hopping based on an SDN network, comprising the following steps.
S1: the hopping route management module obtains the global network topology with the Link Layer Discovery Protocol (LLDP) and, on that basis, periodically obtains the state of the hopping routers in the network through port state request messages.
S2: after receiving the port state request message, a hopping router reports its state information to the hopping route management module in the form of a port state reply message.
S3: the hopping route management module constructs a hopping route set that meets the constraint conditions from the network topology, route state and related information fed back by the hopping routers, based on the conditions a hopping route must satisfy as formally specified with Satisfiability Modulo Theories (SMT).
Transient problems are the phenomenon of rapidly degrading network performance during hopping, which leads to packet reordering and an increased probability of packet loss. Packet reordering is the disruption of the forwarding order of data packets caused by migrating the transition path; packet loss is caused by insufficient capacity of forwarding nodes and links, unreachable forwarding paths, and inconsistent flow table updates. Moreover, since reordering and loss can further trigger the TCP retransmission mechanism, TCP performance degrades in a network that implements path hopping, which reduces the availability of path hopping. To guarantee network service quality and improve the availability of hopping, the invention uses SMT-based hopping constraints to formalize and specify the constraints a hopping path must satisfy in three respects: forwarding path capacity, transmission delay and reachability; combined with the "reverse-order add, sequential delete" flow table update method, this prevents the transient problems caused by switching the hopping path.
Network resource capacity in path hopping refers to the remaining available resources of routing nodes and forwarding links in the network system. The remaining available resources of a routing node depend mainly on its remaining available flow table entries, because the node's CPU consumption, remaining storage and so on are positively correlated with the size of its flow table; the remaining available resources of a forwarding link depend mainly on its remaining available bandwidth. Because a real network carries multiple intersecting flows, the overhead of a routing node or forwarding link is the sum of the costs required by all data flows passing through that node or link at a given time. Define the Boolean variable
Figure BDA0003263032020000096
which indicates whether routing node v forwards the k-th data flow during hopping period T_RMP; if it does,
Figure BDA0003263032020000097
otherwise
Figure BDA0003263032020000098
Analogously, define
Figure BDA0003263032020000099
which indicates whether forwarding link e carries the k-th data flow during hopping period T_RMP; if the flow traverses the link,
Figure BDA00032630320200000910
otherwise
Figure BDA00032630320200000911
The hopping path must satisfy the following three constraints:
1) Forwarding path capacity constraint: this constraint prevents packet loss caused by data overflow by selecting routing nodes that can bear the accumulated flow table size and forwarding links that can bear the accumulated forwarded data flows.
Index functions based on marginal cost are widely used to quantify the performance consumption of network resources under different conditions, such as the performance consumption of routing nodes and forwarding paths in unicast or multicast; this technique therefore quantifies the resource expenditure of routing nodes and forwarding links with an index function based on marginal cost.
Figure BDA0003263032020000091
Formula I is the marginal cost function for adding a new flow entry, where σ is a tuning parameter whose value is set to 2n after analysis, and n is the number of routing nodes in the network;
Figure BDA0003263032020000092
is the flow table utilization of routing node v after the forwarding information of the k-th data flow is added.
Figure BDA0003263032020000093
Formula II states that the marginal cost of cumulatively adding flow table entries must lie within the bearable range of the selected routing node
Figure BDA0003263032020000094
and that the remaining flow table length is not less than
Figure BDA0003263032020000095
so that problems such as data overflow do not occur. Here
Figure BDA0003263032020000101
is the minimum amount that routing node MR_v must keep in reserve.
Figure BDA0003263032020000102
Similar to formula I, formula III is the marginal cost of forwarding a data flow. Here
Figure BDA0003263032020000103
is the bandwidth utilization of forwarding link e after the k-th data flow passes through it.
Figure BDA0003263032020000104
Formula IV states that the marginal cost of cumulative bandwidth consumption must lie within the range the selected forwarding link can carry
Figure BDA0003263032020000105
and that the remaining bandwidth is not less than
Figure BDA0003263032020000106
so that the forwarding link retains spare capacity for data fluctuations due to load balancing, network jitter and the like. Here
Figure BDA0003263032020000107
is the minimum amount that forwarding link ML_e must keep in reserve.
2) Forwarding path delay constraint: this constraint prevents packet reordering during hopping by selecting a forwarding path whose total transmission delay meets the requirement and whose delay difference from the current hopping path is smaller than the inter-packet delay.
Figure BDA0003263032020000108
Formula V states that the forwarding path length of each data flow cannot exceed the set maximum value L_max. Because transmission delay is positively correlated with the number of routing nodes in the forwarding path, limiting the path length prevents the degradation of network service quality caused by excessive transmission delay.
If
Figure BDA0003263032020000109
holds, formula VI additionally checks whether the difference between the minimum transmission delay of the candidate forwarding path for the next hopping period
Figure BDA00032630320200001010
and the maximum transmission delay of the existing forwarding path
Figure BDA00032630320200001011
is smaller than the minimum inter-packet delay, so that no additional packet reordering is introduced while migrating between the forwarding paths of adjacent hopping periods.
3) Forwarding path reachability constraint: this constraint prevents forwarding loops, and the packet loss they cause, by restricting the selection of forwarding routing nodes.
Figure BDA0003263032020000111
Formula VII states that the in-degree and out-degree of every routing node on this forwarding path are equal.
If
Figure BDA0003263032020000112
holds, formula VIII states that every forwarding routing node on the path is physically adjacent to its previous-hop and next-hop routing nodes. Here χ(MR_v) is the set of forwarding routing nodes remaining after the routers to which the source and destination addresses belong are removed from the forwarding path. However, forwarding a data flow from a node to an adjacent next-hop node does not by itself guarantee that the data reaches the destination.
If
Figure BDA0003263032020000113
holds, formula IX therefore constrains the distance between the sending node and the destination routing node: the distance from the next-hop routing node to the destination node must not be greater than the distance from the current forwarding node to the destination routing node, where
Figure BDA0003263032020000114
is the distance from MR_v to the destination node. Formula IX also implies that a data flow is not forwarded any further once it reaches the destination routing node.
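The capacity, delay and reachability constraints (formulas I to IX, as listed in the summary above and explained here in step S3) amount to a feasibility check over candidate hopping paths. The Python below is an added example, not the patent's code. The exact form of the marginal cost functions in formulas I and III is not given on the page, so an exponential in utilization steered by σ = 2n is assumed, together with an assumed per-node and per-link cost threshold; BFS hop count is assumed as the distance metric of formula IX, and formula VII (equal in-degree and out-degree) is read as "no node repeated on the path". The topology, capacities, delays and flow demand are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

Path = List[str]
Edge = Tuple[str, str]


@dataclass
class NodeState:
    table_size: int     # flow table capacity, in entries
    table_used: int     # entries already installed
    reserve: int        # MR_v.min: entries that must stay free (formula II)
    cost_limit: float   # bearable cumulative marginal cost (assumed threshold)


@dataclass
class LinkState:
    bandwidth: float    # Mbit/s
    used: float
    reserve: float      # ML_e.min: bandwidth that must stay free (formula IV)
    cost_limit: float   # assumed threshold
    delay: float        # transmission delay, ms


@dataclass
class Network:
    nodes: Dict[str, NodeState]
    links: Dict[Edge, LinkState]


def build_network() -> Network:
    """Constructed topology: MR4 has an almost full flow table, MR2->MR4 is a slow link."""
    nodes = {v: NodeState(1000, 200, 50, 6.0) for v in ["S", "MR1", "MR2", "MR3", "MR4", "D"]}
    nodes["MR4"] = NodeState(1000, 970, 50, 6.0)
    edges = [("S", "MR1"), ("S", "MR2"), ("MR1", "MR3"), ("MR2", "MR3"),
             ("MR2", "MR4"), ("MR3", "D"), ("MR4", "D")]
    links = {e: LinkState(100.0, 20.0, 10.0, 6.0, 1.0) for e in edges}
    links[("MR2", "MR4")].delay = 20.0
    return Network(nodes, links)


OLD_PATH: Path = ["S", "MR1", "MR3", "D"]   # path of the current hopping period
FLOW_ENTRIES, FLOW_BW = 2, 10.0            # demand of the k-th flow (constructed)
L_MAX, MIN_IPD = 4, 5.0                    # max path length; minimum inter-packet delay, ms


def indicator_variables(net: Network, path: Path):
    """The Boolean x_v^k / y_e^k of the text: 1 where node v / link e carries flow k."""
    on_path = set(zip(path, path[1:]))
    return ({v: int(v in path) for v in net.nodes}, {e: int(e in on_path) for e in net.links})


def marginal_cost(utilization: float, sigma: float) -> float:
    """ASSUMED form of formulas I/III: grows convexly with utilization, steered by sigma."""
    return sigma ** utilization - 1.0


def capacity_ok(net: Network, path: Path) -> bool:
    """Formulas I-IV: cumulative marginal cost within limits, reserves kept."""
    sigma = 2 * len(net.nodes)                                  # sigma = 2n, as in the text
    for v in path:
        n = net.nodes[v]
        used = n.table_used + FLOW_ENTRIES
        if marginal_cost(used / n.table_size, sigma) > n.cost_limit or n.table_size - used < n.reserve:
            return False
    for e in zip(path, path[1:]):
        l = net.links.get(e)
        if l is None:
            return False
        used = l.used + FLOW_BW
        if marginal_cost(used / l.bandwidth, sigma) > l.cost_limit or l.bandwidth - used < l.reserve:
            return False
    return True


def path_delay(net: Network, path: Path) -> float:
    return sum(net.links[e].delay if e in net.links else float("inf") for e in zip(path, path[1:]))


def delay_ok(net: Network, path: Path, old_path: Path) -> bool:
    """Formulas V-VI: bounded length, and the delay shift between candidate and current
    path stays below the minimum inter-packet delay, so packets cannot overtake each other."""
    return len(path) <= L_MAX and abs(path_delay(net, path) - path_delay(net, old_path)) < MIN_IPD


def hop_distance(net: Network, dst: str) -> Dict[str, int]:
    """BFS hop count to dst over reversed links (assumed distance metric for formula IX)."""
    rev: Dict[str, List[str]] = {}
    for u, v in net.links:
        rev.setdefault(v, []).append(u)
    dist, queue = {dst: 0}, deque([dst])
    while queue:
        v = queue.popleft()
        for u in rev.get(v, []):
            if u not in dist:
                dist[u] = dist[v] + 1
                queue.append(u)
    return dist


def reachability_ok(net: Network, path: Path, dst: str) -> bool:
    """Formulas VII-IX: no node repeated (in-degree == out-degree), every hop physically
    adjacent, and the distance to the destination never increases along the path."""
    if path[-1] != dst or len(set(path)) != len(path):
        return False
    if any(e not in net.links for e in zip(path, path[1:])):
        return False
    dist, far = hop_distance(net, dst), len(net.nodes) + 1
    return all(dist.get(v, far) <= dist.get(u, far) for u, v in zip(path, path[1:]))


def check_hop_path(net: Network, path: Path, old_path: Path = OLD_PATH) -> Dict[str, bool]:
    return {"capacity": capacity_ok(net, path),
            "delay": delay_ok(net, path, old_path),
            "reachability": reachability_ok(net, path, old_path[-1])}


def feasible_candidates(net: Network, candidates: List[Path]) -> List[Path]:
    """The hopping route set of step S3: candidates that pass all three constraints."""
    return [p for p in candidates if all(check_hop_path(net, p).values())]
```

On the constructed network the candidate S-MR2-MR3-D passes every check, S-MR2-MR4-D fails both the capacity constraint (MR4 cannot keep its reserve of 50 entries) and the delay constraint (its 22 ms delay differs from the current path's 3 ms by more than the 5 ms inter-packet delay), and S-MR3-D fails reachability because S and MR3 are not adjacent.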
S4: the path hopping decision module generates the optimal combination of hopping path and hopping period using the maximum flow-minimum cut theory on the basis of the security capacity matrix.
The optimal hopping path generation method selects the optimal combination of hopping path and hopping period according to the maximum flow-minimum cut theory, so as to improve resistance to passive monitoring and maximize the benefit of hopping defense. Because an attacker may maliciously monitor routing nodes and forwarding links, the existing notion of network resource capacity does not take security into account; even if a routing node or forwarding link satisfies the three constraints of step S3, its availability decreases as the security risk increases. A network security capacity matrix is therefore defined on the basis of the network resource capacity matrix, and the optimal combination of hopping path and hopping period is then selected with the maximum flow-minimum cut theory to maximize the benefit of path hopping.
The actual network can be represented by a directed graph G(N, L), where N is the set of nodes in the graph, representing the set of hopping routing nodes {MR_v} in the SDN network, and L is the set of edges in the graph, representing the set of forwarding links {ML_e}. For any source node S and destination node D in G(N, L), a sequence {MR_S, ML_1, ..., MR_i, ML_i, ..., MR_D} is denoted as a forwarding path from S to D in G:
Figure BDA0003263032020000121
Given a network G (N, L), it can be represented as a weighted directed graph
Figure BDA0003263032020000122
where W = {C, B}: C denotes the security capacity of the routing nodes and B denotes the secure bandwidth of the forwarding links.
The network security capacity matrix is generated on the basis of
Figure BDA0003263032020000123
as $Q = [sc_{S,D}]_{n \times n}$, where $n = |N|$ is the number of network forwarding routing nodes and $sc_{S,D}$ represents the resource capacity of the routing nodes and forwarding links that can realize secure forwarding from any source node $S \in N$ to any destination node $D \in N$:
$sc_{S,D} = c_{S,D} \cdot \omega^{s}_{S,D}$ (X)
As shown in equation X, it is composed of the maximum residual capacity $c_{S,D}$ between S and D and the safety factor $\omega^{s}_{S,D}$. $c_{S,D}$ can be computed from the network state information collected online in real time.
Figure BDA0003263032020000124
As shown in formula XI, $\omega^{s}_{S,D}$ is determined by the monitoring strategy adopted by the attacker and the hopping strategy adopted by the defender: the attacker maximizes the attack gain by adopting different monitoring strategies $a \in A$, i.e. by minimizing $\omega^{s}_{S,D}$; the defender maximizes the gain of hopping defense by selecting different hopping strategies $d \in D$, i.e. by maximizing $\omega^{s}_{S,D}$. Therefore $\omega^{s}_{S,D}$ is related to the number of monitoring actions of the attacker in time T, $R_A = T / r_A$, the number of hops $R_D = T / T_{RMP}$, the probability that the attacker monitors the jth link
Figure BDA0003263032020000125
and the probability P that a data packet passes through the jth link.
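The following Python is an added example of step S4 and is not the patent's own code: it builds the security capacity matrix $Q = [sc_{S,D}]$ with $sc = c \cdot \omega^{s}$ over a constructed topology, runs max-flow/min-cut over it to find the secure throughput between S and D and the cut links where the secure margin is thinnest, and then picks a hopping path. Everything not on the page is an assumption: the page does not reproduce formula XI, so the safety factor is modelled here as the probability that none of the $R_A / R_D$ monitoring actions falling inside one hopping period observes a packet on the link, using the quantities the text names ($R_A = T/r_A$, $R_D = T/T_{RMP}$, the per-link monitoring probability and the packet traversal probability P); the rule "choose the path with the largest secure bottleneck" is likewise an assumed instantiation of the selection step, not the patent's formula.

```python
"""Security capacity matrix Q = [sc_{S,D}] with sc = c * omega^s, and the
max-flow / min-cut evaluation over it (step S4).  Added example, not the
patent's code: topology, residual capacities and the attacker model are
constructed, the formula used for omega^s is an ASSUMPTION (the page does not
reproduce XI), and choosing the widest secure path as the hopping path is
likewise an assumption."""
from collections import deque

NODES = ["S", "A", "B", "C", "E", "D"]
# Constructed directed links: (u, v) -> maximum residual capacity c_{u,v}
CAPACITY = {
    ("S", "A"): 10.0, ("S", "B"): 8.0, ("A", "C"): 6.0, ("A", "D"): 4.0,
    ("B", "C"): 5.0, ("B", "E"): 7.0, ("C", "D"): 6.0, ("E", "D"): 6.0,
}
# Constructed attacker model: a_j = probability that one monitoring action
# observes link j; P_j = probability that a packet of the flow crosses link j.
MONITOR_PROB = {link: 0.1 for link in CAPACITY}
MONITOR_PROB[("A", "C")] = 0.6   # links under heavy passive monitoring
MONITOR_PROB[("E", "D")] = 0.5
TRAVERSE_PROB = {link: 0.5 for link in CAPACITY}


def safety_factor(a_j, p_j, T, r_A, T_RMP):
    """ASSUMED omega^s: the attacker monitors R_A = T/r_A times and the defender
    hops R_D = T/T_RMP times, so R_A/R_D monitoring actions fall inside one
    hopping period; omega is the chance that none of them observes a packet of
    the flow on link j."""
    samples_per_period = (T / r_A) / (T / T_RMP)
    return (1.0 - a_j * p_j) ** samples_per_period


def security_capacity_matrix(T, r_A, T_RMP):
    """Q[u][v] = c_{u,v} * omega^s_{u,v}; 0.0 where there is no link."""
    idx = {name: i for i, name in enumerate(NODES)}
    Q = [[0.0] * len(NODES) for _ in NODES]
    for (u, v), c in CAPACITY.items():
        omega = safety_factor(MONITOR_PROB[(u, v)], TRAVERSE_PROB[(u, v)], T, r_A, T_RMP)
        Q[idx[u]][idx[v]] = c * omega
    return Q


def _bfs(residual, s, t):
    """Parent pointers of a shortest residual path s -> t (t=None: full search)."""
    parent = {s: s}
    queue = deque([s])
    while queue and t not in parent:
        u = queue.popleft()
        for v, cap in enumerate(residual[u]):
            if v not in parent and cap > 1e-12:
                parent[v] = u
                queue.append(v)
    return parent


def _walk(parent, s, t):
    """Nodes of the path from t back to (excluding) s."""
    v = t
    while v != s:
        yield v
        v = parent[v]


def max_flow_min_cut(Q, source, dest):
    """Edmonds-Karp over Q. Returns (max secure flow, min-cut links by name);
    the cut is where the secure capacity between source and dest is thinnest."""
    s, t = NODES.index(source), NODES.index(dest)
    residual = [row[:] for row in Q]
    flow = 0.0
    while True:
        parent = _bfs(residual, s, t)
        if t not in parent:
            break
        bottleneck = min(residual[parent[v]][v] for v in _walk(parent, s, t))
        for v in _walk(parent, s, t):
            residual[parent[v]][v] -= bottleneck
            residual[v][parent[v]] += bottleneck
        flow += bottleneck
    source_side = set(_bfs(residual, s, None))
    cut = {(NODES[i], NODES[j]) for i in source_side for j in range(len(NODES))
           if j not in source_side and Q[i][j] > 0}
    return flow, cut


def widest_path(Q, source, dest):
    """ASSUMED hopping-path rule: maximise the smallest secure capacity on the
    path (bottleneck Dijkstra). Returns (path, bottleneck)."""
    s, t = NODES.index(source), NODES.index(dest)
    best, parent, done = {s: float("inf")}, {}, set()
    while len(done) < len(best):
        u = max((v for v in best if v not in done), key=best.get)
        done.add(u)
        for v, cap in enumerate(Q[u]):
            if cap > 0 and min(best[u], cap) > best.get(v, 0.0):
                best[v], parent[v] = min(best[u], cap), u
    if t not in best:
        return [], 0.0
    return [source] + [NODES[v] for v in reversed(list(_walk(parent, s, t)))], best[t]


if __name__ == "__main__":
    Q = security_capacity_matrix(T=60.0, r_A=1.0, T_RMP=10.0)
    print(max_flow_min_cut(Q, "S", "D"))
    print(widest_path(Q, "S", "D"))
```

With the constructed numbers the raw capacities favour the link A-C, but its heavy monitoring drives its secure capacity close to zero, so the min cut lands on the monitored links and the chosen hopping path routes around them; shortening the hopping period raises every safety factor, which is the trade-off the path/period combination is meant to balance.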
In step S5, the path hopping implementation module configures the hopping route according to the optimal combination of hopping path and hopping period. Specifically, the hopping route is configured through flow-table Modify-State messages according to the path hopping decision result, and the idle_time value (the flow entry's idle timeout) is set according to the hopping period. The hopping routers then perform network path hopping according to this configuration.
On the basis of random path hopping, the optimal path hopping algorithm uses the global view of the software-defined network (SDN) and SMT-based hopping constraints to formalize and reduce the performance constraints that routing nodes and forwarding links in a forwarding path must satisfy, so as to avoid transient problems during path hopping; at the same time, borrowing the idea of max-flow min-cut, it provides an optimal hopping path generation method based on a security capacity matrix that selects the optimal combination of hopping path and hopping period, improving the ability to resist passive monitoring and maximizing the defense benefit.
The above is only a preferred embodiment of the present invention, and it should be noted that the above preferred embodiment should not be considered as limiting the present invention, and the protection scope of the present invention should be subject to the scope defined by the claims. It will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the spirit and scope of the invention, and these modifications and adaptations should be considered within the scope of the invention.

Claims (10)

1. A path hopping dynamic defense method based on an SDN network, characterized by comprising:
acquiring the global network topology, and on that basis periodically acquiring the state information of the hopping routers in the network through port state request messages;
after receiving a port state request message, a hopping router reporting its state information in the form of a port state reply message;
the method comprises the following steps that conditions to be met by a protocol hopping route are met, and a hopping route set meeting constraint conditions is constructed according to network topology and route state information;
generating an optimal combination of a hopping path and a hopping period;
and configuring the hopping route according to the optimal combination of hopping path and hopping period.
2. The method of claim 1, wherein a link layer discovery protocol is used to obtain the global network topology.
3. The method of claim 1, wherein hopping constraints based on satisfiability modulo theories (SMT) are adopted to specify the conditions a hopping route must satisfy, defining a Boolean variable
Figure FDA0003263032010000011
indicating whether routing node v forwards the kth data stream in hopping period $T_{RMP}$; if so,
Figure FDA0003263032010000012
Otherwise
Figure FDA0003263032010000013
Boolean variables
Figure FDA0003263032010000014
indicating whether forwarding link e transmits the kth data stream in hopping period $T_{RMP}$; if the data stream flows through the link,
Figure FDA0003263032010000015
Otherwise
Figure FDA0003263032010000016
The hopping path should satisfy:
forwarding path capacity constraints;
forwarding path delay constraints;
forwarding path reachability constraints.
4. The method of claim 3, wherein the forwarding path capacity constraint that the hop path should satisfy is:
Figure FDA0003263032010000017
formula I represents the marginal cost function required for adding a new flow entry; σ is an adjustment parameter, σ = 2n, where n is the number of network routing nodes;
Figure FDA0003263032010000021
representing the utilization rate of the flow table after the forwarding information of the kth data flow is added to the routing node v;
Figure FDA0003263032010000022
if it is
Figure FDA0003263032010000023
Then
Figure FDA0003263032010000024
equation II indicates that the marginal cost of cumulatively adding flow entries must lie within the bearable range of the selected routing node
Figure FDA0003263032010000025
and that the remaining flow table length is not less than
Figure FDA0003263032010000026
Figure FDA0003263032010000027
represents the minimum amount of data that routing node $MR_v$ needs to reserve.
Figure FDA0003263032010000028
Formula III represents the marginal cost required to forward a data flow;
Figure FDA0003263032010000029
indicating the bandwidth utilization after the kth data flow passes through forwarding link e.
Figure FDA00032630320100000210
Then
Figure FDA00032630320100000211
equation IV indicates that the marginal cost of cumulative bandwidth consumption must lie within the range that the selected forwarding link can carry
Figure FDA00032630320100000212
and that the remaining bandwidth is not less than
Figure FDA00032630320100000219
Figure FDA00032630320100000213
represents the minimum amount of data that forwarding link $ML_e$ needs to reserve.
5. The method of claim 3, wherein the forwarding path delay constraint that the hop path should satisfy is:
Figure FDA00032630320100000214
formula V indicates that the forwarding path length of each data flow cannot exceed the set maximum value $L_{max}$;
If it is
Figure FDA00032630320100000215
Then
Figure FDA00032630320100000216
formula VI requires that the difference between the minimum transmission delay of the candidate forwarding path for the next hopping period
Figure FDA00032630320100000217
and that of the existing forwarding path
Figure FDA00032630320100000218
is less than the minimum inter-packet delay.
6. The method of claim 3, wherein the forwarding path reachability constraint that the hop path should satisfy is:
Figure FDA0003263032010000031
formula VII shows that on the forwarding path the in-degree and out-degree of every routing node are equal;
if
Figure FDA0003263032010000032
then
Figure FDA0003263032010000033
equation VIII represents that each forwarding routing node in the path is physically adjacent to its previous-hop and next-hop routing nodes, where $\chi(MR_v)$ represents the set of forwarding routing nodes remaining after the routes to which the source address and the destination address belong are removed from the forwarding path;
if it is
Figure FDA0003263032010000034
equation IX indicates that the distance from the next-hop routing node to the destination node is not greater than the distance from the current forwarding node to the destination routing node, where
Figure FDA0003263032010000035
represents the distance from $MR_v$ to the target node.
7. The method of claim 1, wherein the optimal hopping path is generated from the security capacity matrix using max-flow min-cut theory.
8. The SDN network-based path hopping dynamic defense method of claim 7, wherein generating an optimal hopping path comprises:
$sc_{S,D} = c_{S,D} \cdot \omega^{s}_{S,D}$ (X)
in formula X, the maximum residual capacity $c_{S,D}$ between S and D is combined with the safety factor $\omega^{s}_{S,D}$; $n = |N|$ represents the number of network forwarding routing nodes; $sc_{S,D}$ represents the resource capacity of the routing nodes and forwarding links that can realize secure forwarding from any source node $S \in N$ to destination node $D \in N$;
Figure FDA0003263032010000036
formula XI shows that the safety factor is determined by the monitoring strategy adopted by the attacker and the hopping strategy adopted by the defender: the attacker maximizes the attack gain by adopting different monitoring strategies $a \in A$, i.e. by minimizing $\omega^{s}_{S,D}$; the defender maximizes the gain of hopping defense by generating different hopping strategies $d \in D$, i.e. by maximizing $\omega^{s}_{S,D}$; the number of monitoring actions of the attacker in time T is $R_A = T / r_A$, the number of hops is $R_D = T / T_{RMP}$, and the safety factor is related to the probability that the attacker monitors the jth link
Figure FDA0003263032010000041
and the probability P that a data packet passes through the jth link.
9. A dynamic defense system for path jump based on an SDN network is characterized by comprising:
the hopping route management module, configured to construct a set of hopping routes that meets the constraint conditions according to the collected network routing node states and network topology information and the constraints to be satisfied by the routing nodes and forwarding paths;
the path hopping decision module generates an optimal hopping path and hopping period combination by using an optimal hopping path generation method based on a safety capacity matrix;
and the hopping route implementation module, configured to deploy and issue flow tables according to the generated hopping path so as to update the hopping route configuration.
10. The SDN network-based path hopping dynamic defense system of claim 9, wherein the hopping route implementation module installs flow table entries on the routing nodes of the hopping path in reverse order, from the destination node to the source node, and deletes the old flow table rules in forward order, from the source node to the destination node.
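The rollout order of claim 10 is the practical safeguard behind the "no transient problems" goal of step S5: if the source switch is repointed before the downstream switches carry the new entries, packets hit a table miss and are dropped until the remaining messages arrive. The following Python is an added example (not the patent's or any controller's code) that simulates both orders on a constructed five-switch topology and records, after every single flow-table change, whether the flow is still deliverable. The switches, links, both paths and the dict-based flow tables standing in for OpenFlow Modify-State handling are all assumptions; the idle timeout equal to the hopping period follows the text.

```python
"""Simulated rollout of a new hopping route on the data plane in the order of
claim 10: install the new path's entries from the destination back to the
source, then delete the old entries from the source towards the destination,
checking after every flow-table change that the flow is still deliverable.
Added example, not the patent's or any controller's code; switches, links and
both paths are constructed, and flow tables are plain dicts."""

IDLE_TIMEOUT = 10  # seconds; assumed equal to the hopping period so entries age out

# Constructed physical links (directed as used by the two paths below)
LINKS = {("S", "A"), ("S", "B"), ("A", "D"), ("B", "C"), ("C", "D")}


def fresh_dataplane(flow, path):
    """Switch name -> {flow id: (next hop, idle_timeout)} with `path` installed."""
    tables = {node: {} for node in "SABCD"}
    for here, nxt in zip(path, path[1:]):
        tables[here][flow] = (nxt, IDLE_TIMEOUT)
    return tables


def deliverable(tables, flow, src, dst):
    """Walk a packet of `flow` hop by hop; False on a table miss (transient
    black hole) or on a forwarding loop."""
    cur, seen = src, set()
    while cur != dst:
        if cur in seen:
            return False
        seen.add(cur)
        entry = tables[cur].get(flow)
        if entry is None or (cur, entry[0]) not in LINKS:
            return False
        cur = entry[0]
    return True


def hop_route(tables, flow, old_path, new_path, reverse_install=True):
    """Apply the path change one flow-table message at a time and return the
    deliverability of the flow observed after each message."""
    src, dst = new_path[0], new_path[-1]
    trace = []
    hops = list(zip(new_path, new_path[1:]))      # (node, next hop) pairs
    if reverse_install:
        hops.reverse()                             # destination side first (claim 10)
    for node, nxt in hops:
        tables[node][flow] = (nxt, IDLE_TIMEOUT)   # add, or overwrite a shared node's entry
        trace.append(deliverable(tables, flow, src, dst))
    for node in old_path[:-1]:                     # old rules go source -> destination
        if node not in new_path and flow in tables[node]:
            del tables[node][flow]
            trace.append(deliverable(tables, flow, src, dst))
    return trace


if __name__ == "__main__":
    old, new = ["S", "A", "D"], ["S", "B", "C", "D"]
    print("reverse install:", hop_route(fresh_dataplane("k", old), "k", old, new))
    print("forward install:", hop_route(fresh_dataplane("k", old), "k", old, new,
                                        reverse_install=False))
```

In the reverse order every intermediate state forwards the flow either along the old path or along the completed tail of the new one, so the trace stays all True; in the forward order the first two messages leave the source pointing at switches that have no entry yet, which is exactly the transient the ordering rule avoids. Entries left behind on nodes that drop out of the path would also expire on their own once the idle timeout elapses, which is why the text ties it to the hopping period.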
CN202111078197.7A 2021-09-15 2021-09-15 SDN network-based path jump dynamic defense system and method Pending CN113810405A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111078197.7A CN113810405A (en) 2021-09-15 2021-09-15 SDN network-based path jump dynamic defense system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111078197.7A CN113810405A (en) 2021-09-15 2021-09-15 SDN network-based path jump dynamic defense system and method

Publications (1)

Publication Number Publication Date
CN113810405A true CN113810405A (en) 2021-12-17

Family

ID=78940881

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111078197.7A Pending CN113810405A (en) 2021-09-15 2021-09-15 SDN network-based path jump dynamic defense system and method

Country Status (1)

Country Link
CN (1) CN113810405A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180069786A1 (en) * 2016-09-02 2018-03-08 Argela Yazilim ve Bilisim Teknolojileri San. ve Tic. A.S. Randomized route hopping in software defined networks
CN108833285A (en) * 2018-06-08 2018-11-16 浙江捷尚人工智能研究发展有限公司 Network moving target defence method, electronic equipment, storage medium and system
CN113225255A (en) * 2021-03-31 2021-08-06 福建奇点时空数字科技有限公司 SDN random route hopping method based on trigger generation mechanism

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
雷程,马多贺,张红旗,韩琦,杨英杰: "基于最优路径跳变的网络移动目标防御技术", 《通信学报》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134304A (en) * 2022-06-27 2022-09-30 长沙理工大学 Self-adaptive load balancing method for avoiding data packet disorder in cloud computing data center
CN115134304B (en) * 2022-06-27 2023-10-03 长沙理工大学 Self-adaptive load balancing method for avoiding data packet disorder of cloud computing data center
CN115174467A (en) * 2022-06-28 2022-10-11 福州大学 Route jump defense construction method based on programmable data plane
CN115174467B (en) * 2022-06-28 2023-09-22 福州大学 Route jump defending construction method based on programmable data plane

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211217