TW202027460A - Dynamic protection method for network node and network protection server - Google Patents

Dynamic protection method for network node and network protection server

Info

Publication number
TW202027460A
Authority
TW
Taiwan
Prior art keywords
network packet
network
mobile protection
packet
virtual
Prior art date
Application number
TW108100516A
Other languages
Chinese (zh)
Other versions
TWI682644B (en)
Inventor
王貞力
周國森
陳彥仲
Original Assignee
中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Priority date
Filing date
Publication date
Application filed by 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Priority to TW108100516A
Application granted
Publication of TWI682644B
Publication of TW202027460A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a dynamic protection method for network node and network protection server. The method includes: creating a dynamic protection table, wherein the dynamic protection table includes a plurality of virtual target hosts and a plurality of numbers corresponding to the virtual target hosts; recording a first time point of creating the dynamic protection table, and generating an interval time; updating the correspondence relationships between the virtual target hosts and the foregoing numbers at a second time point to update the dynamic protection table, wherein the second time point is the sum of the first time point and the interval time; and receiving a network packet and adaptively directing the network packet to one of the aforementioned virtual target hosts according to the packet content of the network packet.

Description

Dynamic protection method for a network node and network protection server

The present invention relates to a network protection method and a network protection server, and in particular to a dynamic protection method for a network node and a network protection server.

In current network environments the network configuration of a system service host is mostly static and fixed, and is not changed continuously once deployed. After an intruder has probed and collected information through, for example, a port-scanning attack, it can mount a targeted and effective intrusion against the weaknesses or vulnerabilities of the system service host.

In view of this, the present invention provides a dynamic protection method for a network node and a network protection server that can be used to solve the technical problem described above.

The present invention provides a dynamic protection method for a network node, which includes: creating a dynamic protection table, wherein the dynamic protection table includes a plurality of virtual target hosts and a plurality of dynamic protection numbers corresponding to the virtual target hosts; recording a first time point at which the dynamic protection table is created, and generating an interval time; updating the correspondence between the virtual target hosts and the dynamic protection numbers at a second time point so as to update the dynamic protection table, wherein the second time point is the sum of the first time point and the interval time; and receiving a network packet and adaptively directing the network packet to one of the virtual target hosts according to the packet content of the network packet.

The present invention also provides a network protection server that includes a storage circuit and a processor. The storage circuit records a plurality of modules. The processor is coupled to the storage circuit and accesses the modules to perform the following steps: creating a dynamic protection table, wherein the dynamic protection table includes a plurality of virtual target hosts and a plurality of dynamic protection numbers corresponding to the virtual target hosts; recording a first time point at which the dynamic protection table is created, and generating an interval time; updating the correspondence between the virtual target hosts and the dynamic protection numbers at a second time point so as to update the dynamic protection table, wherein the second time point is the sum of the first time point and the interval time; and receiving a network packet and adaptively directing the network packet to one of the virtual target hosts according to the packet content of the network packet.

Based on the above, the present invention lets the target hosts keep changing over time, which increases the complexity and cost of an attack, limits the attacker's opportunities to discover vulnerabilities, and thereby achieves the protective effect of an active defense.

To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.

In outline, the present invention discloses a dynamic protection method in which network nodes change at random. When network communication takes place between virtual hosts, software-defined networking technology is used to monitor the virtual network, and a dynamic protection table is used to change the network node and host location that a suspicious connection is trying to reach; the network nodes recorded in the dynamic protection table themselves keep changing at random time intervals, so as to confuse and deceive suspicious users. When a network packet is received, its packet content is analysed against the information of the protected system service hosts and of the target hosts to determine whether it is a suspicious connection that should undergo dynamic protection processing. If the packet is judged to be a suspicious connection, then, depending on the situation, a dynamic protection connection rule based on the OpenFlow protocol is dispatched to the cloud virtual switch, which redirects the connection from the network node of the system service host it originally intended to reach to a target host; alternatively the packet is simply dropped. If the packet is judged not to be a suspicious connection, it is allowed to connect normally to the system service host. In this way a suspicious user cannot obtain correct system service information and must contend with a large number of uncertainties, and because the system is dynamic it becomes much harder to explore and predict, which achieves the purpose of protecting the system.

Please refer to FIG. 1, which is a schematic diagram of a network protection server according to an embodiment of the present invention. In this embodiment the network protection server 100 may be a server, a personal computer (PC), a notebook PC, a netbook PC, a tablet PC, a virtual machine or the like, but is not limited to these.

As shown in FIG. 1, the network protection server 100 includes a storage circuit 102 and a processor 104. The storage circuit 102 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk, other similar device, or a combination of these devices, and can be used to record a plurality of program codes or modules.

The processor 104 is coupled to the storage circuit 102 and may be a general-purpose processor, a special-purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors combined with a digital signal processor core, a controller, a microcontroller, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), any other kind of integrated circuit, a state machine, a processor based on the Advanced RISC Machine (ARM) architecture, or the like.

In embodiments of the present invention, the processor 104 can load the program code or modules recorded in the storage circuit 102 to execute the dynamic protection method for a network node proposed by the present invention, which is described further below.

Please refer to FIG. 2, which is a flowchart of a dynamic protection method for a network node according to an embodiment of the present invention. The method of this embodiment can be executed by the network protection server of FIG. 1; the details of each step in FIG. 2 are described below with reference to the components shown in FIG. 1.

In step S210, the processor 104 creates a dynamic protection table. In this embodiment the dynamic protection table may include a plurality of virtual target hosts and a plurality of dynamic protection numbers corresponding to those virtual target hosts. For example, if the number of virtual target hosts is n and the dynamic protection numbers are 0 to (n-1), the processor 104 may assign to each virtual target host one of the dynamic protection numbers 0 to (n-1), with each virtual target host corresponding to a different dynamic protection number. In addition, the dynamic protection table may also include, for each virtual target host, its target host number, network node and virtual network interface, but is not limited to this.

In step S220, the processor 104 records the first time point at which the dynamic protection table was created (hereinafter T_pre) and generates an interval time (hereinafter T_r). In different embodiments the processor 104 may generate T_r in different ways as required. For example, the processor 104 may randomly generate a value within a certain numerical range (for example, 30 minutes) as T_r, but is not limited to this.

In step S230, the processor 104 updates the correspondence between the virtual target hosts and the dynamic protection numbers at a second time point (hereinafter T_now), thereby updating the dynamic protection table. In this embodiment T_now is, for example, the sum of T_pre and T_r. That is, after T_pre the processor 104 waits for a period T_r and then updates the correspondence between the virtual target hosts and the dynamic protection numbers.

In one embodiment, the processor 104 updates the dynamic protection table by shuffling the correspondence between the virtual target hosts and the dynamic protection numbers. For example, suppose the initially created dynamic protection table includes a first, second, ..., tenth virtual target host, which correspond one-to-one and in order to dynamic protection numbers 0 to 9. After the processor 104 performs the update, the first to tenth virtual target hosts no longer correspond in order to numbers 0 to 9; instead each corresponds to one of the numbers 0 to 9 individually. For example, the first virtual target host may correspond to dynamic protection number 2, the second virtual target host to dynamic protection number 6, and so on. The above is only an example and is not intended to limit the possible implementations of the present invention.

In one embodiment, the processor 104 may again update the correspondence between the virtual target hosts and the dynamic protection numbers at a third time point, so as to update the dynamic protection table once more, where the third time point is separated from the second time point by another interval time, which may likewise be generated (randomly) by the processor 104. That is, the processor 104 may continually update the dynamic protection table from time to time by, for example, shuffling the correspondence between the virtual target hosts and the dynamic protection numbers, but the present invention is not limited to this.

In step S240, the processor 104 receives a network packet and adaptively directs the network packet to one of the virtual target hosts according to the packet content of the network packet.

As can be seen from the above, the dynamic protection method proposed by the present invention lets the target hosts keep changing over time, which increases the complexity and cost of an attack, limits the attacker's opportunities to discover vulnerabilities, and achieves the protective effect of an active defense.

To make the concept of the present invention clearer, FIG. 3 is used for further explanation. Please refer to FIG. 3, which is a flowchart, according to an embodiment of the present invention, of adaptively directing a network packet to one of the virtual target hosts according to the packet content of the network packet. First, in step S301, the processor 104 determines whether a security alert notification has been received. If so, step S302 is executed next; otherwise step S303 is executed.

In step S302, the processor 104 records the IP address corresponding to the security alert notification in a suspicious IP database. In step S303, the processor 104 receives the network packet, and in step S304 it parses the packet content of the network packet, where the packet content may include the destination IP, source IP and destination port of the network packet, but is not limited to these.

In one embodiment, when an attacker launches a port-scanning attack in a cloud environment, the method of the present invention uses software-defined networking (SDN) technology to centrally control the flow of network packets and to parse the packet content of these attack packets, but the present invention is not limited to this.

After step S304, the processor 104 determines in step S305 whether the suspicious IP database is empty (null). If so, step S310 is executed next; otherwise step S306 is executed.

In step S306, the processor 104 determines whether the source IP has already been recorded in the suspicious IP database. That is, the processor 104 determines whether the source IP of the network packet has previously triggered a corresponding security alert notification. If so, the network packet may be an attack packet and is treated as a suspicious network packet, so the processor 104 executes steps S307, S308 and S309 accordingly to direct the network packet to one of the target hosts.

In step S307, the processor 104 performs a hash operation on the packet content of the network packet to produce a hash value. In step S308, the processor 104 calculates a reference value based on the hash value. In one embodiment, the processor 104 converts the hash value into a plurality of decimal American Standard Code for Information Interchange (ASCII) numbers and adds those ASCII numbers together to give a sum. The processor 104 then calculates the remainder of dividing this sum by n (that is, the number of virtual target hosts) and uses this remainder as the reference value. In this case the reference value is an integer between 0 and (n-1); that is, it corresponds to one of the dynamic protection numbers. Then, in step S309, the network packet is directed to a specific target host among the virtual target hosts, namely the one whose dynamic protection number corresponds to the reference value.

For example, if the calculated reference value is 3, the processor 104 looks up the dynamic protection table to find the virtual target host currently corresponding to dynamic protection number 3, which becomes the specific target host. The processor 104 then obtains the network node and virtual network interface of the specific target host from the dynamic protection table, composes a dynamic protection connection rule based on the OpenFlow protocol, and dispatches that rule to the flow table of the cloud virtual switch; the cloud virtual switch then redirects the original flow of the network packet according to the dynamic protection connection rule in its flow table, so that the network packet is directed to the network node and virtual network interface of the specific target host.
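The dynamic protection table of steps S210 to S230 together with the hash-to-reference lookup of steps S307 to S309, as an added Python example that is not code from the patent or from 中華電信: the virtual target hosts, their node and virtual-interface names, the SHA-256 hash (the description does not name a hash function) and the seeded random generator are assumptions. The "decimal ASCII numbers" of step S308 are read here as the ASCII codes of the characters of the hexadecimal digest, and a rotation that happens to reproduce the previous mapping is re-drawn, which is a design choice of this example rather than something the description specifies.

```python
"""Dynamic protection table with timed reshuffle and hash-based target selection.

Added example for this page; not code from the patent or its assignee.
Follows steps S210-S230 (table creation, interval T_r, reshuffle at
T_pre + T_r) and S307-S309 (hash -> reference value -> table lookup).
Host rows, node/vNIC names and the SHA-256 choice are assumptions.
"""
import hashlib
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VirtualTarget:
    """One row of the dynamic protection table (columns named in the description)."""
    host_no: int   # target host number
    node: str      # network node hosting the decoy (assumed naming)
    vnic: str      # virtual network interface on that node (assumed naming)


def hex_digest(content: bytes) -> str:
    """Step S307: hash the packet content. SHA-256 is an assumption."""
    return hashlib.sha256(content).hexdigest()


def reference_value(content: bytes, n: int) -> int:
    """Steps S307-S308: sum the decimal ASCII codes of the digest's characters
    and reduce modulo n, giving a dynamic protection number in 0..n-1."""
    if n <= 0:
        raise ValueError("need at least one virtual target host")
    ascii_numbers = [ord(ch) for ch in hex_digest(content)]
    return sum(ascii_numbers) % n


@dataclass
class DynamicProtectionTable:
    targets: list                  # VirtualTarget rows; list index = row
    t_pre: float                   # T_pre: when the mapping was last (re)created
    max_interval: float = 1800.0   # upper bound for T_r; 30 minutes as in the text
    rng: random.Random = field(default_factory=random.Random)
    number_of: dict = field(init=False)   # dynamic protection number -> row index
    t_r: float = field(init=False)        # current interval T_r

    def __post_init__(self):
        n = len(self.targets)
        self.number_of = {i: i for i in range(n)}        # S210: host i gets number i
        self.t_r = self.rng.uniform(1.0, self.max_interval)   # S220: random T_r

    def next_rotation(self) -> float:
        """T_now = T_pre + T_r (step S230)."""
        return self.t_pre + self.t_r

    def rotate(self, now: float) -> bool:
        """At or after T_pre + T_r, shuffle number -> host and schedule the next
        rotation (S230 and the third-time-point embodiment). Returns True if rotated."""
        if now < self.next_rotation():
            return False
        n = len(self.targets)
        old = [self.number_of[k] for k in range(n)]
        new = old[:]
        # Design choice of this example: re-draw when the shuffle reproduces the
        # old mapping, because such a rotation would change nothing.
        while n > 1 and new == old:
            self.rng.shuffle(new)
        self.number_of = {k: new[k] for k in range(n)}
        self.t_pre = now
        self.t_r = self.rng.uniform(1.0, self.max_interval)
        return True

    def lookup(self, number: int) -> VirtualTarget:
        """Resolve a dynamic protection number to the row currently holding it."""
        return self.targets[self.number_of[number]]

    def select_target(self, content: bytes) -> VirtualTarget:
        """Steps S307-S309 end to end: packet content -> reference value -> decoy."""
        return self.lookup(reference_value(content, len(self.targets)))


def demo_table(n: int = 10, seed: int = 7) -> DynamicProtectionTable:
    """Constructed sample table: n decoys spread over two assumed compute nodes."""
    rows = [VirtualTarget(i, f"node-{i % 2}", f"tap-decoy{i}") for i in range(n)]
    return DynamicProtectionTable(rows, t_pre=0.0, rng=random.Random(seed))
```

Because the reference value depends only on the packet content and n, the same probe always yields the same number; it is the rotation of number_of that sends it to a different decoy after T_pre + T_r, which is the point made in the description.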

In short, when the processor 104 detects a suspicious network packet, it can control the flow of that packet through the OpenFlow protocol and change the virtual network interface at the packet's destination from the system service host it originally intended to reach to the virtual target host that corresponds to the reference value in the dynamic protection table. In other words, the system service information that an attacker discovers through a port-scanning attack is provided by a decoy virtual target host, so the protected system service is spared the targeted exploitation or advanced persistent threat (APT) attack that would otherwise follow the discovery of a vulnerability.

Furthermore, as described in the preceding embodiments, because the dynamic protection table is continually updated, even if the processor 104 computes the same reference value at different time points, suspicious network packets encountered at those different time points may be directed to different virtual target hosts.

In addition, if in step S306 the source IP is not recorded in the suspicious IP database, the network packet may not be a suspicious network packet, so the processor 104 executes step S310 to determine whether the destination IP of the network packet is a protected IP. If so, step S311 is executed for further determination; otherwise step S313 is executed. In this embodiment the method of the present invention protects system service hosts, so the data of the protected system service hosts is stored at the outset. In this case the IP of a protected system service host is regarded as a protected IP, and the ports opened on a protected system service host are regarded as protected ports, but the present invention is not limited to this.

In step S311, the processor 104 determines whether the destination port of the network packet is a protected port. If so, the network packet can be considered not to be a suspicious network packet, so step S312 is executed to direct the network packet to the protected system service host corresponding to the destination IP. In one embodiment, the processor 104 composes a normal connection rule based on the OpenFlow protocol and dispatches it to the flow table of the cloud virtual switch, which then forwards the network packet according to the normal connection rule in its flow table to the host (a system service host or some other ordinary host) corresponding to the destination IP.

On the other hand, if the processor 104 determines in step S311 that the destination port of the network packet is not a protected port, the network packet is attempting to connect to a port that is not open and is therefore treated as a suspicious network packet, so the processor 104 executes steps S307, S308 and S309 accordingly to direct the network packet to one of the target hosts.

In addition, in step S313 the processor 104 determines whether the destination IP of the network packet belongs to any of the virtual target hosts. If so, the processor 104 executes step S314 to block the network packet; if not, the processor 104 proceeds to step S315. Specifically, if the destination IP of the network packet belongs to one of the virtual target hosts, an attacker previously carried out a port-scanning attack, was directed to one of the virtual target hosts, and obtained its IP address. The network packet currently being processed is therefore a new wave of attack launched by that attacker directly against the IP address of the virtual target host.

In other words, the processor 104 knows that the network packet currently being processed is highly suspicious and can therefore block and drop it directly. In one embodiment, the processor 104 composes a dynamic protection blocking rule based on the OpenFlow protocol and dispatches it to the flow table of the cloud virtual switch, which then discards the network packet according to the dynamic protection blocking rule in its flow table, thereby blocking the network packet.

On the other hand, if in step S313 the destination IP of the network packet does not belong to any of the virtual target hosts, the network packet is harmless traffic, so in step S315 it is directed to the host corresponding to the destination IP, allowing it to connect to that host. In different embodiments this host may be an unprotected system service host, another client host, or the like.
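The decision tree of FIG. 3 (steps S301 to S315) and the three kinds of rule it dispatches, as an added Python example that is not code from the patent or its assignee. The packet fields, the dictionary standing in for an OpenFlow flow entry, the addresses and the port sets are constructed; the target picker is passed in by the caller so that the example runs on its own, and a real controller would emit the same match and actions as an OpenFlow flow-mod rather than a dict.

```python
"""Packet classification of FIG. 3 (steps S301-S315) with OpenFlow-style rules.

Added example for this page; not code from the patent or its assignee.
The Packet layout, the rule dict format and all addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def content(self) -> bytes:
        """Bytes handed to the hash of step S307 (assumed header encoding)."""
        return f"{self.proto}:{self.src_ip}>{self.dst_ip}:{self.dst_port}".encode()


@dataclass(frozen=True)
class Target:
    ip: str
    node: str
    vnic: str


class ProtectionPolicy:
    def __init__(self, protected: Dict[str, Set[int]], decoy_ips: Set[str],
                 pick_target: Callable[[bytes], Target]):
        self.protected = protected         # protected IP -> its open (protected) ports
        self.decoy_ips = set(decoy_ips)    # IPs of the virtual target hosts
        self.suspicious: Set[str] = set()  # the suspicious IP database
        self.pick_target = pick_target     # S307-S309, supplied by the caller

    def record_alert(self, ip: str) -> None:
        """S301-S302: an alert's source address joins the suspicious IP database."""
        self.suspicious.add(ip)

    def decide(self, pkt: Packet) -> dict:
        """Return the rule FIG. 3 would dispatch for one parsed packet."""
        # S305/S306 in one test: an empty database cannot contain the source IP.
        if self.suspicious and pkt.src_ip in self.suspicious:
            return self._divert(pkt)                             # S307-S309
        if pkt.dst_ip in self.protected:                         # S310
            if pkt.dst_port in self.protected[pkt.dst_ip]:       # S311
                return self._forward(pkt, "normal")              # S312
            return self._divert(pkt)                             # closed port -> S307
        if pkt.dst_ip in self.decoy_ips:                         # S313
            return self._drop(pkt)                               # S314
        return self._forward(pkt, "allow")                       # S315

    @staticmethod
    def _match(pkt: Packet) -> dict:
        return {"ip_proto": pkt.proto, "ipv4_src": pkt.src_ip,
                "ipv4_dst": pkt.dst_ip, "tp_dst": pkt.dst_port}

    def _divert(self, pkt: Packet) -> dict:
        """Dynamic protection connection rule: rewrite the destination and
        output on the decoy's node/virtual interface."""
        tgt = self.pick_target(pkt.content())
        return {"verdict": "divert", "match": self._match(pkt),
                "actions": [("set_ipv4_dst", tgt.ip),
                            ("output", f"{tgt.node}/{tgt.vnic}")]}

    def _forward(self, pkt: Packet, kind: str) -> dict:
        """Normal connection rule: let the switch forward as usual."""
        return {"verdict": kind, "match": self._match(pkt), "actions": [("normal", None)]}

    def _drop(self, pkt: Packet) -> dict:
        """Dynamic protection blocking rule: an empty action list drops the packet."""
        return {"verdict": "drop", "match": self._match(pkt), "actions": []}


def demo_policy() -> ProtectionPolicy:
    """Constructed sample: one protected web host, two decoys, a simple picker."""
    decoys = [Target("10.0.9.1", "node-0", "tap-decoy0"),
              Target("10.0.9.2", "node-1", "tap-decoy1")]

    def pick(content: bytes) -> Target:
        # Stand-in for hash -> reference value -> table lookup (S307-S309).
        return decoys[sum(content) % len(decoys)]

    return ProtectionPolicy(protected={"10.0.0.5": {80, 443}},
                            decoy_ips={d.ip for d in decoys}, pick_target=pick)
```

Steps S305 and S306 collapse into one membership test because an empty suspicious IP database cannot contain the source IP. The lookup is keyed on source IP alone, so an alert recorded for an address shared by many clients diverts all of them until the entry is removed, and the description does not say when entries expire; that is worth deciding before deploying such a table.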

In summary, the dynamic protection method and network protection server provided by the present invention use SDN and OpenFlow technology to centrally monitor and analyse the content of virtual-network packets. When a suspicious network packet is detected, a network node transition is performed, thereby protecting the security of service systems in an SDN environment.

The method provided by the present invention can detect port-scanning attacks and, after distinguishing normal network packets from suspicious ones, prevent the suspicious network packets from reaching the protected service system.

In addition, by creating multiple virtual target hosts, an attacker can only obtain information about the virtual target hosts and cannot probe the data of the real service system hosts, thereby protecting the service system hosts in an SDN environment.

Moreover, the method provided by the present invention continually updates the dynamic protection table, so that the virtual target hosts keep changing over time, which increases the complexity and cost of an attack, limits the attacker's opportunities to discover vulnerabilities, and achieves the protective effect of an active defense.

Although the present invention has been disclosed above by way of embodiments, these are not intended to limit it. Anyone with ordinary skill in the relevant technical field may make minor changes and modifications without departing from the spirit and scope of the present invention, so the scope of protection of the present invention shall be as defined by the appended claims.

100: network protection server; 102: storage circuit; 104: processor; S210~S240, S301~S315: steps

FIG. 1 is a schematic diagram of a network protection server according to an embodiment of the present invention.
FIG. 2 is a flowchart of a dynamic protection method for a network node according to an embodiment of the present invention.
FIG. 3 is a flowchart, according to an embodiment of the present invention, of adaptively directing a network packet to one of the virtual target hosts according to the packet content of the network packet.


Claims (11)

1. A dynamic protection method for a network node, comprising: creating a dynamic protection table, wherein the dynamic protection table includes a plurality of virtual target hosts and a plurality of dynamic protection numbers corresponding to the virtual target hosts; recording a first time point at which the dynamic protection table is created, and generating an interval time; updating the correspondence between the virtual target hosts and the dynamic protection numbers at a second time point so as to update the dynamic protection table, wherein the second time point is the sum of the first time point and the interval time; and receiving a network packet and adaptively directing the network packet to one of the virtual target hosts according to the packet content of the network packet.

2. The method of claim 1, further comprising: in response to receiving a security alert notification, recording a connection internet protocol (IP) address corresponding to the security alert notification in a suspicious IP database.

3. The method of claim 2, wherein the packet content of the network packet includes a source IP, and the step of adaptively directing the network packet to one of the virtual target hosts according to the packet content of the network packet comprises: in response to the suspicious IP database not being empty, determining whether the source IP has been recorded in the suspicious IP database; in response to the source IP having been recorded in the suspicious IP database, performing a hash operation on the packet content of the network packet to produce a hash value; calculating a reference value based on the hash value, wherein the reference value corresponds to one of the dynamic protection numbers; and directing the network packet to a specific target host among the virtual target hosts, wherein the specific target host corresponds to the reference value.

4. The method of claim 3, wherein the number of the dynamic protection numbers is n, and the step of calculating the reference value based on the hash value comprises: converting the hash value into a plurality of decimal American Standard Code for Information Interchange (ASCII) numbers; adding the ASCII numbers together to give a sum; and calculating the remainder of dividing the sum by n, and using the remainder as the reference value.

5. The method of claim 3, wherein the dynamic protection table further includes, for each of the virtual target hosts, a corresponding target host number, network node and virtual network interface, and the step of directing the network packet to the specific target host among the virtual target hosts comprises: obtaining the network node and the virtual network interface of the specific target host from the dynamic protection table; and composing a dynamic protection connection rule based on an OpenFlow protocol and dispatching the dynamic protection connection rule to a flow table of a cloud virtual switch, so that the cloud virtual switch redirects the original flow of the network packet according to the dynamic protection connection rule in the flow table, thereby directing the network packet to the network node and the virtual network interface of the specific target host.

6. The method of claim 2, wherein the packet content of the network packet includes a destination IP, and the step of adaptively directing the network packet to one of the virtual target hosts according to the packet content of the network packet comprises: in response to the suspicious IP database being empty, determining whether the destination IP of the network packet belongs to a protected IP; in response to the destination IP of the network packet not belonging to the protected IP, determining whether the destination IP of the network packet belongs to any of the virtual target hosts; and in response to the destination IP of the network packet belonging to any of the virtual target hosts, blocking the network packet.

7. The method of claim 6, wherein the packet content of the network packet further includes a destination port, and in response to the destination IP of the network packet belonging to the protected IP, the method further comprises: determining whether the destination port of the network packet belongs to a protected port; and in response to the destination port belonging to the protected port, directing the network packet to a protected system service host corresponding to the destination IP.
如申請專利範圍第7項所述的方法,其中反應於該目的通訊埠不屬於該受保護通訊埠,所述方法更包括: 對該網路封包的該封包內容執行一雜湊運算,以產生一雜湊值; 基於該雜湊值計算一參考值,其中該參考值對應於該些移動防護編號的其中之一; 將該網路封包導引至該些虛擬標靶主機的一特定標靶主機,其中該特定標靶主機對應於該參考值。For example, the method described in item 7 of the scope of patent application, wherein it is reflected that the destination communication port does not belong to the protected communication port, the method further includes: Performing a hash operation on the packet content of the network packet to generate a hash value; Calculating a reference value based on the hash value, where the reference value corresponds to one of the mobile protection numbers; The network packet is directed to a specific target host of the virtual target hosts, where the specific target host corresponds to the reference value. 如申請專利範圍第6項所述的方法,其中反應於該網路封包的該目的IP不屬於該些虛擬標靶主機的任一,將該網路封包導引至對應於該目的IP的一主機。The method described in item 6 of the scope of patent application, wherein the destination IP reflected in the network packet does not belong to any of the virtual target hosts, and the network packet is directed to a corresponding destination IP Host. 如申請專利範圍第1項所述的方法,更包括: 在一第三時間點再次更新該些虛擬標靶主機與該些移動防護編號的對應關係,以再次更新該移動防護表,其中該第三時間點與該第二時間點間隔另一間隔時間。The method described in item 1 of the scope of patent application includes: At a third time point, the correspondence between the virtual target hosts and the mobile protection numbers is updated again to update the mobile protection table again, wherein the third time point and the second time point are separated by another interval time. 
11. A network protection server, comprising:
a storage circuit recording a plurality of modules; and
a processor coupled to the storage circuit and accessing the modules to perform the following steps:
creating a dynamic protection table, wherein the dynamic protection table comprises a plurality of virtual target hosts and a plurality of dynamic protection numbers corresponding to the virtual target hosts;
recording a first time point at which the dynamic protection table is created, and generating an interval time;
at a second time point, updating the correspondence between the virtual target hosts and the dynamic protection numbers so as to update the dynamic protection table, wherein the second time point is the sum of the first time point and the interval time; and
receiving a network packet and, according to the packet content of the network packet, adaptively directing the network packet to one of the virtual target hosts.
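The method claims read as one dispatch procedure: a table of decoys that is reshuffled on a timer (claims 1 and 10), a hash-derived index into that table (claim 4), an OpenFlow rule that steers the packet to the chosen decoy (claim 5), and a decision path that sends listed attackers and probes of unexpected ports to a decoy while blocking traffic addressed straight to a decoy (claims 3 and 6 to 9). The following is an added example written for this page, not code from the applicant or the patent. The addresses, ports and host names are constructed sample data; SHA-256 as the hash, the ovs-ofctl rule syntax, and the treatment of a non-empty database whose entries do not match the source are assumptions the claims leave open.

```python
"""Added example, not the applicant's code: a toy model of the dynamic protection
table and packet dispatch in claims 1-10 of TW202027460A. Addresses, ports,
SHA-256 as the hash and the ovs-ofctl syntax are assumptions for illustration."""
import hashlib
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class TargetHost:
    """A virtual target host (decoy) and its placement in the fabric (claim 5)."""
    host_id: str   # target host number
    ip: str
    node: str      # network node running the decoy
    vif: str       # virtual network interface on that node

class DynamicProtectionTable:
    """Numbers 0..n-1 -> decoys; reshuffled every `interval` seconds (claims 1, 10)."""
    def __init__(self, hosts, created_at, interval, rng=None):
        self.hosts = list(hosts)
        self.interval = interval
        self.next_update = created_at + interval     # the "second time point"
        self.rng = rng or random.Random()
        self.mapping = dict(enumerate(self.hosts))

    def maybe_rotate(self, now):
        """Reshuffle once per elapsed interval; True if a rotation ran."""
        rotated = False
        while now >= self.next_update:
            order = self.hosts[:]
            self.rng.shuffle(order)
            self.mapping = dict(enumerate(order))
            self.next_update += self.interval        # third time point, and so on
            rotated = True
        return rotated

def reference_value(packet_bytes, n):
    """Claim 4 as written: hash, sum the decimal ASCII codes of the hex digest,
    reduce mod n. Reducing the digest as an integer would be the usual form."""
    digest = hashlib.sha256(packet_bytes).hexdigest()   # hash choice is assumed
    return sum(ord(c) for c in digest) % n

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""

    def content(self):   # bytes fed to the hash; a deployment would hash the wire packet
        return f"{self.src_ip}>{self.dst_ip}:{self.dst_port}|".encode() + self.payload

class ProtectionServer:
    """The dispatch decision of claims 2, 3 and 6-9."""
    def __init__(self, table, protected):
        self.table = table
        self.protected = protected     # {protected_ip: {protected_port: service_host}}
        self.suspicious = set()        # suspicious IP database (claim 2)

    def alert(self, connecting_ip):
        """Claim 2: a security alert records the connecting IP."""
        self.suspicious.add(connecting_ip)

    def decoy_for(self, pkt):
        ref = reference_value(pkt.content(), len(self.table.hosts))
        return ("redirect", self.table.mapping[ref])

    def dispatch(self, pkt, now):
        self.table.maybe_rotate(now)
        if self.suspicious and pkt.src_ip in self.suspicious:
            return self.decoy_for(pkt)            # claim 3: listed source, any target
        # Claims 6-9. The claims spell this path out only for an empty database;
        # applying it to unlisted sources too is this example's assumption.
        services = self.protected.get(pkt.dst_ip)
        if services is not None:
            if pkt.dst_port in services:
                return ("forward", services[pkt.dst_port])   # claim 7: protected port
            return self.decoy_for(pkt)                        # claim 8: unexpected port
        if any(h.ip == pkt.dst_ip for h in self.table.hosts):
            return ("block", None)                            # claim 6: decoy addressed directly
        return ("forward", pkt.dst_ip)                        # claim 9

def flow_rule(pkt, host, bridge="br-int", priority=200):
    """Claim 5 as an ovs-ofctl command for the switch on host.node (OVS syntax is
    assumed; the claim only says the rule is composed under OpenFlow)."""
    return (f"ovs-ofctl add-flow {bridge} "
            f'"priority={priority},ip,nw_src={pkt.src_ip},nw_dst={pkt.dst_ip},'
            f'actions=mod_nw_dst:{host.ip},output:{host.vif}"')

def build_demo(seed=7):
    """Constructed sample: three decoys and one protected web server."""
    hosts = [TargetHost("T1", "10.0.9.1", "node-a", "vnet1"),
             TargetHost("T2", "10.0.9.2", "node-a", "vnet2"),
             TargetHost("T3", "10.0.9.3", "node-b", "vnet3")]
    table = DynamicProtectionTable(hosts, 0, 60, random.Random(seed))
    return ProtectionServer(table, {"10.0.1.10": {443: "web-1"}})
```

With `srv = build_demo()`, a packet to port 22 of the protected 10.0.1.10 is redirected to whichever decoy the digit sum selects, a packet sent straight to 10.0.9.2 is blocked, and once `srv.alert()` has recorded a source it is redirected even on port 443; `flow_rule()` renders the rule that would be pushed to the virtual switch on the decoy's node. One caveat the claims do not raise: the digit-sum step keeps only a few thousand possible values of the digest (the sum of 64 hex-digit ASCII codes lies between 3072 and 6528), which is enough to pick among a handful of decoys but not a reason to treat the mapping as unpredictable; the periodic reshuffle, not the hash, is what moves the attacker between decoys.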

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108100516A TWI682644B (en) 2019-01-07 2019-01-07 Dynamic protection method for network node and network protection server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW108100516A TWI682644B (en) 2019-01-07 2019-01-07 Dynamic protection method for network node and network protection server

Publications (2)

Publication Number Publication Date
TWI682644B (en) 2020-01-11
TW202027460A (en) 2020-07-16

Family

ID=69942489

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108100516A TWI682644B (en) 2019-01-07 2019-01-07 Dynamic protection method for network node and network protection server

Country Status (1)

Country Link
TW (1) TWI682644B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11455159B2 (en) * 2020-07-28 2022-09-27 Goldman Sachs & Co. LLC Wirelessly updating field programmable gate arrays upon detection of hardware vulnerability
TWI799070B (en) * 2022-01-10 2023-04-11 碩壹資訊股份有限公司 System and method for securing protected host

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9628507B2 (en) * 2013-09-30 2017-04-18 Fireeye, Inc. Advanced persistent threat (APT) detection center
CN103561004B (en) * 2013-10-22 2016-10-12 西安交通大学 Cooperating type Active Defending System Against based on honey net
US9495188B1 (en) * 2014-09-30 2016-11-15 Palo Alto Networks, Inc. Synchronizing a honey network configuration to reflect a target network environment
CN104410617B (en) * 2014-11-21 2018-04-17 西安邮电大学 A kind of information security attacking & defending department framework of cloud platform
CN107659540B (en) * 2016-07-25 2021-01-26 中兴通讯股份有限公司 Dynamic behavior analysis method, device, system and equipment

Also Published As

Publication number Publication date
TWI682644B (en) 2020-01-11

Similar Documents

Publication Publication Date Title
US20200366694A1 (en) Methods and systems for malware host correlation
US20210152520A1 (en) Network Firewall for Mitigating Against Persistent Low Volume Attacks
US20210029156A1 (en) Security monitoring system for internet of things (iot) device environments
US10505953B2 (en) Proactive prediction and mitigation of cyber-threats
US11831420B2 (en) Network application firewall
US10187422B2 (en) Mitigation of computer network attacks
US8260961B1 (en) Logical / physical address state lifecycle management
US8910285B2 (en) Methods and systems for reciprocal generation of watch-lists and malware signatures
JP2020515962A (en) Protection against APT attacks
US11863570B2 (en) Blockchain-based network security system and processing method
JP6138714B2 (en) Communication device and communication control method in communication device
EP2774071B1 (en) System and method for detecting a file embedded in an arbitrary location and determining the reputation of the file
US11252183B1 (en) System and method for ransomware lateral movement protection in on-prem and cloud data center environments
KR20060013491A (en) Network attack signature generation
Kim et al. Preventing DNS amplification attacks using the history of DNS queries with SDN
US11190433B2 (en) Systems and methods for identifying infected network nodes based on anomalous behavior model
Bdair et al. Brief of intrusion detection systems in detecting ICMPv6 attacks
TWI682644B (en) Dynamic protection method for network node and network protection server
US8819285B1 (en) System and method for managing network communications
US20230056101A1 (en) Systems and methods for detecting anomalous behaviors based on temporal profile
CN113328976B (en) Security threat event identification method, device and equipment
CN114553452B (en) Attack defense method and protection equipment
IL257134A (en) Systems and methods for providing multi-level network security
Prasad et al. BOTNET
Nathiya et al. An Effective Hybrid Intrusion Detection System for Use in Security Monitoring in the Virtual Network Layer of Cloud