WO2017143897A1 - Method, device, and system for handling attacks - Google Patents

Method, device, and system for handling attacks

Info

Publication number: WO2017143897A1
Authority: WO (WIPO, PCT)
Prior art keywords: flow, attack, policy, description information, data
Application number: PCT/CN2017/072087
Other languages: French (fr), Chinese (zh)
Inventors: 张晋, 吴凤伟
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication: WO2017143897A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

The present invention relates to the field of communication technology. An embodiment of the invention provides a method, device and system for handling attacks, which addresses the problem that the current attack handling system is prone to misoperation, leaving the network vulnerable to security attacks or blocking normal data flows. The method comprises: a service network element receives a data flow and, if the data flow is determined to be an attack flow, sends attack information corresponding to the attack flow to a policy control device, the attack information comprising flow description information of the attack flow and the attack type of the attack flow; the policy control device determines, on the basis of the attack type, a corresponding flow control policy and sends the flow description information and the flow control policy to an SDN controller; and the SDN controller processes, on the basis of the flow control policy, data flows matching the flow description information of the attack flow. The embodiment of the invention is used for handling attacks.

Description

Attack processing method, device and system
This application claims priority to Chinese Patent Application No. 201610109680.X, entitled "Attack processing method, device and system", filed with the Chinese Patent Office on February 26, 2016, the entire contents of which are incorporated herein by reference.
Technical field
Embodiments of the present invention relate to the field of communications technologies, and in particular to an attack processing method, device and system.
Background
With the rapid development of network technology, improving network security and preventing malicious attacks on networks has become increasingly important. In the prior art, a firewall acts as a security gateway between an internal network and the external Internet and prevents network elements in the internal network from being illegally attacked by external users. When the internal network communicates with the external Internet, the firewall, according to the security policy configured by the administrator, allows the safe data flows specified in that policy to pass through the gateway and blocks the attack data flows specified in it.
In this firewall-based attack handling mechanism, the security policy is usually pre-configured by the administrator from experience, while illegal attacks are usually sudden and hard to predict, so a manually pre-configured security policy is easily inaccurate. Once the security policy is misconfigured, it leads to misoperation: the protected network is exposed to security attacks, or normal data flows are blocked.
Summary of the invention
Embodiments of the present invention provide an attack processing method, device and system that solve the problem that the existing attack handling mechanism is prone to misoperation, leaving the network vulnerable to security attacks or blocking normal data flows.
To achieve this, embodiments of the present invention adopt the following technical solutions:
In a first aspect, an attack processing method is provided, including: a service network element receives a data flow and, if it determines that the data flow is an attack flow, sends attack information corresponding to the attack flow to a policy control device, the attack information including flow description information of the attack flow and the attack type to which the attack flow belongs; the policy control device determines a flow control policy corresponding to the attack type and sends the flow description information of the attack flow and the flow control policy to an SDN controller; and the SDN controller processes, according to the flow control policy, data flows that match the flow description information of the attack flow.
In a second aspect, a policy control device is provided, including: a receiving unit, configured to receive attack information corresponding to an attack flow sent by a service network element, the attack information including flow description information of the attack flow and the attack type to which the attack flow belongs; a determining unit, configured to determine the flow control policy corresponding to the attack type received by the receiving unit, the flow control policy including a flow processing policy and an execution policy; and a sending unit, configured to send the flow description information received by the receiving unit and the flow control policy determined by the determining unit to a software-defined network (SDN) controller, so that the SDN controller processes, according to the flow control policy, data flows that match the flow description information of the attack flow.
In a third aspect, a software-defined network (SDN) controller is provided, including: a receiving unit, configured to receive flow description information of an attack flow and a flow control policy sent by a policy control device, the flow control policy including a flow processing policy and an execution policy; and a processing unit, configured to process, according to the flow control policy received by the receiving unit, data flows that match the flow description information received by the receiving unit.
In a fourth aspect, a service network element is provided, including: a receiving unit, configured to receive a data flow; a determining unit, configured to determine whether the data flow received by the receiving unit is an attack flow; and a sending unit, configured to send, when the determining unit determines that the data flow is an attack flow, attack information corresponding to the attack flow to a policy control device, the attack information including flow description information of the attack flow and the attack type to which the attack flow belongs.
In this way, the service network element automatically identifies attack flows in the network and reports the flow description information and attack type of each identified attack flow to the policy control device; the policy control device automatically generates the flow control policy corresponding to the attack type and sends the flow description information and the flow control policy to the SDN controller; and the SDN controller processes data flows matching the flow description information according to the flow control policy. The attack flow can therefore be blocked on the IP-layer forwarding plane, protecting the network and network elements behind the SDN controller, and the security problems caused by misoperation of manually pre-configured security policies are avoided.
With reference to any of the foregoing aspects, in a first possible implementation of that aspect, the attack flow includes a network layer attack flow or a service layer attack flow.
With reference to any of the foregoing aspects or the first possible implementation thereof, in a second possible implementation of that aspect, the flow description information of the attack flow includes at least the source Internet Protocol (IP) address of the attack flow, and further includes at least one of the following: the destination IP address, source port, destination port and transport layer protocol number of the attack flow.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation of the first aspect, the service network element determining that the data flow is a service layer attack flow includes: if, by parsing the signaling messages and media information in the data flow, it determines that the data flow affects the security of a protected object at the service layer, determining that the data flow is a service layer attack flow, the service layer including the control plane, user plane and management plane.
With reference to the fourth aspect or its first or second possible implementation, in a third possible implementation of the fourth aspect, the determining unit is specifically configured to: if, by parsing the signaling messages and media information in the data flow, it determines that the data flow affects the security of a protected object at the service layer, determine that the data flow is a service layer attack flow, the service layer including the control plane, user plane and management plane.
In this way, because the service network element has access to the signaling layer and the media data layer, it can parse the signaling messages and media information in a data flow, analyze whether the security of protected objects at the service layer is threatened, and when it is, determine that the received data flow is an attack flow.
With reference to the first aspect or any of its first to third possible implementations, in a fourth possible implementation of the first aspect, the flow processing policy includes deleting the flow table entries corresponding to data flows matching the flow description information of the attack flow, redirecting data flows matching the flow description information of the attack flow, or limiting the traffic of data flows matching the flow description information of the attack flow; and the execution policy includes executing the flow processing policy immediately, periodically, or within a specific time period.
With reference to the second aspect or its first or second possible implementation, in a third possible implementation of the second aspect, the flow processing policy includes deleting the flow table entries corresponding to data flows matching the flow description information of the attack flow, redirecting data flows matching the flow description information of the attack flow, or limiting the traffic of data flows matching the flow description information of the attack flow; and the execution policy includes executing the flow processing policy immediately, periodically, or within a specific time period.
With reference to the third aspect or its first or second possible implementation, in a third possible implementation of the third aspect, the flow processing policy includes deleting the flow table entries corresponding to data flows matching the flow description information of the attack flow, redirecting data flows matching the flow description information of the attack flow, or limiting the traffic of data flows matching the flow description information of the attack flow; and the execution policy includes executing the flow processing policy immediately, periodically, or within a specific time period.
With reference to the first aspect or any of its first to fourth possible implementations, in a fifth possible implementation of the first aspect, when the flow description information of the attack flow includes at least the source IP address of the attack flow, processing data flows matching the flow description information of the attack flow according to the flow control policy includes: processing, according to the flow control policy, the data flows whose source IP address is the source IP address in the flow description information of the attack flow.
With reference to the third aspect or any of its first to third possible implementations, in a fourth possible implementation of the third aspect, when the flow description information of the attack flow includes at least the source IP address of the attack flow, the processing unit is specifically configured to: process, according to the flow control policy, the data flows whose source IP address is the source IP address in the flow description information of the attack flow.
In a fifth aspect, a system is provided, including any SDN controller of the third aspect or its first to fourth possible implementations, any policy control device of the second aspect or its first to third possible implementations, and any service network element of the fourth aspect or its first to third possible implementations.
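The three-party method of the first aspect (service network element reports attack information, policy control device maps the attack type to a flow processing policy plus execution policy, SDN controller acts on every flow table entry matching the flow description information), shown as an added Python simulation that is not part of the patent. The class names, the attack-type-to-policy table, the SIP REGISTER-rate detector and the sample five-tuples are assumptions made for this illustration; the five-tuple field order follows the concept list below.

```python
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, int, str, int]   # src ip, src port, proto, dst ip, dst port

class AttackType(Enum):
    NETWORK_LAYER = "network_layer"   # ARP/ICMP/IP/TCP/UDP/IGMP style attacks
    SERVICE_LAYER = "service_layer"   # control, user or management plane attacks

class Action(Enum):                   # the three flow processing policies in the text
    DELETE_FLOW_ENTRY = "delete"
    REDIRECT = "redirect"
    RATE_LIMIT = "rate_limit"

class Schedule(Enum):                 # the three execution policies in the text
    IMMEDIATE = "immediate"
    PERIODIC = "periodic"
    TIME_WINDOW = "time_window"

@dataclass(frozen=True)
class FlowDescription:
    """Flow description information: src_ip is mandatory, the other fields optional."""
    src_ip: str
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, ft: FiveTuple) -> bool:
        # A field left as None is a wildcard; every specified field must be equal.
        wanted = (self.src_ip, self.src_port, self.proto, self.dst_ip, self.dst_port)
        return all(w is None or w == a for w, a in zip(wanted, ft))

@dataclass(frozen=True)
class FlowControlPolicy:
    action: Action      # flow processing policy
    schedule: Schedule  # execution policy

@dataclass
class SDNController:
    """Owns the forwarding-plane flow table and applies a policy to matching entries."""
    flow_table: Dict[FiveTuple, str] = field(default_factory=dict)
    pending: List[Tuple[FlowDescription, FlowControlPolicy]] = field(default_factory=list)

    def handle(self, desc: FlowDescription, policy: FlowControlPolicy) -> int:
        if policy.schedule is not Schedule.IMMEDIATE:
            self.pending.append((desc, policy))   # a real controller would arm a timer
            return 0
        hits = [ft for ft in self.flow_table if desc.matches(ft)]
        for ft in hits:
            if policy.action is Action.DELETE_FLOW_ENTRY:
                del self.flow_table[ft]            # no entry, so the flow is not forwarded
            elif policy.action is Action.REDIRECT:
                self.flow_table[ft] = "sinkhole"   # steer the flow to an analysis port
            else:
                self.flow_table[ft] = "rate_limited"
        return len(hits)                           # number of entries acted on now

@dataclass
class PolicyControlDevice:
    """Maps a reported attack type to a flow control policy and pushes it to the SDN controller."""
    sdn: SDNController
    POLICY_TABLE = {   # assumed operator mapping; the patent leaves its content open
        AttackType.NETWORK_LAYER: FlowControlPolicy(Action.DELETE_FLOW_ENTRY, Schedule.IMMEDIATE),
        AttackType.SERVICE_LAYER: FlowControlPolicy(Action.RATE_LIMIT, Schedule.IMMEDIATE),
    }

    def on_attack_info(self, desc: FlowDescription, attack_type: AttackType) -> int:
        return self.sdn.handle(desc, self.POLICY_TABLE[attack_type])

@dataclass
class ServiceNetworkElement:
    """Parses the signalling it can see and reports attack flows upward."""
    pcd: PolicyControlDevice
    registers: Counter = field(default_factory=Counter)
    REGISTER_THRESHOLD = 20   # assumed: more REGISTERs than this from one IP is a storm

    def receive(self, src_ip: str, sip_method: str) -> Optional[int]:
        """Returns entries acted on, or None when the flow gets normal service processing."""
        if sip_method != "REGISTER":
            return None
        self.registers[src_ip] += 1
        if self.registers[src_ip] <= self.REGISTER_THRESHOLD:
            return None
        # Attack information = flow description (source IP only here) + attack type.
        return self.pcd.on_attack_info(FlowDescription(src_ip=src_ip), AttackType.SERVICE_LAYER)

def demo() -> Dict[FiveTuple, str]:
    """Constructed scenario: two subscribers, one of them floods SIP REGISTER."""
    sdn = SDNController(flow_table={
        ("10.0.0.5", 5060, 17, "192.0.2.10", 5060): "forward",
        ("10.0.0.5", 40000, 17, "192.0.2.20", 10000): "forward",
        ("10.0.0.9", 5060, 17, "192.0.2.10", 5060): "forward",
    })
    ne = ServiceNetworkElement(PolicyControlDevice(sdn))
    for _ in range(21):
        ne.receive("10.0.0.5", "REGISTER")
    return sdn.flow_table   # both 10.0.0.5 entries are now rate_limited, 10.0.0.9 untouched
```

Because the flow description carries only the source IP, every entry from that source is affected, including the media flow on port 40000, while the other subscriber's entry is left alone; a non-immediate execution policy is queued instead of applied.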
For ease of understanding, explanations of some concepts related to the present invention are given below for reference:
Policy and Charging Enforcement Function (PCEF): mainly comprises service data flow detection, policy enforcement and flow-based charging.
Policy and Charging Rules Function (PCRF): the policy and charging control decision point for service data flows and IP bearer resources; it selects and provides the applicable policy and charging control decisions for the PCEF.
Long Term Evolution (LTE): the long-term evolution of the Universal Mobile Telecommunications System (UMTS) technology standard, developed by the 3rd Generation Partnership Project (3GPP).
EPC: Evolved Packet Core, the 4G core network.
Gx interface: an interface defined in the 3GPP standards between the PCEF and the PCRF in an LTE/EPC network, used for charging control and policy control.
Software Defined Network (SDN): a network architecture that separates the control plane of network devices from the data plane, allowing flexible control of network traffic and making the network a more intelligent pipe.
Flow: a network flow, that is, a unidirectional data flow transmitted between a source Internet Protocol (IP) address and a destination IP address over a period of time, all of whose packets share the same five-tuple.
Five-tuple: source IP address, source port number, transport layer protocol number, destination IP address and destination port number.
Service network element: a network element in a communication network whose main processing objects are services (for example voice and media services), such as the Home Location Register (HLR), Home Subscriber Server (HSS), Subscription Profile Repository (SPR) or Application Server (AS) in the core network.
Network layer attack: an attack from an external malicious IP address, mainly including attack types such as Layer 2 Address Resolution Protocol (ARP) attacks, Internet Control Message Protocol (ICMP) attacks, IP attacks, Transmission Control Protocol (TCP) attacks, User Datagram Protocol (UDP) attacks and Internet Group Management Protocol (IGMP) attacks.
Service layer attack: an attack at the service layer on objects the system wants to protect; it may include control plane attacks, user plane attacks and management plane attacks. Control plane attacks may include attacks that consume critical resources, signaling storms, Denial of Service (DoS)/Distributed Denial of Service (DDoS) flood attacks, abnormal registration behavior, malformed messages, illegal media address attacks and information leakage; user plane attacks may include Real-time Transport Protocol (RTP) session injection, bandwidth theft, RTP malformed packet attacks, Message Session Relay Protocol (MSRP) packet attacks, firewall traversal attacks, media codec transcoding consumption, toll fraud and call eavesdropping; management plane attacks may include user account security threats, signaling transmission security threats, access control security threats, Web application security threats, system log management threats, illegal operation threats, data storage loss and service interruption threats.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a basic network architecture provided in the prior art;
FIG. 2 is a schematic diagram of another basic network architecture provided in the prior art;
FIG. 3 is a schematic diagram of a basic network architecture according to an embodiment of the present invention;
FIG. 4 is a flowchart of an attack processing method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a policy control device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an SDN controller according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a service network element according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another policy control device according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of another SDN controller according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of another service network element according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a system according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on these embodiments without creative effort fall within the scope of the present invention.
A schematic diagram of the basic architecture of a communication network is shown in FIG. 1. Data in the network travels between access network 1 and access network 2, with packets routed and forwarded according to IP address; the network between the two access networks may be called the IP bearer network, which is effectively the public network of the network system. At present, referring to FIG. 2, resource control and security policy control of access procedures in the access network, such as wireless access and fixed access, have already been implemented through the Gx interface between the PCRF and PCEFs such as the Packet Data Network Gateway (PGW) and the Broadband Remote Access Server (BRAS).
With the arrival of the fully connected core network era, to guarantee a customized service experience on a per-user, per-service basis, the network needs a policy control center to coordinate and guarantee end-to-end Quality of Service (QoS), communication reliability and communication security.
Referring to FIG. 3, the following embodiments of the present invention add, on top of the existing network architecture shown in FIG. 2, an interface between the PCRF and the SDN controller in the IP bearer network, providing resource control and security policy control for the IP bearer network. Resource control and security policy control of the IP bearer network is thereby added to the existing control of access network resources and security policies, achieving true end-to-end network resource control and security policy control. The PCRF is then upgraded to a centralized, unified, network-wide end-to-end resource and policy control center (Policy Center, PC), the policy control device. In the basic network architecture shown in FIG. 3, after a data flow is sent from the access network of the source end to the IP bearer network, it is processed by the policy control device and the SDN controller in the IP bearer network, then routed and forwarded by IP address to the access network of the destination end and on to the destination.
To address the problem that the existing attack handling mechanism is prone to misoperation, leaving the network vulnerable to security attacks or blocking normal data flows, the following embodiments of the present invention have the service network element automatically identify attack flows in the network and report the flow description information and attack type of each identified attack flow to the policy control device; the policy control device automatically generates the flow control policy corresponding to the attack type and sends the flow description information and the flow control policy to the SDN controller; and the SDN controller processes data flows matching the flow description information of the attack flow according to the flow control policy, so that the attack flow can be blocked on the IP-layer forwarding plane and the network is protected.
The following embodiments are described using the network architecture of FIG. 3 as an example.
Referring to FIG. 4, an embodiment of the present invention provides an attack processing method, which may include:
101. The service network element receives a data flow.
The service network element receives the data flow from the network. The source of the data flow may be any other network element in the network, for example a user equipment (UE), and the data flow may be transmitted through the network in the form of data packets. During transmission, network elements with a data forwarding function parse the IP address and other information in each packet header and forward the packets so that the data flow finally reaches the destination.
102. If the service network element determines that the data flow is an attack flow, it sends attack information corresponding to the attack flow to the policy control device, the attack information including the flow description information of the attack flow and the attack type to which the attack flow belongs.
After receiving the data flow, the service network element can determine whether the received data flow is an attack flow and handle it accordingly. If it is determined to be an attack flow, the service network element can send the attack information corresponding to the attack flow to the policy control device, so that the policy control device determines the corresponding flow processing policy and execution policy from that attack information and carries out attack handling. If the received data flow is not an attack flow, the service network element performs normal service processing.
It should be noted that the firewall in the prior art is responsible for identifying whether the data flows passing through all network elements in the protected internal network are attack flows, and for filtering and forwarding those flows, which places high performance requirements on the firewall device, leading to high deployment cost and possible performance bottlenecks. In the method provided by this embodiment, attack flow identification is distributed across the individual service network elements in the network, so no such performance bottleneck arises.
In step 102, the attack flows that the service network element can identify may include network layer attack flows or service layer attack flows. Of course, the attack flows that the service network element can identify may also include other types, which are not specifically limited here.
Network layer attack flows are usually related to the protocols used in network transmission and usually have fixed attack patterns, for example ARP attacks, ICMP attacks, IP attacks, TCP attacks and UDP attacks, and are therefore easy to identify.
A prior-art firewall can identify network layer attack flows and handle them promptly to protect the internal network and its network elements. However, a firewall has difficulty reaching the signaling layer and the media data layer, so it has difficulty identifying and handling service layer attack flows, and therefore cannot effectively guarantee the security of the protected internal network and its network elements.
In the method provided by this embodiment, the service network element can identify not only network layer attack flows but also service layer attack flows, by parsing signaling messages and media information, and then report the flow description information and attack type of each identified attack flow to the policy control device, so that the policy control device generates the flow control policy corresponding to the attack type. Moreover, the service network element can define custom attack signatures for specific services, allowing it to quickly identify attack flows against those services.
Optionally, the service network element determining that the data flow is a service layer attack flow may include:
若业务网元通过解析所述数据流中的信令消息和媒体信息,确定所述数据流影响到业务层面受保护对象的安全性,则确定所述数据流为业务层攻击流。If the service network element determines that the data flow affects the security of the protected object at the service level by analyzing the signaling message and the media information in the data flow, determining that the data flow is a service layer attack flow.
其中,业务层面受保护对象可以指业务层面中受保护的各项资源,通过保证受保护对象的安全性,可以保证网络中各项业务能够正常运行。业务层面可以包括控制面、用户面和管理面。示例性的,控制面需要保护的对象可以包括系统关键资源、正常业务流、业务逻辑、用户账户、网络拓扑结构信息以及信令内容等;用户面需要保护的对象可以包括正常业务、带宽资源和服务质量等;管理面需要保护的对象可以包括用户账户信息、用户敏感信息、网关数据、日志、传输管道以及认证信息等。The protected object at the service level can refer to the protected resources in the service layer. By ensuring the security of the protected object, all services in the network can be guaranteed to operate normally. The business level can include the control plane, user plane, and management plane. Exemplarily, the object to be protected by the control plane may include system key resources, normal service flow, service logic, user account, network topology information, and signaling content, and the objects to be protected on the user plane may include normal services, bandwidth resources, and Quality of service, etc.; objects that need to be protected by the management plane may include user account information, user sensitive information, gateway data, logs, transmission pipelines, and authentication information.
具体的,业务网元可以通过解析数据流中的信令消息和媒体信息,分析业务层面中受保护的对象是否受到威胁,即分析数据流是否影响到了业务层面中任一受保护的对象的安全性,当任一受保护的对象的安全性受到影响时,可以确定接收到的数据流为攻击流。示例性的,当业务网元通过解析数据流中的信令消息和媒体信息,发现数据流中的会话发起协议(Session Initiation Protocol,SIP)报文发生畸变,例如为超时SIP分片报文、多头域SIP报文或缺少关键字头域的SIP报文等时,使得业务网元在处理这些报文时,可能会出现错误从而导致业务网元对数据一直进行处理,最后甚至导致业务网元出现崩溃,从而使得关键资源、正常业务流等受保护对象受到威胁,因而可以确定接收到的数据流为 业务层攻击流。Specifically, the service network element can analyze whether the protected object in the service layer is threatened by analyzing the signaling message and the media information in the data flow, that is, whether the data flow affects the security of any protected object in the service layer. Sex, when the security of any protected object is affected, it can be determined that the received data stream is an attack stream. Illustratively, when the service network element parses the signaling message and the media information in the data stream, it is found that the Session Initiation Protocol (SIP) packet in the data stream is distorted, for example, a time-out SIP fragment message, If the service network element processes the packets, the service network element may process the packets, and the service network element may process the data all the time. A crash occurs, which protects protected objects such as critical resources and normal traffic, and thus can determine that the received data stream is Business layer attack flow.
再示例性的,若业务网元通过解析信令消息发现,在单位时间段(例如1s)内接收到的初始化消息超过预设条数阈值(例如50条)时,业务网元可以认为单位时间段内接收到的初始化消息数量过多,可能威胁到受保护的正常业务、带宽资源等,从而可以确定正在接收的包含该超过预设条数阈值的初始化消息的数据流为业务层攻击流。Illustratively, if the service network element finds that the initialization message received in the unit time period (for example, 1 s) exceeds the preset number threshold (for example, 50), the service network element can consider the unit time as the unit time. The number of initialization messages received in the segment is too large, which may threaten the protected normal service, bandwidth resources, etc., so that the data stream containing the initialization message exceeding the preset number threshold is received as the service layer attack flow.
若业务网元确定接收的数据流为攻击流,则业务网元还可以确定攻击流对应的攻击信息,并将该攻击信息上报给策略控制设备。该攻击信息可以包括攻击流的流描述信息和攻击流所属的攻击类型。当然,业务网元上报给策略控制设备的攻击信息还可以包括其它内容,这里不予具体限定。If the service network element determines that the received data stream is an attack flow, the service network element may also determine the attack information corresponding to the attack flow, and report the attack information to the policy control device. The attack information may include flow description information of the attack flow and an attack type to which the attack flow belongs. The attack information reported by the service network element to the policy control device may also include other content, which is not specifically limited herein.
其中,攻击流的流描述信息至少可以包括攻击流的源网络协议IP地址,还可以包括以下至少一项:攻击流的目的IP地址、源端口、目的端口和传输层协议号。The flow description information of the attack flow may include at least the source network protocol IP address of the attack flow, and may also include at least one of the following: the destination IP address of the attack flow, the source port, the destination port, and the transport layer protocol number.
攻击流可以分为多种不同的攻击类型,当攻击流的攻击行为是针对IP的恶意攻击时,该攻击流属于网络层攻击;当攻击流的攻击行为是针对业务层面上受保护的对象的攻击时,该攻击流属于业务层攻击。网络层攻击和业务层攻击又可以分别包括多种攻击类型,具体可以参见发明内容中对网络层攻击和业务层攻击的具体描述。业务网元可以根据攻击流的攻击行为所具有的具体攻击特征,确定攻击流所属的具体攻击类型。The attack flow can be divided into multiple types of attacks. When the attack behavior of the attack flow is a malicious attack against IP, the attack flow belongs to the network layer attack; when the attack behavior of the attack flow is directed to the protected object at the service level When attacking, the attack flow belongs to the business layer attack. The network layer attack and the service layer attack can respectively include multiple types of attacks. For details, refer to the detailed description of network layer attacks and service layer attacks. The service network element can determine the specific attack type to which the attack flow belongs according to the specific attack characteristics of the attack behavior of the attack flow.
示例性的,当攻击流为多条信令消息,且信令消息请求超过了业务网元业务层面的各项信令资源的处理能力时,可能导致业务网元出现问题,因而可以确定该攻击流属于业务层攻击中的信令风暴攻击类型。Illustratively, when the attack flow is a plurality of signaling messages, and the signaling message request exceeds the processing capability of the signaling resources of the service network element service layer, the service network element may be in a problem, and thus the attack may be determined. The flow belongs to the type of signaling storm attack in the service layer attack.
示例性的,当业务网元发现数据流中的数据报文包括一定数量的超时SIP分片报文时,超时SIP分片报文可能使得业务网元在处理这些报文时,可能会出现错误从而导致业务网元对数据一直进行处理,最后甚至导致业务网元出现崩溃,从而使得业务层面的关键资源、正常业务流等受保护对象受到威胁,因而超时SIP分片报文属于畸形报文,包含该超时SIP分片报文的数据流属于控制面攻击中的畸形报文攻击类型。Illustratively, when the service network element discovers that the data packet in the data stream includes a certain number of time-out SIP fragmented packets, the time-out SIP fragmentation packet may cause the service network element to generate an error when processing the packet. As a result, the service network element processes the data all the time, and finally the service network element is crashed, so that the protected object such as the key resources and the normal service flow at the service level is threatened. Therefore, the time-out SIP fragment packet is a malformed message. The data flow containing the timeout SIP fragment packet belongs to the malformed packet attack type in the control plane attack.
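The two service layer detections described for step 102 (structurally malformed SIP messages, and a signaling storm of more than 50 initial messages within 1 s), written out as an added example in Python; this is not code from the patent, and the RFC 3261 header checks, the attack type names, the per-source sliding window and the sample INVITE messages are assumptions of the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

# Header fields RFC 3261 requires in every SIP request; the last five may appear only once
MANDATORY_HEADERS = ("Via", "Max-Forwards", "To", "From", "Call-ID", "CSeq")
SINGLE_INSTANCE = ("Max-Forwards", "To", "From", "Call-ID", "CSeq")
# Signaling storm rule from the text: more than 50 initial messages within 1 s
WINDOW_SECONDS = 1.0
INIT_MSG_THRESHOLD = 50

@dataclass(frozen=True)
class FlowDescription:
    """Five-tuple flow description information of the (possible) attack flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # transport layer protocol number, 17 = UDP

@dataclass(frozen=True)
class AttackInfo:
    """Attack information reported to the policy control device (type names assumed)."""
    flow: FlowDescription
    attack_type: str

def parse_sip_headers(raw: str) -> Dict[str, List[str]]:
    """Map header name -> list of values; the request line and any body are skipped."""
    headers: Dict[str, List[str]] = defaultdict(list)
    for line in raw.split("\r\n")[1:]:
        if line == "":  # blank line terminates the header section
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()].append(value.strip())
    return headers

def classify_sip_message(raw: str) -> Optional[str]:
    """Return why the message is malformed, or None if it passes the structural checks."""
    headers = parse_sip_headers(raw)
    for name in MANDATORY_HEADERS:
        if name not in headers:
            return f"missing header {name}"
    for name in SINGLE_INSTANCE:
        if len(headers[name]) > 1:
            return f"duplicated header {name}"
    return None

class ServiceNetworkElement:
    def __init__(self) -> None:
        # sliding window of INVITE timestamps per source IP
        self._invites: Dict[str, Deque[float]] = defaultdict(deque)

    def inspect(self, flow: FlowDescription, raw: str, now: float) -> Optional[AttackInfo]:
        if classify_sip_message(raw) is not None:
            return AttackInfo(flow, "malformed_message")
        if raw.startswith("INVITE "):
            window = self._invites[flow.src_ip]
            window.append(now)
            while now - window[0] > WINDOW_SECONDS:  # expire timestamps older than the window
                window.popleft()
            if len(window) > INIT_MSG_THRESHOLD:
                return AttackInfo(flow, "signaling_storm")
        return None  # not an attack flow: normal service processing

def build_invite(call_id: str, drop: str = "", extra: str = "") -> str:
    """Constructed minimal INVITE; `drop` omits one header, `extra` appends a raw header line."""
    hdrs = [
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776",
        "Max-Forwards: 70",
        "To: <sip:bob@example.com>",
        "From: <sip:alice@example.com>;tag=1928301774",
        f"Call-ID: {call_id}",
        "CSeq: 1 INVITE",
    ]
    if drop:
        hdrs = [h for h in hdrs if not h.startswith(drop + ":")]
    if extra:
        hdrs.append(extra)
    return "INVITE sip:bob@example.com SIP/2.0\r\n" + "\r\n".join(hdrs) + "\r\n\r\n"

def demo() -> Dict[str, object]:
    ne = ServiceNetworkElement()
    alice = FlowDescription("192.0.2.10", "198.51.100.5", 5060, 5060, 17)
    out: Dict[str, object] = {}
    for key, msg, t in (
        ("normal", build_invite("c1"), 0.0),
        ("missing_header", build_invite("c2", drop="Call-ID"), 0.1),
        ("duplicate_header", build_invite("c3", extra="To: <sip:eve@example.com>"), 0.2),
    ):
        r = ne.inspect(alice, msg, now=t)
        out[key] = r.attack_type if r else None
    # A second source sends an INVITE every 10 ms: the 51st within one second trips the rule
    storm = FlowDescription("192.0.2.77", "198.51.100.5", 5060, 5060, 17)
    reports = [(i + 1, r.attack_type) for i in range(100)
               if (r := ne.inspect(storm, build_invite(f"s{i}"), now=1.0 + i * 0.01))]
    out["storm_at_message"], out["storm"] = reports[0] if reports else (None, None)
    return out
```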
It should be noted that in the embodiment of the present invention the attack flows are automatically identified by the service network elements in the network and reported to the policy control device, so that the policy control device can automatically generate, according to the information about the attack flow reported by the service network element, a flow control policy corresponding to the attack flow and its attack type; the flow control policy here is the security policy. It can therefore be more accurate than a manually pre-configured security policy and does not cause erroneous operations due to pre-configuration errors as in the firewall attack handling mechanism, so that attack flows can be accurately blocked while normal data flows are guaranteed to pass safely. Moreover, because the method provided by the embodiment of the present invention requires no manual configuration and maintenance, the handling process is simple and reliable, and its usability is high.
103. The policy control device receives the attack information corresponding to the attack flow sent by the service network element.
The policy control device receives the attack information of the attack flow reported by the service network element; the attack information may include the flow description information of the attack flow and the attack type to which the attack flow belongs. For the description of the flow description information and the attack type, refer to step 102 above.
104. The policy control device determines the flow control policy corresponding to the attack type, where the flow control policy includes a flow processing policy and an execution policy.
The policy control device can determine the flow control policy corresponding to a particular attack type according to the different attack types to which different attack flows belong, that is, the policy control device automatically generates the corresponding security policy according to the attack type. The flow control policy here may include a flow processing policy and an execution policy, and may of course also include other processing policies, which are not specifically limited herein. When the flow control policy includes a flow processing policy and an execution policy, specifically, the policy control device may store a preset mapping between attack types and flow processing policies and execution policies; after the service network element determines the attack type to which the attack flow belongs, the policy control device can generate for that attack flow the flow processing policy and execution policy corresponding to its attack type.
It should be noted that the flow control policy automatically generated by the policy control device according to the attack type of the attack flow is a security policy that corresponds specifically to that attack type, so attack flows of different attack types can each be handled better by a dedicated security policy. In the existing firewall attack handling mechanism, however, no dedicated security policy is configured for different attack types; instead a pre-configured generic security policy is used to handle all attack types, so the attack defense effect is poor.
The flow processing policy is used to handle the attack flow. Optionally, the flow processing policy may include deleting the flow table corresponding to the data flows that match the flow description information of the attack flow, redirecting the data flows that match the flow description information of the attack flow, or limiting the traffic of the data flows that match the flow description information of the attack flow. Exemplarily, for the malicious message attack type, the flow table corresponding to the data flows matching the flow description information of the attack flow may be deleted by adding a blacklist; for the malformed message attack type, the flow table corresponding to the matching data flows may likewise be deleted and subsequent messages refused; for the signaling storm attack type, traffic control may be applied to limit the traffic of the matching data flows; and for bandwidth theft attacks, limiting the traffic of the matching data flows may also be adopted.
The execution policy is used to describe the specific manner in which the flow processing policy is executed. Optionally, the execution policy may include executing the flow processing policy immediately, periodically, or within a specific time period.
It should be noted that, in addition to corresponding to the attack type, the specific flow processing policy and execution policy may also be customized on the policy control device side according to the personalized requirements of a single user and the personalized characteristics of a single service, so that attack flows are handled in a personalized way and a customized service experience per user and per service is met. The firewall attack handling mechanism in the prior art, by contrast, handles attack flows with a generic security policy and cannot provide personalized handling for a specific user or a specific service.
105. The policy control device sends the flow description information and the flow control policy of the attack flow to the software-defined network (SDN) controller, so that the SDN controller handles, according to the flow control policy, the data flows that match the flow description information of the attack flow.
The policy control device can send the flow description information and flow control policy of the attack flow to the SDN controller through the interface between the policy control device and the SDN controller in the architecture shown in FIG. 3, so that the SDN controller promptly handles, according to the flow control policy, the data flows that match the flow description information of the attack flow.
106. The SDN controller receives the flow description information and the flow control policy of the attack flow sent by the policy control device, where the flow control policy includes a flow processing policy and an execution policy.
The SDN controller receives the flow description information and flow control policy of the attack flow sent by the policy control device through the interface with the policy control device. For the flow description information, refer to the description in step 102 above; for the flow control policy, flow processing policy and execution policy, refer to the description in step 104 above.
107. The SDN controller handles, according to the flow control policy, the data flows that match the flow description information of the attack flow.
In this step, the SDN controller can handle, according to the received flow control policy, the data flows that match the flow description information of the attack flow, so that the data flows reaching the back-end network and back-end network elements through the SDN controller are normal communication data flows.
Optionally, the flow description information of the attack flow includes at least the source IP address of the attack flow, and step 107 may specifically include:
The service network element handles, according to the flow control policy, the data flows whose source IP address is the source IP address in the flow description information of the attack flow.
Because an attack flow is usually an aggressive, continuous data flow, once the source IP address in the flow description information of the attack flow has been determined, the data flows subsequently sent from that IP address may also be attack flows. The SDN controller can therefore promptly handle the data flows sent from that IP address according to the received flow control policy, preventing the back-end network and back-end network elements of the SDN controller from continuing to be attacked. The network elements behind the SDN controller may include service network elements and may also include other network elements.
Exemplarily, taking a flow control policy that includes a flow processing policy and an execution policy, if the source IP address of the attack flow included in the flow description information is IP address 1 and the attack type of the attack flow is a SIP malformed message attack, then the messages in the data flows subsequently sent from IP address 1 to any service network element in the network may also be SIP malformed messages and may attack the destination network element. The SDN controller can therefore immediately (execution policy) delete the flow table (flow processing policy) so as to refuse the messages subsequently sent from IP address 1. The attack messages sent from IP address 1 then cannot reach the SDN controller, let alone the service network elements behind it, which prevents the back-end network and back-end network elements of the SDN controller from continuing to suffer attacks from IP address 1.
Further, the flow description information of the attack flow may also include at least one of the following: the source port, destination port and transport layer protocol number of the attack flow.
Optionally, the flow description information of the attack flow includes the source IP address and destination IP address of the attack flow, and step 107 may specifically include:
The service network element handles, according to the flow control policy, the data flows whose source IP address is the source IP address in the flow description information of the attack flow and whose destination IP address is the destination IP address in the flow description information of the attack flow.
Because an attack flow is usually an aggressive, continuous data flow, once the source IP address and destination IP address in the flow description information of the attack flow have been determined, the data flows subsequently sent from that source IP address to that destination IP address are also very likely to be attack flows. The SDN controller can therefore promptly handle the data flows sent from that source IP address to that destination IP address according to the received flow control policy, thereby blocking the attacks of the attack flow sent from that source IP address on the back-end network and back-end network elements of the SDN controller.
Optionally, the flow description information of the attack flow includes the five-tuple of the attack flow, and step 107 may specifically include:
The service network element handles, according to the flow control policy, the data flows whose source IP address is the source IP address in the flow description information of the attack flow, whose source port is the source port in the flow description information of the attack flow, whose destination IP address is the destination IP address in the flow description information of the attack flow, whose destination port is the destination port in the flow description information of the attack flow, and whose transport layer protocol number is the transport layer protocol number in the flow description information of the attack flow.
Because an attack flow is usually an aggressive, continuous data flow, once the five-tuple in the flow description information of the attack flow has been determined, the data flows in the network corresponding to that five-tuple are very likely to be attack flows. The SDN controller can therefore promptly handle the data flows matching that five-tuple according to the received flow control policy, preventing the attack flow corresponding to that five-tuple from continuing to attack the back-end network and back-end network elements of the SDN controller.
In this step, the SDN controller promptly handles, according to the flow control policy delivered by the policy control device, the data flows matching the flow description information of the attack flow, and can block the attack flow at the IP layer forwarding plane, thereby protecting the back-end network and back-end network elements of the SDN controller. Specifically, because the SDN controller handles the attack flow at the IP layer forwarding plane, the attack flow is handled by the SDN controller as soon as it enters the IP bearer network from the source end, so it does not consume bandwidth in the back-end network and back-end network elements of the SDN controller, which reduces the operator's network bandwidth consumption and improves network transmission performance. In the firewall attack handling mechanism of the prior art, the firewall can isolate the identified attack flow outside the firewall, but the attack flow still consumes the physical bandwidth of the IP bearer network and network elements outside the firewall.
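Steps 104 to 107 as an added example in Python, not the patent's own code: a policy control device that maps the reported attack type to a flow processing policy and an execution policy through a preset table, and an SDN controller that applies the policy to data flows matched by source IP only, by source and destination IP, or by the full five-tuple, with the time-period execution policy honoured at match time. The attack type names, the rate limits, the time window parameters and the sample flows are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

class FlowProcessing(Enum):  # flow processing policy (step 104)
    DELETE_FLOW_TABLE = "delete_flow_table"
    REDIRECT = "redirect"
    RATE_LIMIT = "rate_limit"

class Execution(Enum):  # execution policy (step 104)
    IMMEDIATE = "immediate"
    PERIODIC = "periodic"
    TIME_WINDOW = "time_window"

@dataclass(frozen=True)
class FlowControlPolicy:
    processing: FlowProcessing
    execution: Execution
    rate_kbps: Optional[int] = None            # parameter for RATE_LIMIT (assumed)
    window: Optional[Tuple[int, int]] = None   # (start_hour, end_hour) for TIME_WINDOW (assumed)

@dataclass(frozen=True)
class FlowDescription:
    """Flow description information; a None field was not reported and matches anything."""
    src_ip: str
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, pkt: "FlowDescription") -> bool:
        """Source-IP-only, source+destination and full five-tuple matching all reduce to this."""
        return all(
            getattr(self, f) is None or getattr(self, f) == getattr(pkt, f)
            for f in ("src_ip", "dst_ip", "src_port", "dst_port", "proto")
        )

# Preset attack type -> policy mapping held by the policy control device, following the
# examples in the text; the type names and numeric limits are constructed.
POLICY_TABLE: Dict[str, FlowControlPolicy] = {
    "malicious_message": FlowControlPolicy(FlowProcessing.DELETE_FLOW_TABLE, Execution.IMMEDIATE),
    "malformed_message": FlowControlPolicy(FlowProcessing.DELETE_FLOW_TABLE, Execution.IMMEDIATE),
    "signaling_storm": FlowControlPolicy(FlowProcessing.RATE_LIMIT, Execution.IMMEDIATE, rate_kbps=64),
    "bandwidth_theft": FlowControlPolicy(FlowProcessing.RATE_LIMIT, Execution.PERIODIC, rate_kbps=512),
}

class SdnController:
    def __init__(self) -> None:
        self.rules: List[Tuple[FlowDescription, FlowControlPolicy]] = []

    def install(self, flow: FlowDescription, policy: FlowControlPolicy) -> None:
        """Step 106: store the flow description and flow control policy received from the PCD."""
        self.rules.append((flow, policy))

    def forward(self, pkt: FlowDescription, hour: int = 12) -> str:
        """Step 107: action taken for a packet of flow `pkt` at the given hour of day."""
        for flow, policy in self.rules:
            if not flow.matches(pkt):
                continue
            if policy.execution is Execution.TIME_WINDOW and policy.window is not None:
                start, end = policy.window
                if not start <= hour < end:
                    continue  # rule is not in force outside its time period
            if policy.processing is FlowProcessing.DELETE_FLOW_TABLE:
                return "drop"  # flow table deleted: subsequent packets are refused
            if policy.processing is FlowProcessing.RATE_LIMIT:
                return f"rate_limit:{policy.rate_kbps}kbps"
            return "redirect"
        return "forward"  # no matching rule: normal forwarding

class PolicyControlDevice:
    def on_attack_info(self, flow: FlowDescription, attack_type: str,
                       sdn: SdnController) -> Optional[FlowControlPolicy]:
        """Steps 104 and 105: map the reported attack type to a policy and push it to the SDN controller."""
        policy = POLICY_TABLE.get(attack_type)
        if policy is not None:
            sdn.install(flow, policy)
        return policy  # None for an attack type without a preset policy

def demo() -> Dict[str, str]:
    sdn, pcd = SdnController(), PolicyControlDevice()
    # Source-IP-only description (the "IP address 1" case): everything from that host is dropped
    pcd.on_attack_info(FlowDescription("192.0.2.10"), "malformed_message", sdn)
    # Full five-tuple description: only that exact signaling flow is rate limited
    pcd.on_attack_info(FlowDescription("192.0.2.20", "198.51.100.5", 5060, 5060, 17), "signaling_storm", sdn)
    # A per-user customized policy: redirect one host's traffic only between 00:00 and 06:00
    sdn.install(FlowDescription("192.0.2.40"),
                FlowControlPolicy(FlowProcessing.REDIRECT, Execution.TIME_WINDOW, window=(0, 6)))
    return {
        "attacker_any_dst": sdn.forward(FlowDescription("192.0.2.10", "198.51.100.9", 40000, 5060, 17)),
        "storm_exact": sdn.forward(FlowDescription("192.0.2.20", "198.51.100.5", 5060, 5060, 17)),
        "storm_other_port": sdn.forward(FlowDescription("192.0.2.20", "198.51.100.5", 5061, 5060, 17)),
        "normal": sdn.forward(FlowDescription("192.0.2.30", "198.51.100.5", 5060, 5060, 17)),
        "window_in": sdn.forward(FlowDescription("192.0.2.40", "198.51.100.5", 5060, 5060, 17), hour=3),
        "window_out": sdn.forward(FlowDescription("192.0.2.40", "198.51.100.5", 5060, 5060, 17), hour=12),
    }
```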
综上所述,本发明实施例提供的方法可以提升SDN控制器后端网络及后端网元的防攻击能力,尤其是核心网中的网元的防攻击能力。由于核心网在网络中的影响范围较大,因而提升核心网中的网元的防攻击能力具有较大的价值和意义。In summary, the method provided by the embodiment of the present invention can improve the attack defense capability of the back-end network and the back-end network element of the SDN controller, especially the attack defense capability of the network element in the core network. Since the core network has a large influence range in the network, it is of great value and significance to improve the anti-attack capability of the network element in the core network.
此外,本发明实施例提供的方法可以在现有Gx接口的基础上,打通了策略控制设备与SDN控制器之间的接口,实现了端到端的网络资源(空口、IP数据流)策略控制,包括Qos策略控制、IP数据流路径调整策略控制、攻击流处理策略控制等。并且,由于流控制策略可以在处理过程中自动生成,因而可以根据单用户单业务的业务需求,生成适合特定用户的个性化安全策略并自动执行。In addition, the method provided by the embodiment of the present invention can open the interface between the policy control device and the SDN controller on the basis of the existing Gx interface, and implement end-to-end network resource (air interface, IP data flow) policy control. Including QoS policy control, IP data flow path adjustment policy control, attack flow processing policy control, etc. Moreover, since the flow control policy can be automatically generated during the process, a personalized security policy suitable for a specific user can be generated and automatically executed according to the service requirements of the single-user single service.
本发明实施例提供的攻击处理方法,通过业务网元自动识别网络中的攻击流,并将已识别的攻击流的流描述信息和攻击类型上报给策略控制设备,策略控制设备自动生成与攻击类型对应的流控制策略,并将攻击流的流描述信息和流控制策略发送给SDN控制器,SDN控制器根据流控制策略对符合攻击流的流描述信息的数据流进行处理,从而可以从IP层转发面阻断攻击流,达到保护SDN控制器后端网络及后端网元的目的,因而能够解决由于现有攻击处理机制容易出现误操作,从而使得网络容易受到安全攻击或者正常数据流被阻断的问题。The attack processing method provided by the embodiment of the present invention automatically identifies the attack flow in the network by the service network element, and reports the flow description information and the attack type of the identified attack flow to the policy control device, and the policy control device automatically generates and attacks the attack type. Corresponding flow control policy, and sending the flow description information and the flow control policy of the attack flow to the SDN controller, and the SDN controller processes the data flow conforming to the flow description information of the attack flow according to the flow control policy, so that the IP layer can be processed from the IP layer. The forwarding plane blocks the attack flow and protects the back-end network and the back-end network element of the SDN controller. Therefore, it can solve the problem that the existing attack processing mechanism is prone to misoperation, so that the network is vulnerable to security attacks or the normal data flow is blocked. Broken problem.
本发明另一实施例提供一种策略控制设备500,参见图5,该策略控制设备500可以包括:Another embodiment of the present invention provides a policy control device 500. Referring to FIG. 5, the policy control device 500 may include:
接收单元501,可以用于接收业务网元发送的攻击流对应的攻击信息,攻击信息包括攻击流的流描述信息和攻击流所属的攻击类型。The receiving unit 501 is configured to receive attack information corresponding to the attack flow sent by the service network element, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs.
确定单元502,可以用于确定接收单元501接收的攻击类型对应的流控制策略,流控制策略包括流处理策略和执行策略。The determining unit 502 is configured to determine a flow control policy corresponding to the attack type received by the receiving unit 501, where the flow control policy includes a flow processing policy and an execution policy.
发送单元503,可以用于将接收单元501接收的攻击流的流描述信息和确定单元502确定的流控制策略发送给软件定义网络SDN控制器,以便于SDN控制器根据流控制策略,对符合攻击流的流描述信息的数据流进行处理。The sending unit 503 is configured to send the flow description information of the attack flow received by the receiving unit 501 and the flow control policy determined by the determining unit 502 to the software-defined network SDN controller, so that the SDN controller matches the attack according to the flow control policy. The stream of stream description information is processed.
SDN控制器根据流控制策略对符合攻击流的流描述信息的数据流进行处理,可以从IP层转发面阻断攻击流,达到保护SDN控制器后端网络及后端网元的目的。The SDN controller processes the data flow that conforms to the flow description information of the attack flow according to the flow control policy, and blocks the attack flow from the IP layer forwarding plane to achieve the purpose of protecting the back-end network and the back-end network element of the SDN controller.
其中,攻击流的流描述信息至少可以包括攻击流的源网络协议IP地址,还可以包括以下至少一项:攻击流的目的IP地址、源端口、目的端口和传输层协议号。 The flow description information of the attack flow may include at least the source network protocol IP address of the attack flow, and may also include at least one of the following: the destination IP address of the attack flow, the source port, the destination port, and the transport layer protocol number.
这里的流处理策略可以包括删除符合攻击流的流描述信息的数据流对应的流表,重定向符合攻击流的流描述信息的数据流,或者限制符合攻击流的流描述信息的数据流的流量。The flow processing policy herein may include deleting a flow table corresponding to the data flow corresponding to the flow description information of the attack flow, redirecting the data flow conforming to the flow description information of the attack flow, or limiting the traffic of the data flow conforming to the flow description information of the attack flow. .
其中的执行策略可以包括立即执行、周期执行或在特定时段内执行流处理策略。The execution strategy may include immediate execution, periodic execution, or execution of a flow processing policy within a specific time period.
本发明实施例提供的一种策略控制设备,通过接收业务网元发送的攻击流的攻击信息,并根据攻击信息中的攻击类型确定对应的流控制策略,并将流控制策略和攻击信息中的流描述信息发送给SDN控制器,以使得SDN控制器可以根据流控制策略对符合攻击流的流描述信息的数据流进行处理,从而可以从IP层转发面阻断攻击流,达到保护SDN控制器后端网络及后端网元的目的,避免由于人工预先设置安全策略容易出现误操作而导致的安全问题。The policy control device provided by the embodiment of the present invention receives the attack information of the attack flow sent by the service network element, and determines the corresponding flow control policy according to the attack type in the attack information, and the flow control policy and the attack information are The flow description information is sent to the SDN controller, so that the SDN controller can process the data flow conforming to the flow description information of the attack flow according to the flow control policy, so that the attack flow can be blocked from the IP layer forwarding plane to protect the SDN controller. The purpose of the back-end network and the back-end network element is to avoid security problems caused by manual pre-set security policies that are prone to misuse.
Another embodiment of the present invention provides a software-defined network (SDN) controller 600. Referring to FIG. 6, the SDN controller 600 may include:
A receiving unit 601, configured to receive the flow description information and flow control policy of an attack flow sent by the policy control device, where the flow control policy includes a flow processing policy and an execution policy.
The flow control policy that the receiving unit 601 of the SDN controller 600 receives from the policy control device is one that the policy control device determined according to the attack type of the attack flow reported by the service network element, and the flow description information of the attack flow that the receiving unit 601 receives from the policy control device was itself received by the policy control device from the service network element.
A processing unit 602, configured to process, according to the flow control policy received by the receiving unit 601, data flows matching the flow description information of the attack flow received by the receiving unit 601.
By processing data flows matching the flow description information of the attack flow according to the flow control policy, the SDN controller 600 can block the attack flow on the IP-layer forwarding plane and protect the network and network elements behind the SDN controller 600.
Optionally, the flow description information of the attack flow includes at least the source Internet Protocol (IP) address of the attack flow, and the processing unit 602 may specifically be configured to:
process, according to the flow control policy, data flows whose source IP address is the source IP address in the flow description information of the attack flow.
Here the flow description information of the attack flow may further include at least one of the following: the source port, the destination port and the transport-layer protocol number of the attack flow.
The SDN controller provided by this embodiment receives the flow control policy and flow description information of an attack flow sent by the policy control device and processes data flows matching that flow description information according to the flow control policy. The attack flow can thus be blocked on the IP-layer forwarding plane, protecting the network and network elements behind the SDN controller and avoiding the security problems caused by manually pre-configured security policies, which are prone to operator error.
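The following is an added example and not code from the patent or from the applicant. It models the two roles described above: the policy control device mapping a reported attack type to a flow control policy (flow processing policy plus execution policy), and the SDN controller applying that policy to every flow-table entry matching the attack flow's flow description information, with the source IP address as the mandatory match field and the other fields as optional wildcards. The attack type names, the policy table, the flow-table model, the sink address and the sample flows are assumptions constructed for the example.

```python
"""Added example, not code from the patent: a policy control device mapping an
attack type to a flow control policy, and an SDN controller applying that policy
to the flow-table entries matching the attack flow's flow description.
The attack type names, the policy table, the flow-table model and the sample
flows are assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowDescription:
    """Flow description information: the source IP is mandatory, the other
    fields are optional and act as wildcards when left unset."""
    src_ip: str
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None  # transport-layer protocol number (6 = TCP, 17 = UDP)

    def matches(self, entry: "FlowDescription") -> bool:
        """True when every field set in this (attack) description equals the
        corresponding field of the flow-table entry."""
        for name in ("src_ip", "dst_ip", "src_port", "dst_port", "proto"):
            want = getattr(self, name)
            if want is not None and want != getattr(entry, name):
                return False
        return True


@dataclass(frozen=True)
class FlowControlPolicy:
    processing: str            # flow processing policy: "delete", "redirect" or "rate_limit"
    execution: str             # execution policy: "immediate", "periodic" or "time_window"
    start: int = 0             # window bounds in seconds, only used for "time_window"
    end: int = 0
    redirect_to: Optional[str] = None
    rate_kbps: Optional[int] = None


# Policy control device: attack type -> flow control policy (assumed table).
POLICY_TABLE = {
    "syn_flood": FlowControlPolicy("delete", "immediate"),
    "register_flood": FlowControlPolicy("rate_limit", "immediate", rate_kbps=64),
    "media_scan": FlowControlPolicy("redirect", "time_window", 0, 600,
                                   redirect_to="10.0.0.250"),  # assumed sink address
}


def determine_policy(attack_type: str) -> FlowControlPolicy:
    """Look the reported attack type up. An unknown type gets a rate limit rather
    than a delete, so a mislabelled report cannot black-hole legitimate traffic."""
    return POLICY_TABLE.get(attack_type,
                            FlowControlPolicy("rate_limit", "immediate", rate_kbps=256))


class SdnController:
    """Minimal flow table: FlowDescription -> action string (assumed model)."""

    def __init__(self) -> None:
        self.table: dict[FlowDescription, str] = {}

    def install(self, fd: FlowDescription, action: str = "forward") -> None:
        self.table[fd] = action

    def apply(self, attack_fd: FlowDescription, policy: FlowControlPolicy,
              now: int = 0) -> list[str]:
        """Process every entry matching the attack flow description according to
        the flow control policy. Returns an audit list of the changes made."""
        if policy.execution == "time_window" and not policy.start <= now <= policy.end:
            return []  # outside the window the policy is held and nothing changes
        changes = []
        for entry in list(self.table):
            if not attack_fd.matches(entry):
                continue
            label = f"{entry.src_ip}->{entry.dst_ip}"
            if policy.processing == "delete":
                del self.table[entry]
                changes.append(f"deleted {label}")
            elif policy.processing == "redirect":
                self.table[entry] = f"redirect:{policy.redirect_to}"
                changes.append(f"redirected {label}")
            elif policy.processing == "rate_limit":
                self.table[entry] = f"meter:{policy.rate_kbps}kbps"
                changes.append(f"rate-limited {label}")
        return changes


def handle_attack(ctrl: SdnController, src_ip: str, attack_type: str,
                  now: int = 0, **fields) -> list[str]:
    """One complete report: attack info in, flow-table changes out."""
    return ctrl.apply(FlowDescription(src_ip, **fields), determine_policy(attack_type), now)


def demo():
    ctrl = SdnController()
    ctrl.install(FlowDescription("198.51.100.7", "10.0.0.10", 40000, 5060, 17))
    ctrl.install(FlowDescription("198.51.100.7", "10.0.0.11", 40001, 443, 6))
    ctrl.install(FlowDescription("203.0.113.9", "10.0.0.10", 40002, 5060, 17))
    # A source-IP-only description matches both flows from 198.51.100.7.
    first = handle_attack(ctrl, "198.51.100.7", "syn_flood")
    # A more specific description touches only the one SIP flow from 203.0.113.9.
    second = handle_attack(ctrl, "203.0.113.9", "register_flood", dst_port=5060, proto=17)
    return first, second, ctrl.table


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. A source-IP-only flow description is the broadest match the page allows and removes every flow from that source, so the policy table pairs it with the more reversible actions where possible; the fallback for an unrecognised attack type is a rate limit rather than a delete for the same reason. "Periodic" execution is treated like "immediate" here because the page does not specify a period; the "time_window" branch shows the execution policy gating whether the processing policy is applied at all.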
Another embodiment of the present invention provides a service network element 700. Referring to FIG. 7, the service network element 700 may include:
A receiving unit 701, configured to receive a data flow.
A determining unit 702, configured to determine whether the data flow received by the receiving unit 701 is an attack flow.
The attack flow may be a network-layer attack flow or a service-layer attack flow.
A sending unit 703, configured to, when the determining unit 702 determines that the data flow is an attack flow, send the attack information corresponding to the attack flow to the policy control device, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs.
By having the sending unit 703 send the attack information of the identified attack flow to the policy control device, the service network element 700 enables the policy control device to determine the corresponding flow control policy according to the attack type in the attack information and to send the flow control policy together with the flow description information from the attack information to the SDN controller, so that the SDN controller can process data flows matching that flow description information according to the flow control policy, blocking the attack flow on the IP-layer forwarding plane and protecting the network and network elements behind the SDN controller.
Optionally, the determining unit 702 determining that the data flow is a service-layer attack flow may specifically include:
if, by parsing the signaling messages and media information in the data flow, it is determined that the data flow affects the security of a protected object at the service level, determining that the data flow is a service-layer attack flow, where the service level includes the control plane, the user plane and the management plane.
Here the flow description information of the attack flow includes at least the source IP address of the attack flow and may further include at least one of: the destination IP address, the source port, the destination port and the transport-layer protocol number.
The service network element provided by this embodiment, after determining that a data flow is an attack flow, sends the attack information corresponding to the attack flow to the policy control device, so that the policy control device can determine the corresponding flow control policy according to the attack type in the attack information and send the flow control policy together with the flow description information from the attack information to the SDN controller, and the SDN controller can in turn process data flows matching that flow description information according to the flow control policy. The attack flow can thus be blocked on the IP-layer forwarding plane, protecting the network and network elements behind the SDN controller and avoiding the security problems caused by manually pre-configured security policies, which are prone to operator error.
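The following is an added example and not code from the patent or from the applicant. It shows the service network element side of the method: classifying received traffic as a network-layer attack flow (a per-source SYN count) or a service-layer attack flow (parsed signaling messages hitting a protected control-plane object), and building the attack information, flow description plus attack type, that is reported to the policy control device. The thresholds, the SIP-style request-line format, the attack type names and the sample packets are assumptions constructed for the example; media information is not inspected here.

```python
"""Added example, not code from the patent: a service network element deciding
whether received traffic is a network-layer or a service-layer attack flow and
building the attack information (flow description plus attack type) to report
to the policy control device. The thresholds, the SIP-style request-line
format, the attack type names and the sample packets are assumptions
constructed for this example; media information is not inspected here."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int            # transport-layer protocol number
    flags: str = ""       # TCP flags, "S" for a bare SYN
    payload: str = ""     # first line of any signaling message carried


SYN_PER_SRC_LIMIT = 50        # network-layer threshold (assumed)
REGISTER_PER_SRC_LIMIT = 20   # control-plane threshold (assumed)


def parse_signaling(payload: str) -> Optional[tuple]:
    """Parse a SIP-style request line 'METHOD sip:target SIP/2.0' (assumed
    format). Returns (method, target), or None if the payload is not signaling."""
    parts = payload.split()
    if len(parts) == 3 and parts[2].startswith("SIP/"):
        return parts[0].upper(), parts[1]
    return None


def attack_info(src_ip: str, layer: str, attack_type: str,
                sample: Optional[Packet] = None) -> dict:
    """Flow description information always carries the source IP; the full
    five-tuple is added when the decision was tied to one signaling flow."""
    fd = {"src_ip": src_ip}
    if sample is not None:
        fd.update(dst_ip=sample.dst_ip, src_port=sample.src_port,
                  dst_port=sample.dst_port, proto=sample.proto)
    return {"flow_description": fd, "layer": layer, "attack_type": attack_type}


def classify(packets: list, protected_hosts: set) -> list:
    """Return one attack information record per offending source."""
    syn_count: Counter = Counter()
    register_count: Counter = Counter()
    register_sample: dict = {}
    for p in packets:
        if p.proto == 6 and p.flags == "S":
            syn_count[p.src_ip] += 1
        sig = parse_signaling(p.payload)
        if sig and sig[0] == "REGISTER" and p.dst_ip in protected_hosts:
            register_count[p.src_ip] += 1
            register_sample.setdefault(p.src_ip, p)
    reports = []
    for src, n in syn_count.items():
        if n > SYN_PER_SRC_LIMIT:
            reports.append(attack_info(src, "network_layer", "syn_flood"))
    for src, n in register_count.items():
        if n > REGISTER_PER_SRC_LIMIT:
            reports.append(attack_info(src, "service_layer", "register_flood",
                                       register_sample[src]))
    return reports


def constructed_traffic() -> list:
    """Constructed sample: one SYN flooder, one REGISTER flooder, one normal user."""
    pk = [Packet("198.51.100.7", "10.0.0.11", 40000 + i, 443, 6, flags="S")
          for i in range(60)]
    pk += [Packet("203.0.113.9", "10.0.0.10", 5060, 5060, 17,
                  payload="REGISTER sip:10.0.0.10 SIP/2.0") for _ in range(25)]
    pk.append(Packet("192.0.2.4", "10.0.0.10", 5060, 5060, 17,
                     payload="REGISTER sip:10.0.0.10 SIP/2.0"))
    pk += [Packet("192.0.2.4", "10.0.0.11", 50000 + i, 443, 6, flags="S")
           for i in range(3)]
    return pk


def demo() -> list:
    return classify(constructed_traffic(), protected_hosts={"10.0.0.10"})


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The network-layer report carries only the source IP, which is the minimum the page requires and is what a SYN flood from spoofable source ports actually warrants; the service-layer report fills in the five-tuple because the decision was made on one specific signaling flow to a protected registrar, and reporting the narrower description lets the policy control device and SDN controller act on that flow without touching the same source's unrelated traffic.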
Another embodiment of the present invention provides a policy control device 800. Referring to FIG. 8, the policy control device 800 may adopt a general-purpose computer system architecture and may include a bus 801, a processor 802, a memory 803 and a communication interface 804. The bus 801 includes a path for transferring information between the components of the computer; the memory 803 is used to store an operating system and the program that implements the solution of the present invention. The operating system is the program that controls the running of other programs and manages system resources. The program code that implements the solution of the present invention is stored in the memory 803 and its execution is controlled by the processor 802.
Specifically, in this embodiment the communication interface 804 may be configured to receive the attack information corresponding to an attack flow sent by the service network element, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs; the processor 802 may be configured to determine the corresponding flow control policy based on the flow description information and the attack type, where the flow control policy includes a flow processing policy and an execution policy; and the communication interface 804 may further be configured to send the flow description information of the attack flow and the flow control policy to the software-defined network (SDN) controller, so that the SDN controller processes data flows matching the flow description information of the attack flow according to the flow control policy.
The policy control device provided by this embodiment receives the attack information of an attack flow sent by the service network element, determines the corresponding flow control policy according to the attack type in the attack information, and sends the flow control policy together with the flow description information from the attack information to the SDN controller, so that the SDN controller can process data flows matching the flow description information of the attack flow according to the flow control policy. The attack flow can thus be blocked on the IP-layer forwarding plane, protecting the network and network elements behind the SDN controller and avoiding the security problems caused by manually pre-configured security policies, which are prone to operator error.
Another embodiment of the present invention provides a software-defined network (SDN) controller 900. Referring to FIG. 9, the SDN controller 900 may adopt a general-purpose computer system architecture and may include a bus 901, a processor 902, a memory 903 and a communication interface 904. The bus 901 includes a path for transferring information between the components of the computer; the memory 903 is used to store an operating system and the program that implements the solution of the present invention. The operating system is the program that controls the running of other programs and manages system resources. The program code that implements the solution of the present invention is stored in the memory 903 and its execution is controlled by the processor 902.
Specifically, in this embodiment the communication interface 904 may be configured to receive the flow description information and flow control policy of an attack flow sent by the policy control device, where the flow control policy includes a flow processing policy and an execution policy; and the processor 902 may be configured to process, according to the flow control policy, data flows matching the flow description information of the attack flow.
The SDN controller provided by this embodiment receives the flow control policy and flow description information of an attack flow sent by the policy control device and processes data flows matching that flow description information according to the flow control policy. The attack flow can thus be blocked on the IP-layer forwarding plane, protecting the network and network elements behind the SDN controller and avoiding the security problems caused by manually pre-configured security policies, which are prone to operator error.
Another embodiment of the present invention provides a service network element 1000. Referring to FIG. 10, the service network element 1000 may adopt a general-purpose computer system architecture and may include a bus 1001, a processor 1002, a memory 1003 and a communication interface 1004. The bus 1001 includes a path for transferring information between the components of the computer; the memory 1003 is used to store an operating system and the program that implements the solution of the present invention. The operating system is the program that controls the running of other programs and manages system resources. The program code that implements the solution of the present invention is stored in the memory 1003 and its execution is controlled by the processor 1002.
Specifically, in this embodiment the communication interface 1004 may be configured to receive a data flow; the processor 1002 may be configured to determine whether the data flow is an attack flow; and the communication interface 1004 may further be configured to, if the data flow is determined to be an attack flow, send the attack information corresponding to the attack flow to the policy control device, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs.
The service network element provided by this embodiment, after determining that a data flow is an attack flow, sends the attack information corresponding to the attack flow to the policy control device, so that the policy control device can determine the corresponding flow control policy according to the attack type in the attack information and send the flow control policy together with the flow description information from the attack information to the SDN controller, and the SDN controller can in turn process data flows matching that flow description information according to the flow control policy. The attack flow can thus be blocked on the IP-layer forwarding plane, protecting the network and network elements behind the SDN controller and avoiding the security problems caused by manually pre-configured security policies, which are prone to operator error.
A further embodiment of the present invention provides a system 1100. Referring to FIG. 11, the system 1100 may include the policy control device shown in FIG. 5 or FIG. 8, the SDN controller shown in FIG. 6 or FIG. 9, and the service network element shown in FIG. 7 or FIG. 10.
It should be noted that in the devices with the structures shown in FIG. 8, FIG. 9 and FIG. 10, the processors 802, 902 and 1002 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the above solution of the present invention.
The memories 803, 903 and 1003 may be read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, or magnetic disk storage.
The communication interfaces 804, 904 and 1004 may include a receiving interface and a sending interface and may use any transceiver-type apparatus to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN) or a wireless local area network (WLAN).
In the several embodiments provided in this application, it should be understood that the disclosed devices, methods and systems may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (23)

  1. An attack handling method, comprising:
    receiving attack information corresponding to an attack flow sent by a service network element, the attack information comprising flow description information of the attack flow and an attack type to which the attack flow belongs;
    determining, based on the flow description information and the attack type, a corresponding flow control policy, the flow control policy comprising a flow processing policy and an execution policy;
    sending the flow description information of the attack flow and the flow control policy to a software-defined network (SDN) controller, so that the SDN controller processes, according to the flow control policy, data flows matching the flow description information of the attack flow.
  2. The method according to claim 1, wherein the flow description information of the attack flow comprises at least a source Internet Protocol (IP) address of the attack flow and further comprises at least one of: a destination IP address, a source port, a destination port and a transport-layer protocol number of the attack flow.
  3. The method according to claim 1, wherein the flow processing policy comprises deleting a flow table entry corresponding to a data flow matching the flow description information of the attack flow, redirecting a data flow matching the flow description information of the attack flow, or rate-limiting a data flow matching the flow description information of the attack flow.
  4. The method according to any one of claims 1 to 3, wherein the execution policy comprises executing the flow processing policy immediately, periodically or within a specific time period.
  5. An attack handling method, comprising:
    receiving flow description information and a flow control policy of an attack flow sent by a policy control device, the flow control policy comprising a flow processing policy and an execution policy;
    processing, according to the flow control policy, data flows matching the flow description information of the attack flow.
  6. The method according to claim 5, wherein the flow description information of the attack flow comprises at least a source Internet Protocol (IP) address of the attack flow, and processing, according to the flow control policy, data flows matching the flow description information of the attack flow comprises:
    processing, according to the flow control policy, data flows whose source IP address is the source IP address in the flow description information of the attack flow.
  7. The method according to claim 6, wherein the flow description information of the attack flow further comprises at least one of: a source port, a destination port and a transport-layer protocol number of the attack flow.
  8. An attack handling method, comprising:
    receiving a data flow;
    if the data flow is determined to be an attack flow, sending attack information corresponding to the attack flow to a policy control device, the attack information comprising flow description information of the attack flow and an attack type to which the attack flow belongs.
  9. The method according to claim 8, wherein the attack flow comprises a network-layer attack flow or a service-layer attack flow.
  10. The method according to claim 9, wherein determining that the data flow is a service-layer attack flow comprises:
    if, by parsing signaling messages and media information in the data flow, it is determined that the data flow affects the security of a protected object at the service level, determining that the data flow is a service-layer attack flow, the service level comprising a control plane, a user plane and a management plane.
  11. The method according to any one of claims 8 to 10, wherein the flow description information of the attack flow comprises at least a source Internet Protocol (IP) address of the attack flow and further comprises at least one of: a destination IP address, a source port, a destination port and a transport-layer protocol number of the attack flow.
  12. A policy control device, comprising:
    a receiving unit, configured to receive attack information corresponding to an attack flow sent by a service network element, the attack information comprising flow description information of the attack flow and an attack type to which the attack flow belongs;
    a determining unit, configured to determine a flow control policy corresponding to the attack type received by the receiving unit, the flow control policy comprising a flow processing policy and an execution policy;
    a sending unit, configured to send the flow description information of the attack flow received by the receiving unit and the flow control policy determined by the determining unit to a software-defined network (SDN) controller, so that the SDN controller processes, according to the flow control policy, data flows matching the flow description information of the attack flow.
  13. The device according to claim 12, wherein the flow description information of the attack flow comprises at least a source Internet Protocol (IP) address of the attack flow and further comprises at least one of: a destination IP address, a source port, a destination port and a transport-layer protocol number of the attack flow.
  14. The device according to claim 12, wherein the flow processing policy comprises deleting a flow table entry corresponding to a data flow matching the flow description information of the attack flow, redirecting a data flow matching the flow description information of the attack flow, or rate-limiting a data flow matching the flow description information of the attack flow.
  15. The device according to any one of claims 12 to 14, wherein the execution policy comprises executing the flow processing policy immediately, periodically or within a specific time period.
  16. A software-defined network (SDN) controller, comprising:
    a receiving unit, configured to receive flow description information and a flow control policy of an attack flow sent by a policy control device, the flow control policy comprising a flow processing policy and an execution policy;
    a processing unit, configured to process, according to the flow control policy received by the receiving unit, data flows matching the flow description information of the attack flow received by the receiving unit.
  17. The SDN controller according to claim 16, wherein the flow description information of the attack flow comprises at least a source Internet Protocol (IP) address of the attack flow, and the processing unit is specifically configured to:
    process, according to the flow control policy, data flows whose source IP address is the source IP address in the flow description information of the attack flow.
  18. The SDN controller according to claim 17, wherein the flow description information of the attack flow further comprises at least one of: a source port, a destination port and a transport-layer protocol number of the attack flow.
  19. A service network element, comprising:
    a receiving unit, configured to receive a data flow;
    a determining unit, configured to determine whether the data flow received by the receiving unit is an attack flow;
    a sending unit, configured to, when the determining unit determines that the data flow is an attack flow, send attack information corresponding to the attack flow to a policy control device, the attack information comprising flow description information of the attack flow and an attack type to which the attack flow belongs.
  20. The service network element according to claim 19, wherein the attack flow comprises a network-layer attack flow or a service-layer attack flow.
  21. The service network element according to claim 20, wherein the determining unit determining that the data flow is a service-layer attack flow specifically comprises:
    if, by parsing signaling messages and media information in the data flow, it is determined that the data flow affects the security of a protected object at the service level, determining that the data flow is a service-layer attack flow, the service level comprising a control plane, a user plane and a management plane.
  22. The service network element according to any one of claims 19 to 21, wherein the flow description information of the attack flow comprises at least a source Internet Protocol (IP) address of the attack flow and further comprises at least one of: a destination IP address, a source port, a destination port and a transport-layer protocol number.
  23. A system, comprising the policy control device according to any one of claims 12 to 15, the software-defined network (SDN) controller according to any one of claims 16 to 18, and the service network element according to any one of claims 19 to 22.
PCT/CN2017/072087 2016-02-26 2017-01-22 Method, device, and system for handling attacks WO2017143897A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610109680.X 2016-02-26
CN201610109680.XA CN107135185A (en) 2016-02-26 2016-02-26 A kind of attack processing method, equipment and system

Publications (1)

Publication Number Publication Date
WO2017143897A1 true WO2017143897A1 (en) 2017-08-31

Family

ID=59684719

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/072087 WO2017143897A1 (en) 2016-02-26 2017-01-22 Method, device, and system for handling attacks

Country Status (2)

Country Link
CN (1) CN107135185A (en)
WO (1) WO2017143897A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112448929A (en) * 2019-09-02 2021-03-05 中国电力科学研究院有限公司 Dynamic side protection method and platform for communication network
CN113938301A (en) * 2021-10-12 2022-01-14 中国电信股份有限公司 Method, device and storage medium for generating operation and maintenance strategy for network attack

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110674479B (en) * 2019-09-29 2021-09-03 武汉极意网络科技有限公司 Abnormal behavior data real-time processing method, device, equipment and storage medium
CN113891340B (en) * 2020-07-02 2023-10-27 中国移动通信集团安徽有限公司 Adaptive flow control method, device, computing equipment and storage medium
CN114448679A (en) * 2022-01-04 2022-05-06 深圳萨摩耶数字科技有限公司 Attack chain construction method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060130146A1 (en) * 2004-11-24 2006-06-15 Yang Seo Choi Network packet generation apparatus and method having attack test packet generation function for information security system test
CN101170402A (en) * 2007-11-08 2008-04-30 华为技术有限公司 A method and system for preventing from TCP attack based on network stream technology
CN104580168A (en) * 2014-12-22 2015-04-29 华为技术有限公司 Method, device and system for processing attack data packages
CN104954376A (en) * 2015-06-17 2015-09-30 华为技术有限公司 Self-adaptive anti-attack method and device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112448929A (en) * 2019-09-02 2021-03-05 中国电力科学研究院有限公司 Dynamic side protection method and platform for communication network
CN113938301A (en) * 2021-10-12 2022-01-14 中国电信股份有限公司 Method, device and storage medium for generating operation and maintenance strategy for network attack
CN113938301B (en) * 2021-10-12 2024-01-30 中国电信股份有限公司 Method, device and storage medium for generating operation and maintenance strategy for network attack

Also Published As

Publication number Publication date
CN107135185A (en) 2017-09-05

Similar Documents

Publication Publication Date Title
WO2017143897A1 (en) Method, device, and system for handling attacks
AU2015255980B2 (en) System and methods for reducing impact of malicious activity on operations of a wide area network
US9825870B2 (en) System and method for reporting packet characteristics in a network environment
EP1737189B1 (en) Apparatus and method for mitigating denial of service attacks on communication appliances
US7764612B2 (en) Controlling access to a host processor in a session border controller
US8881281B1 (en) Application and network abuse detection with adaptive mitigation utilizing multi-modal intelligence data
US20060272025A1 (en) Processing of packet data in a communication system
JP2006517066A (en) Mitigating denial of service attacks
US8320249B2 (en) Method and system for controlling network access on a per-flow basis
EP3485608B1 (en) Methods and servers for managing traffic steering policies
KR20120060655A (en) Routing Method And Apparatus For Detecting Server Attacking And Network Using Method Thereof
US9258213B2 (en) Detecting and mitigating forwarding loops in stateful network devices
CN106656648B (en) Application flow dynamic protection method and system based on home gateway and home gateway
US20200084300A1 (en) Packet fragmentation control
WO2014075485A1 (en) Processing method for network address translation technology, nat device and bng device
JP4602158B2 (en) Server equipment protection system
WO2019096104A1 (en) Attack prevention
Casoni et al. Towards emergency networks security with per-flow queue rate management
KR101065800B1 (en) Network management apparatus and method thereof, user terminal for managing network and recoding medium thereof
Tupakula et al. Security techniques for counteracting attacks in mobile healthcare services
KR101466895B1 (en) Method of detecting voip fraud, apparatus performing the same and storage media storing the same
KR20110071774A (en) Smart border router and method for transmitting flow using the same
JP2006023934A (en) Method and system for protecting against denial-of-service attack
KR101800861B1 (en) Voip security system and method
KR102299225B1 (en) Service security system for internet protocol calling based on SDN/NFV, and service security method thereof

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17755726

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17755726

Country of ref document: EP

Kind code of ref document: A1