CN101257416B - Networking type abnormal flow defense method based on combining network with host computer - Google Patents
Abstract
A networking-type abnormal-traffic defense method that combines network-based and host-based defense. It prevents the harm abnormal traffic does to network performance, such as core-network communication links being occupied by abnormal traffic, link network equipment being overloaded by it, and the service quality of important customers dropping sharply because of it. The method comprises: (1) setting a performance parameter list; (2) a traffic statistics module statistically analyzing the traffic information collected by a routing device and comparing it with the thresholds set in the parameter list of step (1); (3) if the traffic statistics of any host exceed the threshold range set in step (1), judging that the host is producing abnormal traffic and triggering the abnormal alarm mechanism; (4) the abnormal alarm mechanism sending an abnormal alarm to the host of step (3) and ordering that host to process its own traffic immediately; (5) recording and updating the host status; (6) judging network access; and (7) the host filtering the abnormal traffic by itself.
Description
Technical field
The present invention is a method for defending against the harm that abnormal traffic causes to network performance (for example, communication links of the core network being occupied by abnormal traffic, link network equipment being overloaded by abnormal traffic, and the service quality of large customers dropping sharply because their services are affected by abnormal traffic). It belongs to the technical field of network security.
Background technology
As the core technologies of next-generation networks such as IPv6 mature, and as telecommunication service demand, technology and network architecture evolve, the many advantages and functions of IPv6 make it an important foundation for building the next-generation network, and improving the security of IPv6-based next-generation networks is an important strategic direction for networks in China and worldwide.
With the development of information network technology, and of Internet technology in particular, which is in a stage of rapid development, the IP address space crisis has become the main driving force for upgrading from IPv4 to IPv6. The complexity of IPv4 configuration also creates an urgent need for a protocol application that satisfies the "automatic configuration" of IPv6, and the security risks present in IPv4 create an urgent need for an IPv6 mechanism with added security options to strongly support IP security. In short, the change from IPv4 to IPv6 is an inevitable trend.
Abroad, research on IPv6 network security has mainly been research on IPsec. In large-scale experimental IPv6 networks, the IPsec protocol has been supplemented and upgraded to make the IPv6 security mechanism more complete: for example, how IPsec is applied in a concrete environment, and how effective cryptographic algorithms are used to configure IPsec. Protection by intrusion detection systems, as an aspect of network security, has not yet been addressed.
Abroad, under IPv4, many intrusion detection algorithms have been proposed, such as the cumulative sum algorithm CUSUM (Cumulative Sum Algorithm) against SYN flood, abnormal-traffic algorithms based on covariance matrix analysis, and improved threshold algorithms. Some of them are used in current network environments and do have a certain effect under IPv4. However, because the development of the new-generation network environment necessarily brings new changes, their effectiveness is limited. Research into intrusion detection systems and their key technologies for the new-generation IPv6 network environment is therefore a problem that will attract attention both in China and abroad in the next stage.
In China, several funded projects have tested IPv6 and described its advantages over IPv4 and its remaining shortcomings. Because IPv6 encryption and authentication are decoupled from the protocol (different algorithms can be selected to encrypt and authenticate its packets, and the encryption speed and the time needed to break them differ between algorithms), many domestic papers currently focus on how to select for IPv6 an encryption and authentication system that is both fast and hard to break. There is no related research on how to detect network intrusions; only a new-generation firewall scheme based on security certification under IPv6 has been proposed.
In summary, attention at home and abroad currently goes to how to make IPv6 concrete and practical, focusing on how to apply this new network protocol in actual networks and paying special attention to the encryption and authentication mechanisms it introduces. The security problems that remain after adopting IPv6 have merely been raised, without a concrete solution being given; in particular, the problem of intrusion detection under IPv6 has not been solved at all. As IPv6 networks enter practical use, problems in this respect will inevitably surface.
Summary of the invention
Technical problem: the object of the invention is to propose a networking-type abnormal-traffic defense method that combines network-based and host-based defense, greatly reducing the difficulty of abnormal-traffic defense and changing the situation in previous anomaly defense systems in which the routing device carried a heavy workload.
Technical scheme: attention at home and abroad currently goes to how to make IPv6 (Internet Protocol version 6) concrete and practical, focusing on how to apply this new network protocol in actual networks and paying special attention to the encryption and authentication mechanisms it introduces. The security problems that remain after adopting IPv6 have merely been raised, without a concrete solution being given; in particular, the problem of network security under IPv6 has not been solved at all. As IPv6 networks enter practical use, problems in this respect will inevitably surface.
The networking-type abnormal-traffic defense method of the present invention, combining network-based and host-based defense, is as follows:
1) Set the performance parameter list: record the thresholds of certain network parameters under normal conditions, as one basis on which the anomaly sensing module detects whether an anomaly has occurred;
2) The traffic statistics module gathers statistics on the traffic information collected by the routing device and compares them with the thresholds set in the parameter list of step 1);
3) If the traffic statistics of a host are found to exceed the threshold range set in step 1), judge that this host is producing abnormal traffic and trigger the abnormal alarm mechanism;
4) The abnormal alarm module sends an abnormal warning to the host found in step 3) and orders it to process the traffic it produces immediately;
5) Host status record and update: after the abnormal alarm module is triggered, the corresponding host status must be updated;
6) Network access judgement: the routing forwarding device judges whether to forward received traffic normally according to the status of the host it belongs to. The network access judging module queries the host status record table to obtain the host status; if the host is in an abnormal state such as warned, abnormal processing or unreacted, it stops providing traffic forwarding service to that host; otherwise its traffic is routed and forwarded normally;
7) The host filters abnormal traffic by itself: after receiving an abnormal warning, a host that wishes to regain network access service must start its abnormal-traffic filtering module immediately. An exception rule base is needed here; introducing accurate and detailed anomaly filtering rules helps efficient identification and filtering of anomalies.
The states introduced for each host, and the rules for updating them, are as follows:
A. Status report module running state: identifies whether the host has joined the anomaly defense system and is ready, whenever an anomaly occurs, to carry out abnormal-processing work in cooperation with the routing forwarding device;
B. Normal state: the host has joined the anomaly defense system and its traffic statistics are within the normal range;
C. Warned state: when a host's traffic is found to be abnormal and an abnormal warning has been sent to it, the host status is marked as warned;
D. Abnormal processing state: if, after an abnormal warning is sent to the host, the warning-processing information returned by the host is successfully received, the host status is marked as abnormal processing;
E. Unreacted state: if no status report is received from the host for longer than a set time, or if the warning-processing information returned by the host is not received after an abnormal warning is sent to it, the host status is marked as unreacted.
Beneficial effect: successful implementation of this method can thoroughly change the situation in previous anomaly defense systems in which the routing forwarding device bore the heavy work. Identification and control of abnormal traffic is transferred to the ultimate source of the abnormal traffic, the host terminal itself, while the routing forwarding device is responsible only for the traditional tasks of traffic statistics and judging whether the network is operating normally. Even when a traffic anomaly occurs, each host is responsible only for detecting the traffic it produces itself, which locates the source of the abnormal traffic directly and makes identification and control of abnormal traffic more efficient.
Description of drawings
Fig. 1 is the working principle diagram of this system, in which the dotted lines represent the series of abnormal-processing events that follow detection of an anomaly;
Fig. 2 is the transition diagram between the various states a host may be in within this defense system;
Fig. 3 is the flow chart of the routing device in this defense system deciding, according to host status, whether to provide traffic forwarding service to a host;
Fig. 4 is the flow chart of this defense system discovering the host in the network that produces abnormal traffic.
Embodiment
The present invention proposes a networking-type abnormal-traffic defense system that combines network-based and host-based defense. It changes the situation in previous anomaly detection mechanisms, in which a detection module concentrated at a traffic transmission control terminal such as a router bore the main defense responsibility, by bringing each host that accesses the network, the original source of network traffic, into the overall network defense system, and by terminating attack traffic through the host's own traffic detection module before it threatens the network. Successful implementation of this system lets attack traffic be stopped by the initiator of the network attack itself, reduces the impact of attack traffic on the network to a minimum, and significantly reduces the burden on traffic forwarding equipment such as routers and on overall network traffic.
The implementation process of this scheme can be summarized as follows:
1) An anomaly sensing module is set up at the traffic forwarding end and is responsible for compiling statistics on the traffic information of the network; as soon as it senses that the traffic of a host is abnormal, it starts the abnormal alarm and sends an abnormal warning to the corresponding host;
2) A host that receives an abnormal warning starts its anomaly filtering module and carries out the relevant detection and regulation of its own communication traffic;
3) The traffic forwarding end keeps a corresponding state record of the traffic situation of each host and decides, according to that record, whether to provide network access service.
Fig. 1 is the working principle diagram of this system, in which the dotted lines represent the series of abnormal-processing events that follow detection of an anomaly. The work each module is responsible for is as follows:
Routing device end:
1) Performance parameter list: records the thresholds of certain network parameters under normal conditions, as one basis on which the anomaly sensing module detects whether an anomaly has occurred;
2) Host status recording module: records the state of each host in the network, as the basis for the judgement of the network access judging module;
3) Network access judging module: decides according to a host's state whether to provide it with network access service, that is, whether to forward the host's traffic;
4) Traffic statistics module: compiles the corresponding statistics from the traffic information collected by the routing device;
5) Anomaly sensing module: detects, from the traffic statistics and the performance parameter list, whether a traffic anomaly has occurred;
6) Abnormal alarm module: receives the abnormal alarm information sent by the anomaly sensing module and sends an abnormal warning to the corresponding host.
Host device end:
1) Exception rule base: records the rules that can be used to identify abnormal traffic, as the basis on which the anomaly filtering module filters traffic;
2) Status report module: reports the host status to the routing forwarding device;
3) Warning processing module: receives the abnormal warning and orders the host to start the anomaly filtering module;
4) Anomaly filtering module: filters the abnormal traffic sent by this machine according to the exception rule base.
It can be clearly seen from this principle diagram that the system transfers the main abnormal-traffic filtering work to the host that produces the abnormal traffic, so the routing device is no longer responsible for heavy work such as identifying and controlling abnormal traffic, and abnormal traffic is terminated before it is forwarded outside the network, which greatly reduces the traffic load on the overall network compared with defending on the side of the victim router. The core working modules of this anomaly defense system and their flows are introduced in detail below:
1) Host status & network access judgement
Whether a host attacks a target inside its own subnet or outside it, it must first successfully access the network before attack traffic can be sent to the target. Since this scheme adopts a networked architecture in which every host is brought directly into the overall anomaly defense system, abnormal traffic can be stopped at the source by deciding whether to provide a given host with network access service. To this end, the scheme introduces a series of state identifiers for each host, and a network access judging module is set up on the routing forwarding device to decide, according to host status, whether the host's communication traffic is forwarded outside the network.
The states introduced for each host may be: status report module running, normal, warned, abnormal processing, unreacted, and so on. The status report module running state identifies whether the host has joined the anomaly defense system and is ready, whenever an anomaly occurs, to carry out abnormal-processing work in cooperation with the routing forwarding device; the normal state means the host has joined the anomaly defense system and its traffic statistics are within the normal range; when a host's traffic is found to be abnormal and an abnormal warning has been sent to it, its status is marked as warned; if, after an abnormal warning is sent to the host, the warning-processing information it returns is successfully received, its status is marked as abnormal processing; if no status report is received from the host for longer than a set time, or if the warning-processing information returned by the host is not received after an abnormal warning is sent, its status is marked as unreacted. The transition relations between the states are shown in Fig. 2.
The network access judging module then decides, according to the host's state, whether the routing device forwards the host's traffic. Fig. 3 describes this judging process, in which host.status denotes the recorded host status.
2) Anomaly sensing
The traffic statistics module compiles statistics on, and records, the traffic information that all hosts inside the network send to the routing device for forwarding. The thresholds of certain network performance parameters that the network can sustain in its normal operating state, such as total network traffic and host communication rate, are stored in the performance parameter list. The traffic statistics are compared with the thresholds of the corresponding parameters in the performance parameter list; as soon as a value is found to reach or exceed a threshold, the network is considered to be operating under abnormal conditions, the abnormal alarm is started and an abnormal warning is sent to the corresponding host. Fig. 4 is the flow chart of the anomaly sensing module's work.
3) Abnormal processing
This scheme places the anomaly filtering module, the core of the abnormal-traffic defense system, on the host terminal, which reduces the heavy work the routing device bears in identifying abnormal traffic. Each host starts its anomaly filtering module and performs abnormal-processing work only after receiving an abnormal warning, and all it processes is the traffic that host itself sends, so the workload introduced is small.
After a host receives an abnormal warning, the warning processing module orders the host to start the anomaly filtering module; if the host starts the anomaly filtering module normally, the warning processing module returns abnormal-processing information to the abnormal alarm module. Once the host has successfully started the anomaly filtering module, it identifies and filters anomalies in the communication traffic it produces according to the abnormal-traffic feature rules recorded in the rule base, and sends out the traffic from which abnormal traffic has been filtered.
Abnormal processing also involves updating the host status record; the specific update rules are given in part 2).
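The router-side modules (performance parameter list, traffic statistics and anomaly sensing, abnormal alarm, host status record with the five states A to E and their timeouts, network access judgement) and the host-side modules (warning processing and rule-based filtering) described above, as an added offline simulation in Python that is not code from the patent. The thresholds, host names, flow records, timeouts and the rule base are constructed, and two transitions the text leaves to Fig. 2 are assumptions: a host that reports after being unreacted returns to normal, and an abnormal-processing host returns to normal once its filtered traffic is back within the thresholds.

```python
from dataclasses import dataclass
from enum import Enum

class HostState(Enum):           # the five host states A..E of the method
    REPORTING = "A: status report module running"
    NORMAL = "B: normal"
    WARNED = "C: warned"
    HANDLING = "D: abnormal processing"
    UNRESPONSIVE = "E: unreacted"

# 1) Performance parameter list: per-host thresholds under normal operation (constructed values).
PERF_PARAMS = {"pkts_per_s": 2000, "new_flows_per_s": 50}

@dataclass
class HostRecord:                # one row of the host status record table
    state: HostState = HostState.REPORTING
    last_report: float = 0.0
    warned_at: float = 0.0

class RouterSide:
    """Routing device end: traffic statistics, anomaly sensing, alarm, status record, access judgement."""
    def __init__(self, params, report_timeout=30.0, reply_timeout=10.0):
        self.params, self.report_timeout, self.reply_timeout = params, report_timeout, reply_timeout
        self.hosts = {}          # host -> HostRecord
        self.alarms = []         # abnormal alarm module outbox: (host, breached parameters)
    def receive_status_report(self, host, now):
        """Status report module on the host -> host status record (host joins or re-joins the system)."""
        rec = self.hosts.setdefault(host, HostRecord())
        rec.last_report = now
        if rec.state in (HostState.REPORTING, HostState.UNRESPONSIVE):
            rec.state = HostState.NORMAL   # assumption: counts as normal until its statistics say otherwise
    def observe_traffic(self, host, stats, now):
        """2)/3) compare one host's statistics with the parameter list; any breach triggers the alarm."""
        rec = self.hosts.setdefault(host, HostRecord())
        breached = {k: v for k, v in stats.items() if k in self.params and v >= self.params[k]}
        if breached and rec.state in (HostState.REPORTING, HostState.NORMAL):
            rec.state, rec.warned_at = HostState.WARNED, now      # 4) abnormal warning goes to the host
            self.alarms.append((host, breached))
        elif not breached and rec.state == HostState.HANDLING:
            rec.state = HostState.NORMAL   # assumption: filtered traffic back within thresholds -> normal
        return breached
    def receive_warning_reply(self, host):
        """Warning-processing information returned by the host: warned -> abnormal processing."""
        rec = self.hosts.get(host)
        if rec is not None and rec.state == HostState.WARNED:
            rec.state = HostState.HANDLING
    def tick(self, now):
        """5) timeouts: an overdue warning reply or an overdue status report marks the host unreacted."""
        for rec in self.hosts.values():
            if rec.state == HostState.WARNED and now - rec.warned_at > self.reply_timeout:
                rec.state = HostState.UNRESPONSIVE
            elif rec.state != HostState.WARNED and now - rec.last_report > self.report_timeout:
                rec.state = HostState.UNRESPONSIVE
    def forward_allowed(self, host):
        """6) network access judgement: forward only for hosts whose recorded status is not abnormal."""
        rec = self.hosts.get(host)
        return rec is not None and rec.state in (HostState.REPORTING, HostState.NORMAL)

class HostSide:
    """Host device end: warning processing module plus anomaly filtering over an exception rule base."""
    def __init__(self, name, rule_base):
        self.name, self.rule_base, self.filtering = name, rule_base, False
    def handle_warning(self, router):
        """7) start the filtering module, then return abnormal-processing information to the router."""
        self.filtering = True
        router.receive_warning_reply(self.name)
    def send(self, flows):
        """Outbound flows; once filtering is on, any flow matching a rule is dropped at the source."""
        if not self.filtering:
            return flows
        return [f for f in flows if not any(rule(f) for rule in self.rule_base)]

# Constructed exception rule base: a large burst of SYN-only packets is treated as abnormal.
RULES = [lambda f: f["flags"] == "S" and f["pkts"] > 500]

def simulate():
    """Walk two constructed hosts through the method and return the observable milestones."""
    router, h1, h2 = RouterSide(PERF_PARAMS), HostSide("10.0.0.5", RULES), HostSide("10.0.0.9", RULES)
    for h in (h1, h2):
        router.receive_status_report(h.name, now=0.0)
    router.observe_traffic(h1.name, {"pkts_per_s": 120, "new_flows_per_s": 3}, now=1.0)
    router.observe_traffic(h2.name, {"pkts_per_s": 9000, "new_flows_per_s": 400}, now=1.0)
    trace = [(router.hosts[h2.name].state, router.forward_allowed(h2.name))]    # warned, blocked
    h2.handle_warning(router)                                                    # h2 starts filtering
    trace.append(router.hosts[h2.name].state)                                    # abnormal processing
    kept = h2.send([{"flags": "S", "pkts": 5000}, {"flags": "PA", "pkts": 12}])
    trace.append(len(kept))                                                      # SYN burst dropped
    router.receive_status_report(h2.name, now=5.0)
    router.observe_traffic(h2.name, {"pkts_per_s": 30, "new_flows_per_s": 1}, now=5.0)
    trace.append((router.hosts[h2.name].state, router.forward_allowed(h2.name)))  # normal, forwarded
    router.tick(now=33.0)                                                        # h1 went silent at t=0
    trace.append((router.hosts[h1.name].state, router.forward_allowed(h1.name)))  # unreacted, blocked
    return trace
```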
Claims (2)
1. A networking-type abnormal-traffic defense method combining network-based and host-based defense, characterized in that the method is:
1) Set the performance parameter list: record the network traffic thresholds under normal conditions, as one basis on which the anomaly sensing module detects whether an anomaly has occurred;
2) The traffic statistics module gathers statistics on the traffic information collected by the routing forwarding device and compares them with the thresholds set in the parameter list of step 1);
3) If the traffic statistics of a host are found to exceed the threshold set in step 1), judge that this host is producing abnormal traffic and trigger the abnormal alarm mechanism;
4) The abnormal alarm module sends an abnormal warning to the host found in step 3) and orders it to process the traffic it produces immediately;
5) Host status record and update: after the abnormal alarm module is triggered, the corresponding host status must be updated;
6) Network access judgement: the routing forwarding device judges whether to forward received traffic normally according to the status of the host it belongs to. The network access judging module queries the host status record table to obtain the host status; if the host is in the abnormal state warned, abnormal processing or unreacted, it stops providing traffic forwarding service to that host; otherwise its traffic is routed and forwarded normally;
7) The host filters abnormal traffic by itself: after receiving an abnormal warning, a host that wishes to regain network access service must start its abnormal-traffic filtering module immediately; an exception rule base is needed here, and introducing accurate and detailed anomaly filtering rules helps efficient identification and filtering of anomalies.
2. The networking-type abnormal-traffic defense method combining network-based and host-based defense according to claim 1, characterized in that the states introduced for each host, and the rules for updating them, are as follows:
A. Status report module running state: identifies whether the host has joined the anomaly defense system and is ready, whenever an anomaly occurs, to carry out abnormal-processing work in cooperation with the routing forwarding device;
B. Normal state: the host has joined the anomaly defense system and its traffic statistics are within the normal range;
C. Warned state: when a host's traffic is found to be abnormal and an abnormal warning has been sent to it, the host status is marked as warned;
D. Abnormal processing state: if, after an abnormal warning is sent to the host, the warning-processing information returned by the host is successfully received, the host status is marked as abnormal processing;
E. Unreacted state: if no status report is received from the host for longer than a set time, or if the warning-processing information returned by the host is not received after an abnormal warning is sent to it, the host status is marked as unreacted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008100196647A CN101257416B (en) | 2008-03-11 | 2008-03-11 | Networking type abnormal flow defense method based on combining network with host computer |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101257416A CN101257416A (en) | 2008-09-03 |
CN101257416B true CN101257416B (en) | 2010-08-18 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1809000A (en) * | 2006-02-13 | 2006-07-26 | 成都三零盛安信息系统有限公司 | Network intrusion detection method |
CN1820452A (en) * | 2001-08-14 | 2006-08-16 | 思科技术公司 | Detecting and protecting against worm traffic on a network |
CN1997017A (en) * | 2006-12-20 | 2007-07-11 | 浙江大学 | A network worm detection method and its system |
Non-Patent Citations (1)
Title |
---|
孙知信, 姜举良, 焦琳. DDoS attack detection and defense model. Journal of Software (软件学报), 2007, full text. * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100818 Termination date: 20160311 |