CN103609070A - Network traffic detection method, system, equipment and controller (Google Patents)

Info

Publication number: CN103609070A
Authority: CN (China)
Prior art keywords: data flow, attribute, switch, message, forwarding rule
Legal status: Granted
Application number: CN201280021731.3A
Other languages: Chinese (zh)
Other versions: CN103609070B (en)
Inventors: 孟健, 王雨晨
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00  Routing or path finding of packets in data switching networks
    • H04L45/38  Flow based routing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

Disclosed are a network traffic detection method, system, equipment and controller. The method comprises the steps of: a detection device receiving packets of a first data flow sent by a first switch; performing security detection on the packets of the first data flow according to a configured security rule to obtain a detection result; and sending the detection result to a controller, so that the controller can generate a new forwarding rule according to the detection result to replace a temporary forwarding rule on the first switch. The controller can first direct the data flow that each switch is about to transmit to the detection device and then decide, according to the detection device's security detection result for each data flow, whether to transmit the data flow between the switches, thereby improving the accuracy of network traffic detection and increasing the transmission performance of the network.

Description

Network flow detection method, system, equipment and controller
Technical field
The present invention relates to the field of network communications technology, and in particular to a network flow detection method, system, equipment and controller.
Background technology
A traditional network architecture generally includes a number of routing and switching devices, each of which can connect a number of host devices, and all of the routing and switching devices are directly or indirectly connected to a gateway device, through which they connect to an external network. When the security of the traffic in the network is to be detected, a flow detection device can be deployed at a critical path of the network. For example, for a local area network (LAN) or a company network, a flow detection device is conventionally deployed on the access path between the gateway device and the external network, and the security of the entire traffic of the LAN or company network is detected in this way.
During research into the prior art, the inventors found that if the flow detection method of a traditional network is adopted, only the security of the traffic of the network as a whole can be detected, and it is difficult to detect the security of the traffic transmitted between switching devices inside the network, which makes network traffic detection inaccurate.
Summary of the invention
The embodiments of the present invention provide a network flow detection method, system, equipment and controller, to solve the problem in the prior art that the security of traffic inside the network cannot be detected, which makes network traffic detection inaccurate.
In order to solve the above technical problem, the embodiments of the present invention disclose the following technical solutions:
In a first aspect, a network flow detection method is provided, the method comprising:
a detection device receives a packet of a first data flow sent by a first switch, the packet being a packet of the first data flow that the first switch directs to the detection device according to a temporary forwarding rule issued by a controller after the first switch has reported the first packet of the first data flow to the controller;
the detection device performs security detection on the packet of the first data flow according to a configured security rule, and obtains a detection result;
the detection device sends the detection result to the controller, so that the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch.
In a first possible implementation of the first aspect, the detection device performing security detection on the packet of the first data flow according to the configured security rule comprises:
obtaining attribute information of the packet of the first data flow;
judging whether the attribute information matches the configured security rule;
if the attribute information matches the security rule, determining that the first data flow is an unsafe data flow, and if the attribute information does not match the security rule, determining that the first data flow is a safe data flow.
In the first aspect, or in the first possible implementation of the first aspect, a second possible implementation of the first aspect is further provided, in which sending the detection result to the controller comprises:
constructing a security notification message according to the detection result, the security notification message comprising a match field of the first data flow, a state attribute and an action attribute;
sending the security notification message to the controller.
In the second possible implementation of the first aspect, a third possible implementation of the first aspect is further provided, in which:
the match field of the first data flow comprises a tuple for identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the state attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the action attribute comprises a drop attribute when the state attribute is the unsafe state, and a redirect attribute when the state attribute is the safe state.
In a second aspect, another network flow detection method is provided, the method comprising:
a controller receives the first packet of a first data flow reported by a first switch;
the controller issues a temporary forwarding rule for the first data flow to the first switch, so that the first switch directs the packets of the first data flow to a detection device according to the temporary forwarding rule;
the controller receives a detection result sent by the detection device, the detection result being the result obtained after the detection device performs security detection on the packets of the first data flow according to a configured security rule;
the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch, so that the first switch processes the packets of the first data flow according to the new forwarding rule.
In a first possible implementation of the second aspect, the controller receiving the detection result sent by the detection device is specifically: the controller receives a security notification message sent by the detection device, the security notification message comprising a match field of the first data flow, a state attribute and an action attribute.
In the first possible implementation of the second aspect, a second possible implementation of the second aspect is further provided, in which:
the match field of the first data flow comprises a tuple for identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the state attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the action attribute comprises a drop attribute when the state attribute is the unsafe state, and a redirect attribute when the state attribute is the safe state.
In the second possible implementation of the second aspect, a third possible implementation of the second aspect is further provided, in which the controller generating the new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch comprises:
checking the state attribute and the action attribute in the security notification message;
if it is determined according to the state attribute that the first data flow is a safe data flow, sending a generated first forwarding rule to the first switch, the first forwarding rule comprising information about a second switch to which the first data flow is redirected, set according to the action attribute; and
if it is determined according to the state attribute that the first data flow is an unsafe data flow, sending a generated second forwarding rule to the first switch, the second forwarding rule comprising information for dropping the first data flow, set according to the action attribute.
In a third aspect, a network traffic detection system is provided, the system comprising a controller, a detection device and at least one first switch, wherein:
the first switch is configured to report the first packet of a first data flow to the controller;
the controller is configured to issue a temporary forwarding rule for the first data flow to the first switch;
the first switch is further configured to direct the packets of the first data flow to the detection device according to the temporary forwarding rule;
the detection device is configured to perform security detection on the packets of the first data flow according to a configured security rule, obtain a detection result, and send the detection result to the controller;
the controller is further configured to generate a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch;
the first switch is further configured to process the packets of the first data flow according to the new forwarding rule.
In a first possible implementation of the third aspect, the detection device is specifically configured to obtain attribute information of the packets of the first data flow, judge whether the attribute information matches the configured security rule, obtain a detection result that the first data flow is an unsafe data flow if the attribute information matches the security rule, and obtain a detection result that the first data flow is a safe data flow if the attribute information does not match the security rule; and to construct a security notification message according to the detection result and send the security notification message to the controller, the security notification message comprising a match field of the first data flow, a state attribute and an action attribute.
In the first possible implementation of the third aspect, a second possible implementation of the third aspect is further provided, in which:
the match field of the first data flow comprises a tuple for identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the state attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the action attribute comprises a drop attribute when the state attribute is the unsafe state, and a redirect attribute when the state attribute is the safe state.
In the second possible implementation of the third aspect, a third possible implementation of the third aspect is further provided, in which:
the controller is specifically configured to check the state attribute and the action attribute in the security notification message; if it is determined according to the state attribute that the first data flow is a safe data flow, to send a generated first forwarding rule to the first switch, the first forwarding rule comprising information about a second switch to which the first data flow is redirected, set according to the action attribute; and if it is determined according to the state attribute that the first data flow is an unsafe data flow, to send a generated second forwarding rule to the first switch, the second forwarding rule comprising information for dropping the first data flow, set according to the action attribute.
In a fourth aspect, a detection device is provided, the detection device comprising:
a receiving unit, configured to receive a packet of a first data flow sent by a first switch, the packet being a packet of the first data flow that the first switch directs to the detection device according to a temporary forwarding rule issued by a controller after the first switch has reported the first packet of the first data flow to the controller;
a detecting unit, configured to perform security detection on the packet of the first data flow received by the receiving unit according to a configured security rule, and obtain a detection result;
a sending unit, configured to send the detection result obtained by the detecting unit to the controller, so that the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch.
In a first possible implementation of the fourth aspect, the detecting unit comprises:
an information acquisition subunit, configured to obtain attribute information of the packet of the first data flow;
a rule matching subunit, configured to judge whether the attribute information obtained by the information acquisition subunit matches the configured security rule;
a result determining subunit, configured to determine that the first data flow is an unsafe data flow when the rule matching subunit judges that the attribute information matches the security rule, and to determine that the first data flow is a safe data flow when the rule matching subunit judges that the attribute information does not match the security rule.
In the fourth aspect, or in the first possible implementation of the fourth aspect, a second possible implementation of the fourth aspect is further provided, in which the sending unit comprises:
a message constructing subunit, configured to construct a security notification message according to the detection result, the security notification message comprising a match field of the first data flow, a state attribute and an action attribute;
a message sending subunit, configured to send the security notification message constructed by the message constructing subunit to the controller.
In a fifth aspect, another detection device is provided, the detection device comprising an input port, a processor and an output port, wherein:
the input port is configured to receive a packet of a first data flow sent by a first switch, the packet being a packet of the first data flow that the first switch directs to the detection device according to a temporary forwarding rule issued by a controller after the first switch has reported the first packet of the first data flow to the controller;
the processor is configured to perform security detection on the packet of the first data flow according to a configured security rule, and obtain a detection result;
the output port is configured to send the detection result to the controller, so that the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch.
In a first possible implementation of the fifth aspect, the processor is specifically configured to obtain attribute information of the packet of the first data flow, judge whether the attribute information matches the configured security rule, obtain a detection result that the first data flow is an unsafe data flow if the attribute information matches the security rule, obtain a detection result that the first data flow is a safe data flow if the attribute information does not match the security rule, and construct a security notification message according to the detection result, the security notification message comprising a match field of the first data flow, a state attribute and an action attribute;
the output port is specifically configured to send the security notification message to the controller.
In a sixth aspect, a controller is provided, the controller comprising:
a first receiving unit, configured to receive the first packet of a first data flow reported by a first switch;
an issuing unit, configured to issue a temporary forwarding rule for the first data flow received by the first receiving unit to the first switch, so that the first switch directs the packets of the first data flow to a detection device according to the temporary forwarding rule;
a second receiving unit, configured to receive a detection result sent by the detection device, the detection result being the result obtained after the detection device performs security detection on the packets of the first data flow according to a configured security rule;
a replacing unit, configured to generate a new forwarding rule according to the detection result received by the second receiving unit to replace the temporary forwarding rule on the first switch, so that the first switch processes the packets of the first data flow according to the new forwarding rule.
In a first possible implementation of the sixth aspect, the second receiving unit is specifically configured to receive a security notification message sent by the detection device, the security notification message comprising a match field of the first data flow, a state attribute and an action attribute; wherein:
the match field of the first data flow comprises a tuple for identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the state attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the action attribute comprises a drop attribute when the state attribute is the unsafe state, and a redirect attribute when the state attribute is the safe state.
In the first possible implementation of the sixth aspect, a second possible implementation of the sixth aspect is further provided, in which the replacing unit comprises:
an attribute checking subunit, configured to check the state attribute and the action attribute in the security notification message;
a rule sending subunit, configured to send a generated first forwarding rule to the first switch when it is determined, according to the state attribute checked by the attribute checking subunit, that the first data flow is a safe data flow, the first forwarding rule comprising information about a second switch to which the first data flow is redirected, set according to the action attribute; and to send a generated second forwarding rule to the first switch when it is determined, according to the state attribute checked by the attribute checking subunit, that the first data flow is an unsafe data flow, the second forwarding rule comprising information for dropping the first data flow, set according to the action attribute.
In a seventh aspect, a controller is provided, the controller comprising a network interface and a processor, wherein:
the network interface is configured to receive the first packet of a first data flow reported by a first switch;
the processor is configured to control the network interface to issue a temporary forwarding rule for the first data flow to the first switch, so that the first switch directs the packets of the first data flow to a detection device according to the temporary forwarding rule;
the network interface is further configured to receive a detection result sent by the detection device, the detection result being the result obtained after the detection device performs security detection on the packets of the first data flow according to a configured security rule;
the processor is further configured to generate a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch, so that the first switch processes the packets of the first data flow according to the new forwarding rule.
In a first possible implementation of the seventh aspect, the network interface is specifically configured to receive a security notification message sent by the detection device, the security notification message comprising a match field of the first data flow, a state attribute and an action attribute; wherein:
the match field of the first data flow comprises a tuple for identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the state attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the action attribute comprises a drop attribute when the state attribute is the unsafe state, and a redirect attribute when the state attribute is the safe state.
In the first possible implementation of the seventh aspect, a second possible implementation of the seventh aspect is further provided, in which the processor is specifically configured to check the state attribute and the action attribute in the security notification message; if it is determined according to the state attribute that the first data flow is a safe data flow, to control the network interface to send a generated first forwarding rule to the first switch, the first forwarding rule comprising information about a second switch to which the first data flow is redirected, set according to the action attribute; and if it is determined according to the state attribute that the first data flow is an unsafe data flow, to control the network interface to send a generated second forwarding rule to the first switch, the second forwarding rule comprising information for dropping the first data flow, set according to the action attribute.
In the embodiments of the present invention, the first switch reports the first packet of a first data flow to the controller; the controller issues a temporary forwarding rule for the first data flow to the first switch; the first switch directs the packets of the first data flow to the detection device according to the temporary forwarding rule; the detection device performs security detection on the packets of the first data flow according to a configured security rule, obtains a detection result, and sends the detection result to the controller; the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch; and the first switch processes the packets of the first data flow according to the new forwarding rule. In the embodiments of the present invention, the controller can thus first direct the data flow that each switch is about to transmit to the detection device and decide, according to the detection device's security detection result for each data flow, whether to transmit the data flow between the switches, which improves the accuracy of flow detection in the network and improves the transmission performance of the network.
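The exchange summarized above (first packet reported to the controller, temporary rule steering the flow to the detection device, security notification carrying the match field, state and action attributes, and the replacement rule), as an added Python simulation that is not code from the patent. The switch, controller and detection device classes, the rule formats, the security-rule format (a dict of match-field attributes) and the sample flows are assumptions made for the simulation.

```python
# Added example, not the patent's code: classes, rule formats and sample values are assumptions.
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

SAFE, UNSAFE = "safe", "unsafe"          # state attribute values
DROP, REDIRECT = "drop", "redirect"      # action attribute values

@dataclass(frozen=True)
class MatchField:
    """Tuple identifying a data flow: the fields listed in the patent."""
    src_port: int
    dst_port: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    eth_type: int

@dataclass(frozen=True)
class SecurityNotification:
    """Detection device -> controller: match field, state and action attributes."""
    match: MatchField
    state: str   # SAFE or UNSAFE
    action: str  # REDIRECT when safe, DROP when unsafe

@dataclass
class ForwardingRule:                      # flow-table entry on a switch (assumed format)
    match: MatchField
    action: str                            # "to_detector", "to_switch" or "drop"
    next_hop: Optional[str]                # detection device or second switch, if any

class DetectionDevice:
    """A security rule is a dict of packet attributes (assumed format); a packet whose
    attributes equal every entry of some rule makes its flow UNSAFE, otherwise SAFE."""
    def __init__(self, security_rules: List[Dict[str, object]]):
        self.security_rules = security_rules

    def inspect(self, match: MatchField) -> SecurityNotification:
        attrs = asdict(match)
        for rule in self.security_rules:
            if all(attrs.get(k) == v for k, v in rule.items()):
                return SecurityNotification(match, UNSAFE, DROP)
        return SecurityNotification(match, SAFE, REDIRECT)

class Controller:
    def __init__(self, detector_id: str, next_switch: Dict[str, str]):
        self.detector_id = detector_id
        self.next_switch = next_switch             # destination IP -> second switch
        self.pending: Dict[MatchField, str] = {}   # flows awaiting a verdict -> switch

    def on_first_packet(self, switch_id: str, match: MatchField) -> ForwardingRule:
        """Answer a reported first packet with a temporary rule that steers the
        whole flow to the detection device."""
        self.pending[match] = switch_id
        return ForwardingRule(match, "to_detector", self.detector_id)

    def on_notification(self, note: SecurityNotification) -> Tuple[str, ForwardingRule]:
        """Turn the verdict into the rule that replaces the temporary one."""
        switch_id = self.pending.pop(note.match)
        if note.state == UNSAFE and note.action == DROP:
            return switch_id, ForwardingRule(note.match, "drop", None)
        return switch_id, ForwardingRule(note.match, "to_switch",
                                         self.next_switch[note.match.dst_ip])

class Switch:
    def __init__(self, switch_id: str, controller: Controller):
        self.id = switch_id
        self.controller = controller
        self.flow_table: Dict[MatchField, ForwardingRule] = {}

    def install(self, rule: ForwardingRule) -> None:
        self.flow_table[rule.match] = rule         # replaces any existing entry

    def handle(self, match: MatchField) -> ForwardingRule:
        rule = self.flow_table.get(match)
        if rule is None:                           # no entry: this is the first packet
            rule = self.controller.on_first_packet(self.id, match)
            self.install(rule)
        return rule

def run_flow(match: MatchField, security_rules: List[Dict[str, object]]) -> List[str]:
    """Drive one flow through SW1 and return the actions SW1 applied, in order:
    the temporary rule for the first packet, then the replacement rule."""
    controller = Controller("FW", {"10.0.0.2": "SW2"})
    sw1, detector = Switch("SW1", controller), DetectionDevice(security_rules)
    actions = [sw1.handle(match).action]           # first packet -> temporary rule
    switch_id, final = controller.on_notification(detector.inspect(match))
    assert switch_id == sw1.id
    sw1.install(final)                             # new rule replaces the temporary one
    actions.append(sw1.handle(match).action)       # later packets never reach FW
    return actions

# Constructed sample data: flag Telnet, and any IPv4 traffic from one source host.
SAMPLE_RULES = [{"dst_port": 23}, {"src_ip": "10.0.0.9", "eth_type": 0x0800}]
TELNET = MatchField(40000, 23, "00:00:00:00:00:01", "00:00:00:00:00:02",
                    "10.0.0.1", "10.0.0.2", 0x0800)
HTTPS = MatchField(40001, 443, "00:00:00:00:00:01", "00:00:00:00:00:02",
                   "10.0.0.1", "10.0.0.2", 0x0800)
```

`run_flow(TELNET, SAMPLE_RULES)` yields the temporary steering action followed by a drop, while the HTTPS flow ends with a rule forwarding to the second switch.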
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and persons of ordinary skill in the art can derive other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of an embodiment of the network flow detection method of the present invention;
Fig. 2 is a flow chart of another embodiment of the network flow detection method of the present invention;
Fig. 3A is a schematic diagram of a network architecture to which the embodiments of the present invention are applied;
Fig. 3B is a schematic diagram of the format of the security notification message in the embodiments of the present invention;
Fig. 4 is a block diagram of an embodiment of the network traffic detection system of the present invention;
Fig. 5 is a block diagram of an embodiment of the detection device of the present invention;
Fig. 6 is a block diagram of another embodiment of the detection device of the present invention;
Fig. 7 is a block diagram of an embodiment of the controller of the present invention;
Fig. 8 is a block diagram of another embodiment of the controller of the present invention.
Embodiments
The following embodiments of the present invention provide a network flow detection method, system, equipment and controller, to improve the accuracy of flow detection in a network.
In order to make the technical solutions in the embodiments of the present invention better understood by persons skilled in the art, and to make the above objects, features and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention are described in further detail below with reference to the drawings.
The following embodiments of the present invention can be applied in a programmable software defined network (Software Defined Network, SDN). An SDN network separates the control plane of the network devices from the data forwarding plane, so that network traffic can be controlled flexibly. The function of the control plane is implemented by a controller (Controller), which is mainly responsible for issuing traffic forwarding policies; the function of the data forwarding plane is implemented by switches (Switch, SW for short), which are mainly used to receive the forwarding policies issued by the controller and to forward traffic according to those policies. Usually, in an SDN network, the controller is connected to each switch separately, and the switches are interconnected with one another to forward traffic. In the embodiments of the present invention, a detection device can be deployed in the SDN network, connected to the controller and to the switches respectively; the detection device can specifically be a firewall (Firewall, FW) device, an intrusion prevention system (Intrusion Prevention System, IPS) device or an intrusion detection system (Intrusion Detection System, IDS) device.
Referring to Fig. 1, which is a flow chart of an embodiment of the network traffic detection method of the present invention, this embodiment describes the process of detecting network traffic from the detection device side:
Step 101: the detection device receives a packet of a first data flow sent by a first switch, where the packet is one that the first switch has directed to the detection device according to a temporary forwarding rule issued by the controller after the first switch reported the first packet of the first data flow to the controller.
In an SDN network, a switch must obtain a forwarding rule from the controller for every data flow it transmits; the forwarding rule is stored as an entry in the flow table, and each flow table entry stored by the switch identifies one data flow. Typically, when a switch transmits the first packet of a data flow, there is no forwarding rule for that data flow in the flow table, so the switch reports the first packet to the controller to request the forwarding rule for that data flow.
In this embodiment, the characteristic that the controller issues forwarding rules to switches is used to detect the security of each data flow in the network. When the controller receives the first packet of a data flow sent by a switch, it issues a temporary forwarding rule to that switch. The destination port, destination Internet Protocol (IP) address and destination Medium Access Control (MAC) address carried in the temporary forwarding rule are the port, IP address and MAC address of the detection device, so that before the switch transmits the data flow through the network, the data flow is first transmitted to the detection device according to the temporary forwarding rule for security detection.
Step 102: the detection device performs security detection on the packet of the first data flow according to a configured security rule and obtains a detection result.
The detection device can obtain attribute information of the packet of the first data flow and judge whether this attribute information matches the configured security rule. If the attribute information matches the security rule, the first data flow is determined to be an unsafe data flow; if the attribute information does not match the security rule, the first data flow is determined to be a safe data flow.
The attribute information of a packet usually includes information that can identify the data flow, such as the packet's source IP address, source MAC address, source port, destination IP address, destination MAC address and destination port. The security rule specifies the conditions met by data flows that do not satisfy the security requirements; for example, a rule may forbid hosts in IP address range A from accessing hosts in IP address range B. After receiving a packet of a data flow, the detection device obtains the packet's source IP address and destination IP address; if the source IP address belongs to address range A and the destination IP address belongs to address range B, the packet's attribute information matches the security rule and the data flow is an unsafe data flow.
Step 103: the detection device sends the detection result to the controller, so that the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch.
The detection device can build a security notification message according to the detection result, where the security notification message contains the match fields of the first data flow, a status attribute and an operation attribute, and send the security notification message to the controller.
Optionally, the match fields of the first data flow can include a tuple identifying the first data flow, which can contain at least one of the following: the source port, destination port, source MAC address, destination MAC address, source IP address, destination IP address and Ethernet frame type of the first data flow;
The status attribute can include a safe status when the first data flow does not match the security rule, and an unsafe status when the first data flow matches the security rule;
The operation attribute can include a drop attribute for dropping the data flow when the status attribute is the unsafe status, and a redirect attribute for redirecting the data flow when the status attribute is the safe status.
After the detection device sends the security notification message to the controller, the controller checks the status attribute and the operation attribute in the message. If the status attribute indicates that the first data flow is a safe data flow, the controller sends a generated first forwarding rule to the first switch; the first forwarding rule contains the information of a second switch to which the first data flow is redirected, set according to the operation attribute. The second switch is the switch corresponding to the original destination address of the first data flow; its information can be reported to the controller at the same time as the first switch reports the first packet of the first data flow, and when the controller determines that the first data flow is safe it generates the first forwarding rule from the information of the second switch, so that the first switch can subsequently transmit packets of the first data flow to the second switch. If the status attribute indicates that the first data flow is an unsafe data flow, the controller sends a second forwarding rule to the first switch; the second forwarding rule contains drop information for the first data flow set according to the operation attribute, so that the first switch subsequently drops packets of the first data flow when it receives them.
As can be seen from the above embodiment, the controller first directs the data flow that each switch is about to transmit to the detection device, and decides according to the detection device's security detection result for each data flow whether to transmit the data flow between switches; this improves the accuracy of traffic detection in the network and the transmission performance of the network.
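The detection-device side of Steps 101 to 103, including the range-A-to-range-B rule used as an illustration above, as an added example written for this page rather than code from the patent: it parses a packet's attribute information out of an Ethernet/IPv4/TCP header, matches it against the configured security rules, and builds the notification content (match fields, status attribute, operation attribute) that Step 103 sends to the controller. The rule representation, the frame parser, the field names and the constructed frames and address ranges are assumptions; the patent specifies only the behaviour.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import Optional

ETH_TYPE_IPV4 = 0x0800
# Fields of the match tuple named in the text (ports, MACs, IPs, frame type)
MATCH_FIELDS = ("src_port", "dst_port", "src_mac", "dst_mac", "src_ip", "dst_ip", "eth_type")


def extract_attributes(frame: bytes) -> dict:
    """Parse Ethernet II + IPv4 (+ TCP/UDP ports) into the packet's attribute information."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    attrs = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "eth_type": eth_type}
    if eth_type != ETH_TYPE_IPV4 or len(frame) < 34:
        return attrs  # non-IPv4 frame: only layer-2 attributes are available
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    proto = frame[23]                       # IPv4 protocol number (6 = TCP, 17 = UDP)
    attrs["src_ip"] = str(IPv4Address(frame[26:30]))
    attrs["dst_ip"] = str(IPv4Address(frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with the two ports
        attrs["src_port"], attrs["dst_port"] = struct.unpack("!HH", l4[:4])
    return attrs


@dataclass(frozen=True)
class SecurityRule:
    """Conditions met by a forbidden flow (None = any); assumed representation.
    The text's example is 'hosts in IP range A must not access hosts in IP range B'."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, attrs: dict) -> bool:
        if "src_ip" not in attrs:
            return False  # the rules here are IP based, so non-IP frames never match
        if self.src_net and IPv4Address(attrs["src_ip"]) not in ip_network(self.src_net):
            return False
        if self.dst_net and IPv4Address(attrs["dst_ip"]) not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and attrs.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass(frozen=True)
class SecurityNotification:
    """Content of the security notification message: match fields, status, operation."""
    match: dict
    status: str       # "SAFE" or "UNSAFE"
    operation: str    # "REDIRECT" or "DROP"


def detect(frame: bytes, rules) -> SecurityNotification:
    """Steps 102-103: match the packet's attributes against the security rules
    and build the notification the detection device sends to the controller."""
    attrs = extract_attributes(frame)
    match = {k: attrs[k] for k in MATCH_FIELDS if k in attrs}
    if any(rule.matches(attrs) for rule in rules):
        return SecurityNotification(match, "UNSAFE", "DROP")
    return SecurityNotification(match, "SAFE", "REDIRECT")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, proto=6) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP header as sample input (no checksums)."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETH_TYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + struct.pack("!HH", src_port, dst_port) + b"\x00" * 16


# Constructed rules: range A (10.1.0.0/16) may not reach range B (10.2.0.0/16); port 23 is forbidden
RULES = [SecurityRule(src_net="10.1.0.0/16", dst_net="10.2.0.0/16"), SecurityRule(dst_port=23)]

if __name__ == "__main__":
    for src, dst, port in (("10.1.0.5", "10.2.0.9", 80), ("10.3.0.5", "10.2.0.9", 80),
                           ("10.3.0.5", "10.5.0.1", 23)):
        frame = build_frame("00:00:00:00:00:01", "00:00:00:00:00:02", src, dst, 40000, port)
        note = detect(frame, RULES)
        print(f"{src} -> {dst}:{port}: {note.status} / {note.operation}")
```

A frame that carries no IP header (an ARP frame, for instance) yields only the layer-2 attributes and never matches an IP-based rule, so it is reported as safe; a deployment that needs to police such traffic would add rules over the MAC and frame-type fields the match tuple already provides.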
Referring to Fig. 2, which is a flow chart of another embodiment of the network traffic detection method of the present invention, this embodiment describes the process of detecting network traffic from the controller side:
Step 201: the controller receives the first packet of a first data flow reported by a first switch.
In an SDN network, a switch must obtain a forwarding rule from the controller for every data flow it transmits; the forwarding rule is stored as an entry in the flow table, and each flow table entry stored by the switch identifies one data flow. Typically, when a switch transmits the first packet of a data flow, there is no forwarding rule for that data flow in the flow table, so the switch reports the first packet to the controller to request the forwarding rule for that data flow.
Step 202: the controller issues a temporary forwarding rule for the first data flow to the first switch, so that the first switch directs the packets of the first data flow to the detection device according to the temporary forwarding rule.
In this embodiment, the characteristic that the controller issues forwarding rules to switches is used to detect the security of each data flow in the network. When the controller receives the first packet of a data flow sent by a switch, it issues a temporary forwarding rule to that switch. The destination port, destination IP address and destination MAC address carried in the temporary forwarding rule are the port, IP address and MAC address of the detection device, so that before the switch transmits the data flow through the network, the data flow is first transmitted to the detection device according to the temporary forwarding rule for security detection.
Step 203: the controller receives a detection result sent by the detection device, where the detection result is obtained by the detection device performing security detection on the packet of the first data flow according to a configured security rule.
In this embodiment, after receiving the packet of the first data flow reported by the first switch, the detection device can obtain the attribute information of the packet and judge whether it matches the configured security rule; if the attribute information matches the security rule, the first data flow is determined to be an unsafe data flow, and if it does not match, the first data flow is determined to be a safe data flow. The detection device can build a security notification message according to the detection result and send it to the controller; the controller receives the security notification message, which contains the match fields of the first data flow, a status attribute and an operation attribute.
Optionally, the match fields of the first data flow can include a tuple identifying the first data flow, which can contain at least one of the following: the source port, destination port, source MAC address, destination MAC address, source IP address, destination IP address and Ethernet frame type of the first data flow;
The status attribute can include a safe status when the first data flow does not match the security rule, and an unsafe status when the first data flow matches the security rule;
The operation attribute can include a drop attribute for dropping the data flow when the status attribute is the unsafe status, and a redirect attribute for redirecting the data flow when the status attribute is the safe status.
Step 204: the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch, so that the first switch processes the packets of the first data flow according to the new forwarding rule.
The controller checks the status attribute and the operation attribute in the security notification message. If the status attribute indicates that the first data flow is a safe data flow, the controller sends a first forwarding rule to the first switch; the first forwarding rule contains the information of a second switch to which the first data flow is redirected, set according to the operation attribute. The second switch is the switch corresponding to the original destination address of the first data flow; its information can be reported to the controller at the same time as the first switch reports the first packet of the first data flow, and when the controller determines that the first data flow is safe it generates the first forwarding rule from the information of the second switch, so that the first switch can subsequently transmit packets of the first data flow to the second switch. If the status attribute indicates that the first data flow is an unsafe data flow, the controller sends a second forwarding rule to the first switch; the second forwarding rule contains drop information for the first data flow set according to the operation attribute, so that the first switch subsequently drops packets of the first data flow when it receives them.
As can be seen from the above embodiment, the controller first directs the data flow that each switch is about to transmit to the detection device, and decides according to the detection device's security detection result for each data flow whether to transmit the data flow between switches; this improves the accuracy of traffic detection in the network and the transmission performance of the network.
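The controller side of Steps 201 to 204, as an added example that is not the patent's code: a minimal controller keeps a flow table per switch, answers a first-packet report with a temporary rule whose output is the detection device, and replaces that rule with the first forwarding rule (redirect to the second switch) or the second forwarding rule (drop) when the notification arrives. The FlowKey tuple, the FlowEntry and Switch classes, and the names SW1, SW2 and DETECT are assumptions for the simulation; the switch reads the controller's table directly, standing in for the rule download a real protocol would perform.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port): assumed flow identifier


@dataclass
class FlowEntry:
    action: str              # "OUTPUT" or "DROP"
    target: str = ""         # where OUTPUT sends the packet (a switch or the detection device)
    temporary: bool = False  # True while the flow is awaiting the detection result


@dataclass(frozen=True)
class SecurityNotification:
    match: FlowKey
    status: str      # "SAFE" or "UNSAFE"
    operation: str   # "REDIRECT" or "DROP"


class Controller:
    def __init__(self, detection_device: str):
        self.detection_device = detection_device
        self.tables: Dict[str, Dict[FlowKey, FlowEntry]] = {}  # one flow table per switch
        self.pending: Dict[FlowKey, Tuple[str, str]] = {}     # flow -> (first switch, second switch)

    def packet_in(self, first_switch: str, flow: FlowKey, second_switch: str) -> FlowEntry:
        """Steps 201-202: first packet reported; the temporary rule points at the detection device.
        The second switch (original destination) is remembered for the later redirect rule."""
        entry = FlowEntry("OUTPUT", self.detection_device, temporary=True)
        self.tables.setdefault(first_switch, {})[flow] = entry
        self.pending[flow] = (first_switch, second_switch)
        return entry

    def notification(self, note: SecurityNotification) -> FlowEntry:
        """Steps 203-204: replace the temporary rule with the first (redirect) or second (drop) rule."""
        if note.match not in self.pending:
            raise KeyError(f"no temporary rule outstanding for {note.match}")
        first_switch, second_switch = self.pending[note.match]
        if note.status == "SAFE" and note.operation == "REDIRECT":
            entry = FlowEntry("OUTPUT", second_switch)   # first forwarding rule
        elif note.status == "UNSAFE" and note.operation == "DROP":
            entry = FlowEntry("DROP")                     # second forwarding rule
        else:
            raise ValueError(f"inconsistent status/operation: {note.status}/{note.operation}")
        self.tables[first_switch][note.match] = entry     # overwrites the temporary entry
        del self.pending[note.match]
        return entry


class Switch:
    """Data plane: forward by flow table, report the first packet of an unknown flow."""

    def __init__(self, name: str, controller: Controller):
        self.name, self.controller = name, controller

    def receive(self, flow: FlowKey, second_switch: str) -> Optional[str]:
        table = self.controller.tables.setdefault(self.name, {})
        if flow not in table:                               # no rule yet: report the first packet
            self.controller.packet_in(self.name, flow, second_switch)
        entry = table[flow]
        return entry.target if entry.action == "OUTPUT" else None  # None = packet dropped


def run_scenario(status: str, operation: str):
    """Returns (where the first packet went, where the next packet went) for one verdict."""
    ctrl = Controller("DETECT")
    sw1 = Switch("SW1", ctrl)
    flow = ("10.0.1.1", "10.0.2.1", 80)   # constructed flow from a host on SW1 to a host on SW2
    first = sw1.receive(flow, "SW2")
    ctrl.notification(SecurityNotification(flow, status, operation))
    second = sw1.receive(flow, "SW2")
    return first, second


if __name__ == "__main__":
    print("safe flow:  ", run_scenario("SAFE", "REDIRECT"))   # ('DETECT', 'SW2')
    print("unsafe flow:", run_scenario("UNSAFE", "DROP"))     # ('DETECT', None)
```

A notification for a flow with no outstanding temporary rule, or one whose status and operation attributes disagree (SAFE paired with DROP), is rejected rather than installed, so a malformed or replayed notification cannot alter a switch's table.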
Referring to Fig. 3A, which is a schematic diagram of a network architecture to which the above method embodiments of the present invention are applied:
The network architecture in Fig. 3A can specifically be an architecture based on an SDN network. As an example, the architecture comprises one controller, one detection device and three switches, SW1, SW2 and SW3, with two host devices connected to each switch; the controller, the detection device and the switches are interconnected. The network traffic detection process described in the embodiments of the present invention is explained below with reference to the architecture shown in Fig. 3A, assuming that SW1 is about to transmit data flow 1, that the switch corresponding to the original destination address of data flow 1 is SW2, and that the destination address of data flow 1 is the address of a host connected to SW2, in this embodiment the address of host 21 or host 22:
When SW1 receives the first packet of data flow 1, SW1 has no forwarding rule for data flow 1, so SW1 reports the first packet of data flow 1 to the controller to request a forwarding rule. To detect the security of data flow 1, the controller, after receiving the first packet of data flow 1, issues a temporary forwarding rule for data flow 1 to SW1, in which the destination address of data flow 1 is the address of the detection device; after receiving the temporary forwarding rule, SW1 transmits the packets of data flow 1 to the detection device according to the destination address in the rule. A security rule is configured on the detection device; it can be set flexibly according to the needs of network traffic security detection, for example to forbid hosts in one IP address range from accessing hosts in another IP address range, or to forbid hosts in a certain IP address range from accessing a certain port. The detection device judges whether the packet of data flow 1 matches the configured security rule; if it matches, data flow 1 is an unsafe data flow, and if it does not match, data flow 1 is a safe data flow. After detecting data flow 1, the detection device communicates with the controller to inform it whether data flow 1 is safe. In this embodiment a security notification message can be added to the SDN protocol, for example the OpenFlow protocol, so that the detection device can inform the controller whether the detected data flow is safe through the detection result carried in the security notification message.
Fig. 3B is a schematic diagram of the format of a security notification message in an embodiment of the present invention:
The security notification message format in Fig. 3B comprises match fields, a status attribute and an operation attribute. The match fields can include a tuple identifying the data flow, which can contain at least one of the following: the source port, destination port, source MAC address, destination MAC address, source IP address, destination IP address and Ethernet frame type of the data flow. The status attribute can include a safe status when the data flow does not match the security rule (which can be identified by the field SAFE) and an unsafe status when the data flow matches the security rule (which can be represented by the field UNSAFE). The operation attribute can include a drop attribute for dropping the data flow when the status attribute is the unsafe status (which can be represented by the field DROP) and a redirect attribute for redirecting the data flow when the status attribute is the safe status (which can be represented by the field REDIRECT).
After receiving the security notification message, if the status attribute in the message is SAFE, the controller sends a first forwarding rule to SW1; the first forwarding rule contains the information of SW2, to which data flow 1 is redirected as set by the operation attribute REDIRECT, so that when SW1 subsequently receives packets of data flow 1 it transmits them to SW2 according to the first forwarding rule. If data flow 1 is determined to be an unsafe data flow according to the status attribute UNSAFE, the controller sends a second forwarding rule to SW1; the second forwarding rule contains drop information for data flow 1 set according to the operation attribute DROP, so that when SW1 subsequently receives packets of data flow 1 it drops them according to the second forwarding rule and no longer transmits them.
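An encoder and parser for the security notification message of Fig. 3B, as an added example and not the patent's message definition. The patent names the three parts (match fields, status attribute, operation attribute) and the field values SAFE, UNSAFE, DROP and REDIRECT, but gives no byte layout; the layout used here (a presence bitmap, the present match fields in a fixed order, then one status byte and one operation byte) and the numeric codes are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Match-field order and sizes (assumed layout). Bit i of the leading bitmap byte
# says whether field i is present; present fields follow in this order.
FIELDS = ("src_port", "dst_port", "src_mac", "dst_mac", "src_ip", "dst_ip", "eth_type")
SIZES = {"src_port": 2, "dst_port": 2, "src_mac": 6, "dst_mac": 6,
         "src_ip": 4, "dst_ip": 4, "eth_type": 2}
STATUS = {"SAFE": 0, "UNSAFE": 1}          # assumed codes for the status attribute
OPERATION = {"REDIRECT": 0, "DROP": 1}     # assumed codes for the operation attribute
CONSISTENT = {("SAFE", "REDIRECT"), ("UNSAFE", "DROP")}  # the two pairings the text defines


def _encode_field(name: str, value) -> bytes:
    if SIZES[name] == 2:
        return struct.pack("!H", value)            # ports and frame type
    if SIZES[name] == 6:
        return bytes.fromhex(value.replace(":", ""))  # MAC address "aa:bb:..."
    return IPv4Address(value).packed               # IPv4 address


def _decode_field(name: str, raw: bytes):
    if SIZES[name] == 2:
        return struct.unpack("!H", raw)[0]
    if SIZES[name] == 6:
        return raw.hex(":")
    return str(IPv4Address(raw))


def encode(match: dict, status: str, operation: str) -> bytes:
    """Serialize match fields + status + operation; refuses inconsistent attribute pairs."""
    if (status, operation) not in CONSISTENT:
        raise ValueError(f"status {status} does not pair with operation {operation}")
    bitmap, body = 0, b""
    for i, name in enumerate(FIELDS):
        if name in match:
            bitmap |= 1 << i
            body += _encode_field(name, match[name])
    if bitmap == 0:
        raise ValueError("match fields must carry at least one field")
    return bytes([bitmap]) + body + bytes([STATUS[status], OPERATION[operation]])


def decode(buf: bytes):
    """Parse a message as untrusted input: length-check every field, reject unknown
    bitmap bits, an empty match, trailing bytes and inconsistent attributes."""
    if len(buf) < 3:
        raise ValueError("message too short")
    bitmap, end = buf[0], len(buf) - 2     # the last two bytes are status and operation
    if bitmap == 0 or bitmap >> len(FIELDS):
        raise ValueError("empty or unknown match-field bitmap")
    pos, match = 1, {}
    for i, name in enumerate(FIELDS):
        if bitmap & (1 << i):
            if pos + SIZES[name] > end:
                raise ValueError("truncated match field")
            match[name] = _decode_field(name, buf[pos:pos + SIZES[name]])
            pos += SIZES[name]
    if pos != end:
        raise ValueError("unexpected trailing bytes")
    status = {v: k for k, v in STATUS.items()}.get(buf[end])
    operation = {v: k for k, v in OPERATION.items()}.get(buf[end + 1])
    if (status, operation) not in CONSISTENT:
        raise ValueError("invalid or inconsistent status/operation attributes")
    return match, status, operation


if __name__ == "__main__":
    # Constructed notification for data flow 1 of Fig. 3A: safe, so REDIRECT
    msg = encode({"src_ip": "10.0.1.1", "dst_ip": "10.0.2.1", "dst_port": 80, "eth_type": 0x0800},
                 "SAFE", "REDIRECT")
    print(msg.hex(), decode(msg))
```

Because the parser refuses status/operation pairs other than the two the text defines, a message that says UNSAFE but asks for REDIRECT (or SAFE with DROP) never reaches the controller's rule generation, which can therefore act on the status attribute alone.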
Corresponding to the embodiments of the network traffic detection method of the present invention, the present invention also provides embodiments of a network traffic detection system, a detection device and a controller.
Referring to Fig. 4, which is a block diagram of an embodiment of the network traffic detection system of the present invention:
The system comprises a controller 410, a detection device 420 and at least one first switch 430.
The first switch 430 is configured to report the first packet of a first data flow to the controller 410;
The controller 410 is configured to issue a temporary forwarding rule for the first data flow to the first switch 430;
The first switch 430 is further configured to direct the packets of the first data flow to the detection device 420 according to the temporary forwarding rule;
The detection device 420 is configured to perform security detection on the packets of the first data flow according to a configured security rule, obtain a detection result, and send the detection result to the controller 410;
The controller 410 is further configured to generate a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch 430;
The first switch 430 is further configured to process the packets of the first data flow according to the new forwarding rule.
Further, the detection device 420 can be specifically configured to obtain the attribute information of the packet of the first data flow and judge whether the attribute information matches the configured security rule; if the attribute information matches the security rule, obtain a detection result that the first data flow is an unsafe data flow, and if it does not match, obtain a detection result that the first data flow is a safe data flow; build a security notification message according to the detection result and send the security notification message to the controller 410, the security notification message containing the match fields of the first data flow, a status attribute and an operation attribute.
The match fields of the first data flow can include a tuple identifying the first data flow, which comprises at least one of the following: the source port, destination port, source Medium Access Control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
The status attribute can include a safe status when the first data flow does not match the security rule, and an unsafe status when the first data flow matches the security rule;
The operation attribute can include a drop attribute when the status attribute is the unsafe status, and a redirect attribute when the status attribute is the safe status.
Further, the controller 410 can be specifically configured to check the status attribute and the operation attribute in the security notification message; if the first data flow is determined to be a safe data flow according to the status attribute, send a generated first forwarding rule to the first switch, the first forwarding rule containing the information of the second switch to which the first data flow is redirected as set according to the operation attribute; and if the first data flow is determined to be an unsafe data flow according to the status attribute, send a generated second forwarding rule to the first switch, the second forwarding rule containing drop information for the first data flow set according to the operation attribute.
Referring to Fig. 5, which is a block diagram of an embodiment of the detection device of the present invention:
The detection device comprises a receiving unit 510, a detecting unit 520 and a transmitting unit 530.
The receiving unit 510 is configured to receive a packet of a first data flow sent by a first switch, where the packet is one that the first switch has directed to the detection device according to a temporary forwarding rule issued by the controller after the first switch reported the first packet of the first data flow to the controller;
The detecting unit 520 is configured to perform security detection on the packet of the first data flow received by the receiving unit 510 according to a configured security rule and obtain a detection result;
The transmitting unit 530 is configured to send the detection result obtained by the detecting unit 520 to the controller, so that the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch.
Specifically, the detecting unit 520 can comprise (not shown in Fig. 5):
an information acquisition subunit, configured to obtain the attribute information of the packet of the first data flow;
a rule matching subunit, configured to judge whether the attribute information obtained by the information acquisition subunit matches the configured security rule;
a result determining subunit, configured to determine that the first data flow is an unsafe data flow when the rule matching subunit judges that the attribute information matches the security rule, and to determine that the first data flow is a safe data flow when the rule matching subunit judges that the attribute information does not match the security rule.
The transmitting unit 530 can comprise (not shown in Fig. 5):
a message construction subunit, configured to build a security notification message according to the detection result, the security notification message containing the match fields of the first data flow, a status attribute and an operation attribute;
a message sending subunit, configured to send the security notification message built by the message construction subunit to the controller.
Referring to Fig. 6, which is a block diagram of another embodiment of the detection device of the present invention:
The detection device comprises an input port 610, a processor 620 and an output port 630.
The input port 610 is configured to receive a packet of a first data flow sent by a first switch, where the packet is one that the first switch has directed to the detection device according to a temporary forwarding rule issued by the controller after the first switch reported the first packet of the first data flow to the controller;
The processor 620 is configured to perform security detection on the packet of the first data flow according to a configured security rule and obtain a detection result;
The output port 630 is configured to send the detection result to the controller, so that the controller generates a new forwarding rule according to the detection result to replace the temporary forwarding rule on the first switch.
Further, the processor 620 can be specifically configured to obtain the attribute information of the packet of the first data flow and judge whether the attribute information matches the configured security rule; if the attribute information matches the security rule, obtain a detection result that the first data flow is an unsafe data flow, and if it does not match, obtain a detection result that the first data flow is a safe data flow; and build a security notification message according to the detection result, the security notification message containing the match fields of the first data flow, a status attribute and an operation attribute;
The output port 630 can be specifically configured to send the security notification message to the controller.
Referring to Fig. 7, which is a block diagram of an embodiment of the controller of the present invention:
The controller comprises a first receiving unit 710, an issuing unit 720, a second receiving unit 730 and a replacement unit 740.
The first receiving unit 710 is configured to receive the first packet of a first data flow reported by a first switch;
The issuing unit 720 is configured to issue a temporary forwarding rule for the first data flow received by the first receiving unit 710 to the first switch, so that the first switch directs the packets of the first data flow to the detection device according to the temporary forwarding rule;
The second receiving unit 730 is configured to receive a detection result sent by the detection device, where the detection result is obtained by the detection device performing security detection on the packet of the first data flow according to a configured security rule;
The replacement unit 740 is configured to generate a new forwarding rule according to the detection result received by the second receiving unit 730 to replace the temporary forwarding rule on the first switch, so that the first switch processes the packets of the first data flow according to the new forwarding rule.
The second receiving unit 730 can be specifically configured to receive a security notification message sent by the detection device, the security notification message containing the match fields of the first data flow, a status attribute and an operation attribute, where:
The match fields of the first data flow comprise a tuple identifying the first data flow, which comprises at least one of the following: the source port, destination port, source Medium Access Control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
The status attribute comprises a safe status when the first data flow does not match the security rule, and an unsafe status when the first data flow matches the security rule;
The operation attribute comprises a drop attribute when the status attribute is the unsafe status, and a redirect attribute when the status attribute is the safe status.
The replacement unit 740 can comprise (not shown in Fig. 7):
an attribute checking subunit, configured to check the status attribute and the operation attribute in the security notification message;
a rule sending subunit, configured to send a generated first forwarding rule to the first switch when the first data flow is determined to be a safe data flow according to the status attribute checked by the attribute checking subunit, the first forwarding rule containing the information of the second switch to which the first data flow is redirected as set according to the operation attribute; and to send a generated second forwarding rule to the first switch when the first data flow is determined to be an unsafe data flow according to the status attribute checked by the attribute checking subunit, the second forwarding rule containing drop information for the first data flow set according to the operation attribute.
Referring to Fig. 8, be another embodiment block diagram of controller of the present invention:
This controller comprises: network interface 810 and processor 820.
Wherein, described network interface 810, for receiving the literary composition of reporting for the first time of the first data flow that the first switch reports;
Described processor 820, issues the interim forwarding rule of described the first data flow for controlling described network interface, so that described the first switch is directed to checkout equipment according to described interim forwarding rule by the message of described the first data flow to described the first switch;
Described network interface 810, the testing result also sending for receiving described checkout equipment, described testing result is that described checkout equipment carries out according to the safety regulation arranging the result obtaining after safety detection to the message of described the first data flow;
Described processor 820, also for generate new forwarding rule according to described testing result, replace the described interim forwarding rule on described the first switch, so that described the first switch is processed the message of described the first data flow according to described new forwarding rule.
The network interface 810 is specifically configured to receive the security notification message sent by the detection device, where the security notification message carries the match field, status attribute and operation attribute of the first data flow; where
the match field of the first data flow comprises a tuple identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the status attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the operation attribute comprises a drop attribute when the status attribute is the unsafe state, and a redirect attribute when the status attribute is the safe state.
Further, the processor 820 is specifically configured to check the status attribute and operation attribute in the security notification message; if it determines from the status attribute that the first data flow is a safe data flow, it controls the network interface to send a generated first forwarding rule to the first switch, the first forwarding rule carrying the information of the second switch to which the first data flow is redirected, set according to the operation attribute; and if it determines from the status attribute that the first data flow is an unsafe data flow, it controls the network interface to send a generated second forwarding rule to the first switch, the second forwarding rule carrying the information, set according to the operation attribute, that the first data flow is to be dropped.
As seen from the above embodiment, the first switch reports the first packet of the first data flow to the controller; the controller issues a temporary forwarding rule for the first data flow to the first switch; the first switch redirects the packets of the first data flow to the detection device according to the temporary forwarding rule; the detection device performs security detection on the packets of the first data flow according to the configured security rule, obtains a detection result and sends it to the controller; the controller generates a new forwarding rule according to the detection result and replaces the temporary forwarding rule on the first switch; and the first switch then processes the packets of the first data flow according to the new forwarding rule. In the embodiment of the present invention, the controller can first direct each data flow that a switch is about to forward to the detection device and, according to the detection device's security detection result for each data flow, decide whether the data flow is forwarded between switches, which improves the accuracy of traffic detection in the network and improves the transmission performance of the network.
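The first-packet, temporary-rule, detection-result and rule-replacement exchange described above, as an added Python simulation that is not part of the patent: the controller, first switch and detection device are modelled as in-process objects; the security rule that flags TCP port 23, the device names "switch1", "switch2" and "detector", and the message shapes are constructed for this example; as the text defines, a packet whose attributes match a security rule makes the flow unsafe.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The tuple that identifies a flow: the "match field" carried in the security notification.
MatchFields = Tuple[str, str, str, str, int, int, int]

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    eth_type: int = 0x0800  # IPv4

    def match_fields(self) -> MatchFields:
        return (self.src_mac, self.dst_mac, self.src_ip, self.dst_ip,
                self.src_port, self.dst_port, self.eth_type)

@dataclass
class ForwardingRule:
    match: MatchFields
    action: str                    # "redirect" or "drop"
    target: Optional[str] = None   # device that receives redirected packets
    temporary: bool = False        # True for the interim rule issued before detection

@dataclass(frozen=True)
class SecurityNotification:
    """Message the detection device sends back to the controller (constructed shape)."""
    match: MatchFields
    status: str      # status attribute: "safe" or "unsafe"
    operation: str   # operation attribute: "redirect" when safe, "drop" when unsafe

class DetectionDevice:
    """Compares packet attributes with configured security rules; a match means unsafe."""

    def __init__(self, security_rules: List[Dict[str, object]], controller: "Controller"):
        self.security_rules = security_rules   # each rule: attribute name -> required value
        self.controller = controller

    def receive(self, switch: "Switch", packet: Packet) -> SecurityNotification:
        attrs = vars(packet)                   # attribute information of the packet
        hit = any(all(attrs.get(k) == v for k, v in rule.items())
                  for rule in self.security_rules)
        if hit:
            notice = SecurityNotification(packet.match_fields(), "unsafe", "drop")
        else:
            notice = SecurityNotification(packet.match_fields(), "safe", "redirect")
        self.controller.on_security_notification(switch, notice)
        return notice

class Switch:
    """The first switch: reports unknown flows, otherwise follows its flow table."""

    def __init__(self, name: str, controller: "Controller"):
        self.name = name
        self.controller = controller
        self.flow_table: Dict[MatchFields, ForwardingRule] = {}

    def receive(self, packet: Packet) -> str:
        """Returns where the packet went: "detector", "drop" or the next switch's name."""
        key = packet.match_fields()
        if key not in self.flow_table:
            self.controller.on_first_packet(self, packet)   # report the first packet
        rule = self.flow_table[key]
        if rule.action == "drop":
            return "drop"
        if rule.temporary:
            self.controller.detector.receive(self, packet)  # interim rule: hand to detection
        return rule.target

class Controller:
    def __init__(self, security_rules: List[Dict[str, object]], next_switch: str = "switch2"):
        self.detector = DetectionDevice(security_rules, self)
        self.next_switch = next_switch   # the "second switch" safe flows are redirected to

    def on_first_packet(self, switch: Switch, packet: Packet) -> ForwardingRule:
        rule = ForwardingRule(packet.match_fields(), "redirect", "detector", temporary=True)
        switch.flow_table[rule.match] = rule
        return rule

    def on_security_notification(self, switch: Switch,
                                 notice: SecurityNotification) -> ForwardingRule:
        # Only the two status/operation pairings the text defines are accepted; any other
        # combination is rejected as malformed and the interim rule stays in place.
        if notice.status == "safe" and notice.operation == "redirect":
            rule = ForwardingRule(notice.match, "redirect", self.next_switch)
        elif notice.status == "unsafe" and notice.operation == "drop":
            rule = ForwardingRule(notice.match, "drop")
        else:
            raise ValueError(f"inconsistent notification: {notice}")
        switch.flow_table[notice.match] = rule   # replaces the temporary rule
        return rule

def build_demo() -> Tuple[Controller, Switch]:
    # Constructed setup: one security rule flags traffic to TCP port 23 (telnet).
    controller = Controller([{"dst_port": 23}])
    return controller, Switch("switch1", controller)
```

Feeding the same packet twice shows the two phases: the first packet of a flow is returned as sent to "detector", and the second follows the replacement rule (dropped for a flagged flow, forwarded to "switch2" otherwise).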
Those skilled in the art will readily understand that the techniques in the embodiments of the present invention can be implemented by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the embodiments of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product; the computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and comprises instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in the embodiments, or in some parts of the embodiments, of the present invention.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. In particular, the system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
The embodiments of the present invention described above do not limit the scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (23)

1. A network traffic detection method, characterized in that the method comprises:
receiving, by a detection device, a packet of a first data flow sent by a first switch, where the packet is a packet of the first data flow that the first switch, after reporting the first packet of the first data flow to a controller, redirected to the detection device according to a temporary forwarding rule issued by the controller;
performing, by the detection device, security detection on the packet of the first data flow according to a configured security rule, to obtain a detection result;
sending, by the detection device, the detection result to the controller, so that the controller generates a new forwarding rule according to the detection result and replaces the temporary forwarding rule on the first switch.
2. The method according to claim 1, characterized in that the performing, by the detection device, security detection on the packet of the first data flow according to the configured security rule comprises:
obtaining attribute information of the packet of the first data flow;
judging whether the attribute information matches the configured security rule;
if the attribute information matches the security rule, determining that the first data flow is an unsafe data flow, and if the attribute information does not match the security rule, determining that the first data flow is a safe data flow.
3. The method according to claim 1 or 2, characterized in that the sending the detection result to the controller comprises:
constructing a security notification message according to the detection result, the security notification message carrying the match field, status attribute and operation attribute of the first data flow;
sending the security notification message to the controller.
4. The method according to claim 3, characterized in that
the match field of the first data flow comprises a tuple identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the status attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the operation attribute comprises a drop attribute when the status attribute is the unsafe state, and a redirect attribute when the status attribute is the safe state.
5. A network traffic detection method, characterized in that the method comprises:
receiving, by a controller, a first packet of a first data flow reported by a first switch;
issuing, by the controller, a temporary forwarding rule for the first data flow to the first switch, so that the first switch redirects packets of the first data flow to a detection device according to the temporary forwarding rule;
receiving, by the controller, a detection result sent by the detection device, the detection result being the result obtained by the detection device performing security detection on the packets of the first data flow according to a configured security rule;
generating, by the controller, a new forwarding rule according to the detection result and replacing the temporary forwarding rule on the first switch, so that the first switch processes the packets of the first data flow according to the new forwarding rule.
6. The method according to claim 5, characterized in that the receiving, by the controller, the detection result sent by the detection device is specifically: receiving, by the controller, a security notification message sent by the detection device, the security notification message carrying the match field, status attribute and operation attribute of the first data flow.
7. The method according to claim 6, characterized in that
the match field of the first data flow comprises a tuple identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the status attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the operation attribute comprises a drop attribute when the status attribute is the unsafe state, and a redirect attribute when the status attribute is the safe state.
8. The method according to claim 7, characterized in that the generating, by the controller, a new forwarding rule according to the detection result and replacing the temporary forwarding rule on the first switch comprises:
checking the status attribute and operation attribute in the security notification message;
if it is determined from the status attribute that the first data flow is a safe data flow, sending a generated first forwarding rule to the first switch, the first forwarding rule carrying the information of a second switch to which the first data flow is redirected, set according to the operation attribute; and
if it is determined from the status attribute that the first data flow is an unsafe data flow, sending a generated second forwarding rule to the first switch, the second forwarding rule carrying the information, set according to the operation attribute, that the first data flow is to be dropped.
9. A network traffic detection system, characterized in that the system comprises a controller, a detection device and at least one first switch, where:
the first switch is configured to report a first packet of a first data flow to the controller;
the controller is configured to issue a temporary forwarding rule for the first data flow to the first switch;
the first switch is further configured to redirect packets of the first data flow to the detection device according to the temporary forwarding rule;
the detection device is configured to perform security detection on the packets of the first data flow according to a configured security rule, obtain a detection result, and send the detection result to the controller;
the controller is further configured to generate a new forwarding rule according to the detection result and replace the temporary forwarding rule on the first switch;
the first switch is further configured to process the packets of the first data flow according to the new forwarding rule.
10. The system according to claim 9, characterized in that the detection device is specifically configured to obtain attribute information of the packets of the first data flow, judge whether the attribute information matches the configured security rule, obtain a detection result that the first data flow is an unsafe data flow if the attribute information matches the security rule, and obtain a detection result that the first data flow is a safe data flow if the attribute information does not match the security rule; and to construct a security notification message according to the detection result and send the security notification message to the controller, the security notification message carrying the match field, status attribute and operation attribute of the first data flow.
11. The system according to claim 10, characterized in that
the match field of the first data flow comprises a tuple identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the status attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the operation attribute comprises a drop attribute when the status attribute is the unsafe state, and a redirect attribute when the status attribute is the safe state.
12. The system according to claim 11, characterized in that
the controller is specifically configured to check the status attribute and operation attribute in the security notification message; if it determines from the status attribute that the first data flow is a safe data flow, to send a generated first forwarding rule to the first switch, the first forwarding rule carrying the information of a second switch to which the first data flow is redirected, set according to the operation attribute; and if it determines from the status attribute that the first data flow is an unsafe data flow, to send a generated second forwarding rule to the first switch, the second forwarding rule carrying the information, set according to the operation attribute, that the first data flow is to be dropped.
13. A detection device, characterized in that the detection device comprises:
a receiving unit, configured to receive a packet of a first data flow sent by a first switch, where the packet is a packet of the first data flow that the first switch, after reporting the first packet of the first data flow to a controller, redirected to the detection device according to a temporary forwarding rule issued by the controller;
a detecting unit, configured to perform security detection, according to a configured security rule, on the packet of the first data flow received by the receiving unit, to obtain a detection result;
a sending unit, configured to send the detection result obtained by the detecting unit to the controller, so that the controller generates a new forwarding rule according to the detection result and replaces the temporary forwarding rule on the first switch.
14. The detection device according to claim 13, characterized in that the detecting unit comprises:
an information obtaining subunit, configured to obtain attribute information of the packet of the first data flow;
a rule matching subunit, configured to judge whether the attribute information obtained by the information obtaining subunit matches the configured security rule;
a result determining subunit, configured to determine that the first data flow is an unsafe data flow when the rule matching subunit judges that the attribute information matches the security rule, and to determine that the first data flow is a safe data flow when the rule matching subunit judges that the attribute information does not match the security rule.
15. The detection device according to claim 13 or 14, characterized in that the sending unit comprises:
a message constructing subunit, configured to construct a security notification message according to the detection result, the security notification message carrying the match field, status attribute and operation attribute of the first data flow;
a message sending subunit, configured to send the security notification message constructed by the message constructing subunit to the controller.
16. A detection device, characterized in that the detection device comprises an input port, a processor and an output port, where:
the input port is configured to receive a packet of a first data flow sent by a first switch, where the packet is a packet of the first data flow that the first switch, after reporting the first packet of the first data flow to a controller, redirected to the detection device according to a temporary forwarding rule issued by the controller;
the processor is configured to perform security detection on the packet of the first data flow according to a configured security rule, to obtain a detection result;
the output port is configured to send the detection result to the controller, so that the controller generates a new forwarding rule according to the detection result and replaces the temporary forwarding rule on the first switch.
17. The detection device according to claim 16, characterized in that
the processor is specifically configured to obtain attribute information of the packet of the first data flow, judge whether the attribute information matches the configured security rule, obtain a detection result that the first data flow is an unsafe data flow if the attribute information matches the security rule, obtain a detection result that the first data flow is a safe data flow if the attribute information does not match the security rule, and construct a security notification message according to the detection result, the security notification message carrying the match field, status attribute and operation attribute of the first data flow; and
the output port is specifically configured to send the security notification message to the controller.
18. A controller, characterized in that the controller comprises:
a first receiving unit, configured to receive a first packet of a first data flow reported by a first switch;
an issuing unit, configured to issue a temporary forwarding rule for the first data flow received by the first receiving unit to the first switch, so that the first switch redirects packets of the first data flow to a detection device according to the temporary forwarding rule;
a second receiving unit, configured to receive a detection result sent by the detection device, the detection result being the result obtained by the detection device performing security detection on the packets of the first data flow according to a configured security rule;
a replacing unit, configured to generate a new forwarding rule according to the detection result received by the second receiving unit and replace the temporary forwarding rule on the first switch, so that the first switch processes the packets of the first data flow according to the new forwarding rule.
19. The controller according to claim 18, characterized in that
the second receiving unit is specifically configured to receive a security notification message sent by the detection device, the security notification message carrying the match field, status attribute and operation attribute of the first data flow; where
the match field of the first data flow comprises a tuple identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the status attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the operation attribute comprises a drop attribute when the status attribute is the unsafe state, and a redirect attribute when the status attribute is the safe state.
20. The controller according to claim 19, characterized in that the replacing unit comprises:
an attribute checking subunit, configured to check the status attribute and operation attribute in the security notification message;
a rule sending subunit, configured to send a generated first forwarding rule to the first switch when it is determined, from the status attribute checked by the attribute checking subunit, that the first data flow is a safe data flow, the first forwarding rule carrying the information of a second switch to which the first data flow is redirected, set according to the operation attribute; and to send a generated second forwarding rule to the first switch when it is determined, from the status attribute checked by the attribute checking subunit, that the first data flow is an unsafe data flow, the second forwarding rule carrying the information, set according to the operation attribute, that the first data flow is to be dropped.
21. A controller, characterized in that the controller comprises a network interface and a processor, where:
the network interface is configured to receive a first packet of a first data flow reported by a first switch;
the processor is configured to control the network interface to issue a temporary forwarding rule for the first data flow to the first switch, so that the first switch redirects packets of the first data flow to a detection device according to the temporary forwarding rule;
the network interface is further configured to receive a detection result sent by the detection device, the detection result being the result obtained by the detection device performing security detection on the packets of the first data flow according to a configured security rule;
the processor is further configured to generate a new forwarding rule according to the detection result and replace the temporary forwarding rule on the first switch, so that the first switch processes the packets of the first data flow according to the new forwarding rule.
22. The controller according to claim 21, characterized in that
the network interface is specifically configured to receive a security notification message sent by the detection device, the security notification message carrying the match field, status attribute and operation attribute of the first data flow; where
the match field of the first data flow comprises a tuple identifying the first data flow, the tuple comprising at least one of the following: the source port, destination port, source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address, destination IP address and Ethernet frame type of the first data flow;
the status attribute comprises a safe state when the first data flow does not match the security rule, and an unsafe state when the first data flow matches the security rule;
the operation attribute comprises a drop attribute when the status attribute is the unsafe state, and a redirect attribute when the status attribute is the safe state.
23. The controller according to claim 22, characterized in that
the processor is specifically configured to check the status attribute and operation attribute in the security notification message; if it determines from the status attribute that the first data flow is a safe data flow, to control the network interface to send a generated first forwarding rule to the first switch, the first forwarding rule carrying the information of a second switch to which the first data flow is redirected, set according to the operation attribute; and if it determines from the status attribute that the first data flow is an unsafe data flow, to control the network interface to send a generated second forwarding rule to the first switch, the second forwarding rule carrying the information, set according to the operation attribute, that the first data flow is to be dropped.
CN201280021731.3A 2012-10-29 2012-10-29 Network flow detection method, system, equipment and controller Active CN103609070B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/083669 WO2014067043A1 (en) 2012-10-29 2012-10-29 Method, system, device and controller for detecting network traffic

Publications (2)

Publication Number Publication Date
CN103609070A true CN103609070A (en) 2014-02-26
CN103609070B CN103609070B (en) 2016-10-05

Family

ID=50126078

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280021731.3A Active CN103609070B (en) 2012-10-29 2012-10-29 Network flow detection method, system, equipment and controller

Country Status (2)

Country Link
CN (1) CN103609070B (en)
WO (1) WO2014067043A1 (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104023034A (en) * 2014-06-25 2014-09-03 武汉大学 Security defensive system and defensive method based on software-defined network
CN104394080A (en) * 2014-11-28 2015-03-04 杭州华三通信技术有限公司 Method and device for achieving function of security group
CN104579832A (en) * 2014-12-30 2015-04-29 华中科技大学 OpenFlow network security detection method and system
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计系统技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
KR101544106B1 (en) * 2014-02-28 2015-08-12 주식회사 이노와이어리스 method for access to SDN using single Ethernet port
CN105376246A (en) * 2015-11-30 2016-03-02 中国电子科技网络信息安全有限公司 Adaptive generation management system and method of security strategy based on SDN
CN105490944A (en) * 2014-09-19 2016-04-13 中国电信股份有限公司 Reporting method of user event in SDN and network system
CN106027212A (en) * 2015-03-31 2016-10-12 泰雷兹公司 Communication network, communication installation within aircraft and aircraft comprising such communication installation
CN106027405A (en) * 2016-05-03 2016-10-12 浙江宇视科技有限公司 Data stream probe method and device
CN106330625A (en) * 2016-11-25 2017-01-11 国网安徽省电力公司信息通信分公司 SDN-based flow detection method
CN108650154A (en) * 2018-06-29 2018-10-12 新华三技术有限公司 Flow control methods and device
CN109496409A (en) * 2017-12-27 2019-03-19 华为技术有限公司 A kind of method and virtual switch of data transmission
CN110099004A (en) * 2019-03-29 2019-08-06 贵阳忆联网络有限公司 A kind of network security path method and system
CN110290124A (en) * 2019-06-14 2019-09-27 杭州迪普科技股份有限公司 A kind of interchanger inbound port blocking-up method and device
CN110768865A (en) * 2019-10-23 2020-02-07 新华三信息安全技术有限公司 Deep packet inspection engine activation method and device and electronic equipment
CN112073317A (en) * 2019-06-10 2020-12-11 华为技术有限公司 Method and device for sending message flow
CN112491940A (en) * 2019-09-12 2021-03-12 北京京东振世信息技术有限公司 Request forwarding method and device of proxy server, storage medium and electronic equipment
CN114363083A (en) * 2022-01-13 2022-04-15 中国联合网络通信集团有限公司 Security protection method, device and equipment of intelligent gateway

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355460A (en) * 2008-09-05 2009-01-28 北京工业大学 Method for setting network flux monitoring point
CN101567848A (en) * 2009-06-01 2009-10-28 北京星网锐捷网络技术有限公司 Safety control method and exchanger
US20100185760A1 (en) * 2009-01-20 2010-07-22 Oki Electric Industry Co., Ltd. Overlay network traffic detection, monitoring, and control
CN102427429A (en) * 2012-01-12 2012-04-25 神州数码网络(北京)有限公司 Method and system for realizing safety protection of internal message of switchboard as well as switchboard
CN102647315A (en) * 2012-05-25 2012-08-22 江南大学 Device for detecting network flow

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101552677B (en) * 2009-05-12 2011-06-01 杭州华三通信技术有限公司 Processing method and exchange equipment for address detected message
CN102546351B (en) * 2012-03-15 2014-05-14 北京邮电大学 System and method for interconnecting openflow network and conventional Internet protocol (IP) network

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355460A (en) * 2008-09-05 2009-01-28 北京工业大学 Method for setting network flux monitoring point
US20100185760A1 (en) * 2009-01-20 2010-07-22 Oki Electric Industry Co., Ltd. Overlay network traffic detection, monitoring, and control
CN101567848A (en) * 2009-06-01 2009-10-28 北京星网锐捷网络技术有限公司 Safety control method and exchanger
CN102427429A (en) * 2012-01-12 2012-04-25 神州数码网络(北京)有限公司 Method and system for realizing safety protection of internal message of switchboard as well as switchboard
CN102647315A (en) * 2012-05-25 2012-08-22 江南大学 Device for detecting network flow

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101544106B1 (en) * 2014-02-28 2015-08-12 주식회사 이노와이어리스 method for access to SDN using single Ethernet port
CN104023034B (en) * 2014-06-25 2017-05-10 武汉大学 Security defensive system and defensive method based on software-defined network
CN104023034A (en) * 2014-06-25 2014-09-03 武汉大学 Security defensive system and defensive method based on software-defined network
CN105490944A (en) * 2014-09-19 2016-04-13 中国电信股份有限公司 Reporting method of user event in SDN and network system
CN104394080A (en) * 2014-11-28 2015-03-04 杭州华三通信技术有限公司 Method and device for achieving function of security group
CN104579832A (en) * 2014-12-30 2015-04-29 华中科技大学 OpenFlow network security detection method and system
CN104579832B (en) * 2014-12-30 2018-07-24 华中科技大学 A kind of OpenFlow network security detection methods and system
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计系统技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
CN106027212A (en) * 2015-03-31 2016-10-12 泰雷兹公司 Communication network, communication installation within aircraft and aircraft comprising such communication installation
CN106027212B (en) * 2015-03-31 2021-06-18 泰雷兹公司 Communication network, communication device on an aircraft and aircraft comprising a communication device
CN105376246A (en) * 2015-11-30 2016-03-02 中国电子科技网络信息安全有限公司 Adaptive generation management system and method of security strategy based on SDN
CN105376246B (en) * 2015-11-30 2018-08-03 中国电子科技网络信息安全有限公司 A kind of security strategy adaptive generation management system and method based on SDN
CN106027405A (en) * 2016-05-03 2016-10-12 浙江宇视科技有限公司 Data stream probe method and device
CN106330625A (en) * 2016-11-25 2017-01-11 国网安徽省电力公司信息通信分公司 SDN-based flow detection method
CN109496409A (en) * 2017-12-27 2019-03-19 华为技术有限公司 A kind of method and virtual switch of data transmission
US11689501B2 (en) 2017-12-27 2023-06-27 Huawei Cloud Computing Technologies Co., Ltd. Data transfer method and virtual switch
CN109496409B (en) * 2017-12-27 2020-10-23 华为技术有限公司 Data transmission method and virtual switch
CN108650154A (en) * 2018-06-29 2018-10-12 新华三技术有限公司 Flow control methods and device
CN108650154B (en) * 2018-06-29 2020-11-27 新华三技术有限公司 Flow control method and device
CN110099004A (en) * 2019-03-29 2019-08-06 贵阳忆联网络有限公司 A kind of network security path method and system
WO2020249030A1 (en) * 2019-06-10 2020-12-17 华为技术有限公司 Message traffic sending method and apparatus
CN112073317A (en) * 2019-06-10 2020-12-11 华为技术有限公司 Method and device for sending message flow
CN112073317B (en) * 2019-06-10 2022-01-07 华为技术有限公司 Method and device for sending message flow
CN110290124A (en) * 2019-06-14 2019-09-27 杭州迪普科技股份有限公司 Switch inbound port blocking method and device
CN112491940A (en) * 2019-09-12 2021-03-12 北京京东振世信息技术有限公司 Request forwarding method and device of proxy server, storage medium and electronic equipment
CN112491940B (en) * 2019-09-12 2024-05-24 北京京东振世信息技术有限公司 Request forwarding method and device of proxy server, storage medium and electronic equipment
CN110768865A (en) * 2019-10-23 2020-02-07 新华三信息安全技术有限公司 Deep packet inspection engine activation method and device and electronic equipment
CN114363083A (en) * 2022-01-13 2022-04-15 中国联合网络通信集团有限公司 Security protection method, device and equipment of intelligent gateway
CN114363083B (en) * 2022-01-13 2023-10-03 中国联合网络通信集团有限公司 Security protection method, device and equipment of intelligent gateway

Also Published As

Publication number Publication date
CN103609070B (en) 2016-10-05
WO2014067043A1 (en) 2014-05-08

Similar Documents

Publication Publication Date Title
CN103609070A (en) Network traffic detection method, system, equipment and controller
CN100474819C (en) A deep message detection method, network device and system
US10708081B2 (en) Failure protection method based on ring protection link, device, and system
US8792337B2 (en) Method and apparatus for providing an uplink over an access ring
CN104980372A (en) Relay System And Switching Device
CN104301146A (en) Link switching method and device in software defined network
CN104104561A (en) SDN (self-defending network) firewall state detecting method and system based on OpenFlow protocol
CN104683333A (en) Method for implementing abnormal traffic interception based on SDN
CN108092934A (en) Safety service system and method
CN100574249C (en) virtual router redundancy protocol message transmission method and device
KR20150051107A (en) Method for fast flow path setup and failure recovery
EP2696542A1 (en) Method, ToR switch, and system for implementing protection switchover based on TRILL network
US20100254257A1 (en) Method for processing failure of slave port of master node in ethernet ring network system
CN110808873B (en) Method and device for detecting link failure
CN103843295A (en) Centralized data plane flow control
KR20140106235A (en) Open-flow switch and packet manageing method thereof
CN104518936B (en) Link dynamic aggregation method and apparatus
CN102821099B (en) Message forwarding method, equipment and system
CN106034038A (en) Method and device for preventing multi-conflict stacking
CN104639437A (en) Forwarding method and apparatus of broadcast messages in stack system
CN102281165A (en) Fault detection method based on QoS, system and apparatus thereof
CN100446509C (en) Method for realizing re-oriented message correctly repeat and first-part and second-part
CN101547131B (en) EAPS looped network single-channel fault location and protection method
CN104104596A (en) Intelligent resilient framework (IRF) split processing method and device
CN101572646B (en) Implementation method of remote IRF stacking and equipment thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant