CN104202303A - Policy conflict detection method and system for SDN (Software Defined Network) application - Google Patents


Info

Publication number: CN104202303A
Authority: CN (China)
Prior art keywords: application, conflict, rule, network, flow
Legal status: Pending
Application number: CN201410391710.1A
Other languages: Chinese (zh)
Inventors: 戴彬, 胡炜烨, 王航远
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology
Application filed by Huazhong University of Science and Technology; priority to CN201410391710.1A; published as CN104202303A

Abstract

The invention discloses a policy conflict detection method and system for SDN (Software Defined Network) applications. The method comprises the following steps: authenticating and authorizing an application that requests access to the network; assigning it a priority; performing conflict detection and resolution on the flow rules it issues; feeding the network state back to the network administrator in real time; and thereby establishing a comprehensive policy conflict detection framework for SDN applications that addresses the network security threats SDN introduces. The set-intersection-based flow rule policy conflict analysis algorithm used by the method is simple, stable and easy to extend, and it detects conflicts involving intermediate actions such as Set-Field in flow rules as well as conflicts that arise only when the flow rules of different applications are combined. The flow rule policy conflict decision algorithm based on application priority comparison is simple, effective and easy to implement.

Description

Policy conflict detection method and system for SDN applications
Technical field
The application relates to the field of network information security, and in particular to a policy conflict detection method and system for SDN applications.
Background art
SDN (Software Defined Network) is an open network architecture whose main features are centralized control and network programmability: it lets network administrators manage and operate the whole network through software. SDN separates the logical control function from the data forwarding function. Control is implemented by a software-based network controller, while the underlying network devices only perform simple data forwarding and interact with the controller through the OpenFlow protocol.
The SDN architecture, shown in Figure 1, is divided from top to bottom into an application layer, a control layer and a data forwarding layer. The core of the architecture is the control layer, built on a network operating system; its main component is the SDN controller, which has a global view of the whole network. The data forwarding layer consists of the underlying forwarding devices, such as OpenFlow switches. These devices have been stripped of control functions and only need to match and forward traffic according to their flow tables. They exchange information with the control layer through the southbound interface (currently mainly the OpenFlow protocol), which carries the flow table entries issued by the controller downwards and the devices' data upwards. The control layer exposes a northbound interface to the application layer; SDN applications operate on the network and its services through this interface to implement their functions. The northbound interface is not yet standardized.
As a brand-new network architecture, SDN brings a great opportunity for improving network security, but it also introduces new security threats. Taking the application layer as an example, an attacker can attack the network by getting a malicious application admitted and manufacturing policy conflicts that cause network confusion, or by issuing rules that conflict with the network's security policies and break down its security defence mechanisms. The threat that application policy conflicts pose to the network is therefore growing. Several application policy conflict detection methods exist, such as FLOVER, FlowChecker, VeriFlow and NICE.
FLOVER checks the dynamic flow rules running in an SDN network against the security requirements set for the network. It consists mainly of a flow table encoder and the SMT (Satisfiability Modulo Theories) solver Yices. During verification, the flow table encoder encodes all flow rules and the network security policy into a set of predicates, which the SMT solver Yices then processes to verify security. FLOVER has two modes, online and batch. In online mode, whenever the flow rule set on a switch is updated (the controller issues a new flow rule, or the switch actively requests one), the entire updated rule set is checked to judge whether it is still consistent with the network security policy. In batch mode, the flow rule set is verified periodically.
FlowChecker checks the configuration consistency of the switches and the controller in an SDN network. It re-encodes the flow tables as Binary Decision Diagrams (BDDs) and verifies network security by model checking.
VeriFlow checks network consistency. It sits between the controller and the network devices, slices the network into equivalence classes according to the old and new rules, builds a forwarding graph for each class, and simulates the new rule on the forwarding graphs to check whether network consistency is violated.
NICE combines model checking with symbolic execution to check the consistency of SDN applications; its strategy is based on discovering code paths.
All of these methods have shortcomings. FLOVER mainly detects whether an application's flow rules conflict with the network security policy, not policy conflicts between applications in general. FlowChecker and VeriFlow do not handle flow rules that contain intermediate actions such as Set. The code-path discovery strategy adopted by NICE scales poorly and cannot be applied to large applications. Moreover, none of these methods considers the conflicts that arise only when the flow rules of different applications are combined, so they cannot completely remove the resulting security threat to the network.
Summary of the invention
The present invention provides a policy conflict detection method and system for SDN applications, to address the network security threats that SDN brings.
To solve the above technical problem, the invention provides a policy conflict detection system for SDN applications, comprising:
An application access layer, comprising the applications already admitted to the network and the applications requesting access to it;
A control and detection layer, which receives the access authorization requests of the applications requesting access, assigns each such application a priority according to its application type, issues it a private certificate and performs access authentication and authorization; it then runs a conflict analysis algorithm over the flow rule insertion requests issued by the authenticated and authorized applications and, when a conflict is found, runs a conflict decision algorithm to resolve it, so that no conflicting policy rules exist in the network;
A monitoring and visualization layer, which displays the network's flow rule information, conflict information and network topology information to the network administrator in real time.
Preferably, the applications in the application access layer comprise:
Network management applications, which are admitted by the network administrator and perform the management and supervision of the network;
Security applications, which are mainly the security service applications admitted to the network and which establish the network's security defence mechanisms;
Third-party applications, which are ordinary applications admitted from third parties and which implement custom functions by calling the controller's open API (application programming interface).
Preferably, the control and detection layer comprises:
An application authentication and authorization module, which receives the access authorization request of each application requesting access, assigns it a priority according to its application type, issues it a private certificate, and performs access authentication and authorization;
A flow rule conflict detection and decision module, which performs conflict analysis on the flow rule insertion requests issued by the authenticated and authorized applications according to the conflict analysis algorithm, judges whether they conflict with the flow rules already in the flow table set and, if so, resolves the conflict according to the conflict decision algorithm so that no conflicting policy rules exist in the network; it sends the results of the analysis and decision to the state table management module;
The state table management module, which manages the flow rule insertion requests issued by the authenticated and authorized applications, accepts or refuses each request according to the analysis and decision results, and updates the flow table set and the flow tables of the underlying switches in real time, maintaining the flow table set;
An information feedback module, which feeds the flow rule information, conflict information and network topology information back to the monitoring and visualization layer in real time, reports them to the network administrator through the user interface, and dispatches the network administrator's operation commands to the corresponding modules;
The flow table set, which stores all the flow table information in operation in the network;
A database, which stores the policy conflict detection logs and provides data support to the flow rule conflict detection and decision module.
Preferably, the monitoring and visualization layer comprises:
The user interface, which obtains network state information from the message processing module and displays it graphically in real time, and through which the network administrator issues operation commands to the message processing module;
The message processing module, which receives the network messages sent by the information feedback module and caches them by message type; on an HTTP (Hypertext Transfer Protocol) information request from the user interface it returns the requested information to the user interface as an HTTP response, and on an operation command from the user interface it caches the command, converts it into the command format that the information feedback module can interpret and passes it down to that module. The network messages comprise the network topology information, the flow table information and the conflict information.
Preferably, the conflict analysis algorithm is specifically:
Convert both the flow rules already in the flow table set and the newly inserted flow rule into set form, obtaining a set-form flow table set and a set-form flow rule to be checked;
Compare every set-form flow rule in the set-form flow table set pairwise with the set-form flow rule to be checked, and judge whether they conflict according to the conflict matching principle.
Preferably, the conflict decision algorithm is specifically: when the conflict analysis algorithm detects a rule conflict, compare the priorities of the applications to which the two conflicting flow rules belong. If the application that sent the flow rule insertion request has the higher priority, the new flow rule overrides the existing one; if it has the lower priority, the new flow rule insertion request is refused; if the two applications have the same priority, the network administrator is asked to choose.
Preferably, the conversion condition for a set-form flow rule is: when the action field of a flow rule is Set-Field, the values of the affected field before and after the Set are merged into one set, and that set replaces the single value of the original match field; if the action of the flow rule is anything other than Set-Field, each match field value of the flow rule becomes a set on its own, and these sets replace the original match field values of the flow rule.
Preferably, the conflict matching principle is: if the match fields of the two set-form flow rules do not all intersect (at least one field is disjoint), there is no conflict; if all match fields of the two set-form flow rules intersect but the actions in their action fields are identical, there is no conflict; if all match fields intersect and the actions in the action fields differ, there is a conflict.
Preferably, the application priorities divide all applications into seven levels according to their importance and safety coefficient.
The invention also provides a policy conflict detection method for SDN applications, applied to the above policy conflict detection system for SDN applications, the method comprising:
The control and detection layer receives the access authorization requests of the applications requesting access from the application access layer, assigns each such application a priority according to its application type, issues it a private certificate and performs access authentication and authorization; it then runs the conflict analysis algorithm over the flow rule insertion requests issued by the authenticated and authorized applications and, when a conflict is found, runs the conflict decision algorithm to resolve it, so that no conflicting policy rules exist in the network;
The monitoring and visualization layer feeds the flow rule information, conflict information and network topology information of the authenticated and authorized applications back to the network administrator in real time.
Through one or more of the above technical solutions, the invention has the following beneficial effects or advantages:
The invention proposes a policy conflict detection method and system for SDN applications that authenticates and authorizes the applications requesting network access, assigns them priorities, performs conflict detection and resolution on their flow rules, and feeds the network state back to the network administrator in real time, thereby establishing a comprehensive policy conflict detection framework for SDN applications that addresses the network security threats SDN brings. The set-intersection-based flow rule policy conflict analysis algorithm adopted by the invention is simple, stable and easy to extend, and it detects conflicts involving intermediate actions such as Set in flow rules as well as conflicts that arise only when the flow rules of different applications are combined. The flow rule policy conflict decision algorithm based on application priority comparison adopted by the invention is simple, effective and easy to implement.
Brief description of the drawings
Fig. 1 shows the SDN network architecture of the prior art;
Fig. 2 shows the policy conflict detection system framework of an embodiment of the invention;
Fig. 3 is the flow chart of the set-intersection-based flow rule policy conflict analysis algorithm of an embodiment of the invention;
Fig. 4 is the flow chart of the flow rule policy conflict decision algorithm based on application priority comparison of an embodiment of the invention;
Fig. 5 is the flow chart of the policy conflict detection method of an embodiment of the invention.
Embodiments
To make the technical solution of the application clearer to those skilled in the art, it is described in detail below through specific embodiments with reference to the drawings.
Embodiment 1:
This embodiment proposes a policy conflict detection system for SDN applications. It authenticates and authorizes the applications requesting network access, assigns them priorities, performs conflict detection on the flow rule requests they issue according to the conflict analysis algorithm, resolves any conflict found according to the conflict decision algorithm, and feeds the network state back to the network administrator in real time. In particular, the conflict detection algorithm detects conflicts involving intermediate actions such as Set in flow rules and conflicts that arise only when the flow rules of different applications are combined. The policy conflict detection system is built as an extension of the Java-based SDN controller OpenDaylight: the modules are implemented according to the design and registered as functional modules in the controller's configuration file, so that they are loaded automatically when the controller starts, and the module loader (ModuleLoader) manages them.
In a concrete implementation, the overall framework of the policy conflict detection system, shown in Figure 2, is divided into three layers: the application access layer 1, the control and detection layer 2 and the monitoring and visualization layer 3.
The application access layer 1 corresponds to the application layer of the existing SDN architecture and comprises the applications already admitted to the network and the applications requesting access.
The control and detection layer 2 corresponds to the control layer of the existing SDN architecture and is the core of the whole framework; it performs policy conflict detection and resolution through the conflict analysis algorithm and the conflict decision algorithm. Specifically, it receives the access authorization requests of the applications requesting access, assigns each such application a priority according to its application type, issues it a private certificate and performs access authentication and authorization; it then runs the conflict analysis algorithm over the flow rule insertion requests issued by the authenticated and authorized applications and, when a conflict is found, runs the conflict decision algorithm to resolve it, so that no conflicting policy rules exist in the network. Here the conflict analysis algorithm is the set-intersection-based flow rule policy conflict analysis algorithm, and the conflict decision algorithm is the flow rule policy conflict decision algorithm based on application priority comparison.
The monitoring and visualization layer 3 mainly displays the conflict information, conflicting flow table information and network topology information obtained by the conflict analysis in the control and detection layer 2. It can also display the flow rule information of the authenticated and authorized applications in the network. In addition, it manages the network security policies and lets the network administrator operate the system through the user interface 13 (a graphical UI).
The applications in the application access layer 1 are divided into three types according to source and function: network management applications 4, security applications 5 and third-party applications 6.
Network management applications 4 are applications admitted by the network administrator; they mainly perform network management, monitoring and related tasks, helping administrators supervise the network better.
Security applications 5 are the security service applications admitted to the network; they establish the network's security defence mechanisms, such as firewalls and access control.
Third-party applications 6 are ordinary applications admitted from third parties; they implement custom functions by calling the controller's open API (Application Programming Interface).
The control and detection layer 2 comprises six modules: the application authentication and authorization module 7, the flow rule conflict detection and decision module 8, the state table management module 9, the information feedback module 10, the flow table set 11 and the database 12.
The application authentication and authorization module 7 receives the access authorization requests of the applications requesting network access, assigns each such application a priority according to its application type, issues it a private certificate, and performs access authentication and authorization, so that each admitted application can access the controller's system resources normally and issue its application policy. Generally network management applications 4 have the highest priority, security applications 5 the next, and third-party applications 6 the lowest.
The flow rule conflict detection and decision module 8 performs conflict analysis on the flow rule insertion requests issued by the authenticated and authorized applications according to the conflict analysis algorithm, judges whether they conflict with the flow rules already in the flow table set 11 and, if so, resolves the conflict according to the conflict decision algorithm so that no conflicting policy rules exist in the network; it sends the results of the analysis and decision to the state table management module 9.
The state table management module 9 manages the flow rule insertion requests issued by the authenticated and authorized applications, accepts or refuses each request according to the analysis and decision results, and updates the flow table set 11 and the flow tables of the underlying switches in real time, maintaining the flow table set 11.
The information feedback module 10 feeds the flow rule information, conflict information and network topology information back to the monitoring and visualization layer 3 in real time, reports them to the network administrator through the user interface 13, and dispatches the network administrator's operation commands to the corresponding modules.
The flow table set 11 stores all the flow table information in operation in the network. This information is the basis of policy conflict detection and is maintained and updated by the state table management module 9.
The database 12 stores the policy conflict detection logs and provides data support to the flow rule conflict detection and decision module 8.
The monitoring and visualization layer 3 comprises two modules, the user interface 13 and the message processing module 14, which communicate over HTTP.
The user interface 13 is a web UI. When the information feedback module 10 sends a network message to the message processing module 14, the message processing module 14 caches it by message type; when an HTTP (Hypertext Transfer Protocol) information request arrives from the user interface 13, the requested information is returned to the user interface 13 as an HTTP response. When the network administrator issues an operation command through the user interface 13, the command is sent to the message processing module 14 as an HTTP message; the message processing module 14 caches the command message, converts it into the command format that the information feedback module 10 can interpret, and passes it down to the information feedback module 10.
In the SDN application policy conflict detection system proposed by the invention, conflict detection and conflict resolution are the core functions, and they are implemented by the flow rule conflict detection and decision module 8 of the control and detection layer 2. This module detects rule conflicts with the set-intersection-based flow rule policy conflict analysis algorithm and resolves them with the flow rule policy conflict decision algorithm based on application priority comparison.
In a concrete implementation, the conflict analysis algorithm is specifically:
Convert both the flow rules already in the flow table set and the newly inserted flow rule into set form, obtaining a set-form flow table set and a set-form flow rule to be checked.
Compare every set-form flow rule in the set-form flow table set pairwise with the set-form flow rule to be checked, and judge whether they conflict according to the conflict matching principle.
Further, the main conflict matching principles are:
If the match fields of the two set-form flow rules do not all intersect (at least one field is disjoint), there is no conflict;
If all match fields of the two set-form flow rules intersect but the actions in their action fields are identical, there is no conflict;
If all match fields of the two set-form flow rules intersect and the actions in their action fields differ, there is a conflict.
The flow of the set-intersection-based flow rule policy conflict analysis algorithm is shown in Figure 3.
S301: convert the existing flow rules (S) in the flow table set 11 and the newly inserted flow rule (F) into set form, obtaining the set-form flow table set (S_Set) and the set-form flow rule to be checked (F_Set).
The conversion is as follows: when the action field of a flow rule (either an existing flow rule (S) in the flow table set 11 or the newly inserted flow rule (F)) is Set-Field, the values of the affected field before and after the Set are merged into one set, and that set replaces the single value of the original match field; if the action of the flow rule is anything other than Set-Field, each match field value of the flow rule becomes a set on its own, and these sets replace the original match field values of the flow rule.
Here "Set-Field" is an action that modifies or sets some value of a packet.
S302: compare each set-form flow rule in the set-form flow table set (S_Set) pairwise with the set-form flow rule to be checked (F_Set), and judge whether they conflict according to the conflict matching principle.
The judgement according to the conflict matching principle consists mainly of the following steps:
S303: check whether every match field of the set-form flow table set (S_Set) and the set-form flow rule to be checked (F_Set) intersects.
If every match field intersects, proceed to S304 and check whether the action fields of the set-form flow table set (S_Set) and the set-form flow rule to be checked (F_Set) are identical.
If the match fields do not all intersect, proceed to S305: no conflict.
In S304, if the action fields are identical, proceed to S305. If the action fields differ, proceed to S306: conflict.
The above judgement applies the following three conflict matching principles one by one, in order:
(1) if the match fields of S_Set and F_Set do not all intersect, the rules are unrelated and there is no conflict;
(2) if all match fields of S_Set and F_Set intersect but the actions in the action fields are identical, there is no conflict;
(3) if all match fields of S_Set and F_Set intersect and the actions in the action fields differ, there is a conflict.
Once a conflict is determined, the conflict decision algorithm decides how to resolve it. The conflict decision algorithm is specifically:
When the conflict analysis algorithm detects a rule conflict, compare the priorities of the applications to which the two conflicting flow rules belong. If the application that sent the flow rule insertion request has the higher priority, the new flow rule overrides the existing one.
If the application that sent the flow rule insertion request has the lower priority, the new flow rule insertion request is refused.
If the applications of the two conflicting flow rules have the same priority, the network administrator is asked to choose.
All applications are divided into seven levels according to their importance and safety coefficient. For convenience of explanation, these seven levels can be named especially high, very high, high, general, low, very low and especially low, corresponding to priorities 1 to 7, where a smaller priority value means a higher level. Network management applications 4 have the highest priority, security applications 5 the next, and third-party applications 6 the lowest.
The flow of the flow-rule policy conflict decision algorithm based on application priority comparison is shown in Figure 4.
When the conflict analysis algorithm detects a conflict between an existing flow rule (S) and a newly inserted flow rule (F), the specific steps are as follows:
S401: compare the priorities of the applications corresponding to the two flow rules, S->AppPriority (the application priority of S) and F->AppPriority (the application priority of F). The priority is read from the application priority attached to each flow rule.
The comparison proceeds as follows:
S402: check whether the priority of the newly inserted flow rule (F->AppPriority) is higher than that of the existing flow rule (S->AppPriority).
If so, proceed to S403: override the existing flow rule (S) with the newly inserted flow rule (F), that is, insert the new flow rule (F) into the flow table set 11 and the flow tables of the underlying switches, and delete the existing flow rule (S).
Otherwise, proceed to S404: check whether the priority of the newly inserted flow rule (F->AppPriority) is lower than that of the existing flow rule (S->AppPriority).
If so, proceed to S405: refuse the insertion request for the new flow rule (F).
Otherwise S->AppPriority equals F->AppPriority; proceed to S406 and hand the choice to the network manager. In general the new flow rule replaces the old one.
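As an added example, not code from the patent, the following Python puts together the set-form conversion of claim 7, the pairwise comparison with the three matching principles of S304 to S306 above, and the priority decision of S401 to S406. The representation of a rule as a dict of match fields plus an action string, the spelling "set:<field>=<value>" for a Set-Field action, the treatment of a match field that is absent from one rule as a wildcard, and the handling of a new rule that conflicts with several existing rules at once are assumptions that the original does not specify.

```python
"""Set-intersection conflict analysis (S304-S306) and priority decision (S401-S406).

Added example, not the patent's code. Assumed (not in the original): a match
is a dict of field -> literal value, a field missing from the match is a
wildcard, and a Set-Field action is written "set:<field>=<value>".
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class FlowRule:
    match: Dict[str, str]     # e.g. {"ip_dst": "10.0.0.5", "tp_dst": "80"}
    action: str               # e.g. "output:2", "drop", "set:ip_dst=10.0.0.9"
    app_priority: int         # 1 (highest) .. 7 (lowest), as in the patent


def setify(rule: FlowRule) -> Dict[str, FrozenSet[str]]:
    """Set-form conversion (claim 7): a Set-Field action merges the value
    before and after the rewrite into one set for that field; every other
    match value becomes a singleton set."""
    sets = {k: frozenset({v}) for k, v in rule.match.items()}
    if rule.action.startswith("set:"):
        fld, new_val = rule.action[len("set:"):].split("=", 1)
        sets[fld] = sets.get(fld, frozenset()) | {new_val}
    return sets


def is_conflict(s: FlowRule, f: FlowRule) -> bool:
    """The three conflict matching principles applied to one pair."""
    s_set, f_set = setify(s), setify(f)
    for fld in set(s_set) | set(f_set):
        # A field present on only one side is a wildcard on the other and so
        # always intersects; two explicit sets must share at least one value.
        if fld in s_set and fld in f_set and not (s_set[fld] & f_set[fld]):
            return False          # (1) some match field disjoint: unrelated
    return s.action != f.action   # (2) same action: no conflict; (3) else conflict


def find_conflicts(table: List[FlowRule], new: FlowRule) -> List[FlowRule]:
    """Compare F_Set pairwise against every rule of S_Set."""
    return [s for s in table if is_conflict(s, new)]


def decide(table: List[FlowRule], new: FlowRule) -> Tuple[str, List[FlowRule]]:
    """S401-S406: returns the decision and the resulting flow table set.

    Assumption for several conflicts at once: one higher-priority conflicting
    rule rejects the request, one equal-priority rule escalates it, and only
    when every conflicting rule is lower does the new rule override them all.
    """
    conflicting = find_conflicts(table, new)
    if not conflicting:
        return "insert", table + [new]
    # A smaller number is a higher priority.
    if any(s.app_priority < new.app_priority for s in conflicting):
        return "reject", table                          # S404 / S405
    if any(s.app_priority == new.app_priority for s in conflicting):
        return "escalate", table                        # S406: manager decides
    # S402 / S403: the new rule covers every existing rule it conflicts with.
    return "override", [s for s in table if s not in conflicting] + [new]


if __name__ == "__main__":
    # Constructed sample: a higher-priority app drops traffic to 10.0.0.5:80;
    # a lower-priority app tries to rewrite destination 10.0.0.9 -> 10.0.0.5.
    table = [FlowRule({"ip_dst": "10.0.0.5", "tp_dst": "80"}, "drop", 5)]
    rewrite = FlowRule({"ip_dst": "10.0.0.9"}, "set:ip_dst=10.0.0.5", 6)
    print(decide(table, rewrite)[0])   # reject
```

The sample shows why the set-form conversion matters: read literally, the rewrite rule matches 10.0.0.9 and is disjoint from the drop rule, but after the rewrite its packets carry 10.0.0.5 and would bypass the drop, and the merged set {10.0.0.9, 10.0.0.5} makes that intersection visible to the pairwise check.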
The present invention proposes a policy conflict detection system for SDN applications. It authenticates and authorizes the applications that wish to access the network, assigns them priorities, performs conflict detection and reconciliation, feeds the network state back to the network management personnel in real time, and thereby establishes a comprehensive policy conflict detection framework for SDN applications. The set-intersection based flow-rule policy conflict analysis algorithm adopted by the system is simple, stable and easy to extend, and it solves policy conflict detection for intermediate actions such as Set in flow rules and for the combination of flow rules from different applications. The flow-rule policy conflict decision algorithm based on application priority comparison adopted by the system is simple, effective and easy to implement.
The embodiment above described the framework of the policy conflict detection system; based on the same inventive concept, the following embodiment describes a policy conflict detection method for SDN applications.
Embodiment 2:
The policy conflict detection method for SDN applications proposed by the present invention is applied in the policy conflict detection system for SDN applications and is aimed mainly at SDN applications. The method is an extension built on a Java-based controller (OpenDaylight): the corresponding system implements the modules according to the design requirements and adds the functional modules to the controller's configuration file, so that they are loaded automatically when the controller starts. The system corresponding to this method uses a module loader (ModuleLoader) to manage each module.
Within the framework of the policy conflict detection system, the main implementation flow is:
The control and detection layer 2 receives the access authorization request of an application wishing to access the network from the application access layer 1, assigns each such application a priority according to its application type, issues it a private certificate, performs access authentication and authorization, and runs the conflict analysis algorithm on the flow-rule insertion requests issued by authenticated and authorized applications; if a conflict exists, the conflict decision algorithm makes a conflict decision that mitigates the conflict, so that no conflicting policy rules exist in the network. The monitoring and visualization layer 3 feeds the flow-rule information, conflict information and network topology information of the authenticated and authorized applications back to the network manager in real time.
The method is described below using a concrete application.
The implementation flow of the policy conflict detection method of the present invention is shown in Figure 5:
S1: a first application wishing to access the network requests access authorization from the application authentication and authorization module 7.
S2: the application authentication and authorization module 7 identifies the type of the first application, assigns an application priority according to the application type, generates a private certificate and issues it to the first application.
S3: the first application sends its private certificate and the authorization code obtained from the controller to the application authentication and authorization module 7, requesting an access token and a refresh token.
S4: the application authentication and authorization module 7 processes the access authorization request of the first application: it receives the private certificate and authorization code of the first application and, if they verify as correct and valid, issues an access token and a refresh token to the first application.
S5: after the access token has expired, the first application sends its private certificate and refresh token to the application authentication and authorization module 7, requesting that the access token be refreshed.
S6: the application authentication and authorization module 7 receives the private certificate and refresh token sent by the first application and, if they verify as correct and valid, issues a new access token to the first application.
S7: the flow-rule conflict detection and decision module 8 performs conflict analysis on the flow-rule insertion request issued by the first application according to the policy conflict analysis algorithm, determining whether it conflicts with any existing flow rule in the flow table set 11.
S8: if S7 finds no conflict, the flow-rule conflict detection and decision module 8 forwards the flow-rule insertion request to the state table management module 9.
S9: if S7 finds a conflict, the flow-rule conflict detection and decision module 8 makes a conflict decision according to the policy conflict decision algorithm and mitigates the conflict, so that no conflicting policy rules exist in the network.
S10: the flow-rule conflict detection and decision module 8 sends the results of the conflict analysis and decision to the state table management module 9.
S11: the database 12 stores the policy conflict detection log information of the flow-rule conflict detection and decision module 8 and provides data support to that module.
S12: the state table management module 9 checks the integrity of the flow rule; if it is incomplete, the flow rule has been corrupted in transit and the insertion request is refused. If it is complete, the insertion request is accepted and the corresponding operation is carried out: inserting the flow rule into the flow table set 11, deleting the flow rule from the flow table set 11, issuing the flow rule to the underlying switches, and so on.
S13: the information feedback module 10 receives the messages sent by the functional modules and adds each message to the message queue corresponding to its message type.
S14: the information feedback module 10 sends the messages in the message queues to the message processing module 14. The message processing module 14 obtains the messages from the information feedback module 10 and caches them by message type.
S15: when an HTTP information request arrives from the user interface 13, the message processing module 14 sends the requested information to the user interface 13 in an HTTP resource response.
S16: when the network management personnel issue an operation command through the user interface 13, the operation command is packaged as a command message and sent to the message processing module 14.
S17: the message processing module 14 caches the command message, converts it into the operation command format that the information feedback module 10 can recognize, and passes it down to the information feedback module 10. The information feedback module 10 receives the operation command from the message processing module 14 and adds it to the command queue of the respective module according to the target module.
S18: the information feedback module 10 sends the operation commands in the module command queues to the corresponding functional modules.
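As an added example, not the patent's implementation, the following Python models steps S1 to S6 of the application authentication and authorization module 7 and the lookup the conflict module would need at S7 to learn who is inserting a rule and with what priority. The patent does not specify the certificate or token formats, so the private certificate is modelled as an HMAC-SHA256 over the application's identity, type and priority under a module-side key, the authorization code as a one-time random value handed out at registration, and the tokens as opaque random strings tracked server-side with an expiry; the type-to-priority numbers, the lifetimes and all names are assumptions.

```python
"""Application authentication and authorization (S1-S6) for the SDN controller.

Added example, not the patent's code. Assumed (not in the original): the
private certificate is an HMAC-SHA256 over (app_id, app_type, priority) under
a module-side key, the authorization code is a one-time random value, tokens
are opaque random strings tracked server-side, and the numbers below.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Priority 1 is highest. The patent orders management > security > third party
# within seven grades; these particular numbers are assumed.
APP_TYPE_PRIORITY = {"management": 1, "security": 2, "third_party": 3}
ACCESS_TTL = 600       # seconds an access token stays valid (assumed)
REFRESH_TTL = 86400    # seconds a refresh token stays valid (assumed)


@dataclass
class AppRecord:
    app_id: str
    app_type: str
    priority: int
    cert: bytes
    auth_code: Optional[str] = None       # consumed by the first token request
    refresh_token: Optional[str] = None
    refresh_expires: float = 0.0


class AuthModule:
    """Stands in for the application authentication and authorization module 7."""

    def __init__(self, key: bytes, now: Callable[[], float] = time.time):
        self._key = key
        self._now = now                   # injectable clock, for tests
        self._apps: Dict[str, AppRecord] = {}
        self._access: Dict[str, Tuple[str, float]] = {}   # token -> (app_id, expiry)

    def _sign_cert(self, app_id: str, app_type: str, priority: int) -> bytes:
        msg = f"{app_id}|{app_type}|{priority}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def register(self, app_id: str, app_type: str) -> Tuple[bytes, str]:
        """S1/S2: classify the application, assign its priority, and issue the
        private certificate and a one-time authorization code."""
        priority = APP_TYPE_PRIORITY[app_type]
        cert = self._sign_cert(app_id, app_type, priority)
        code = secrets.token_urlsafe(16)
        self._apps[app_id] = AppRecord(app_id, app_type, priority, cert, auth_code=code)
        return cert, code

    def _verified(self, app_id: str, cert: bytes) -> Optional[AppRecord]:
        rec = self._apps.get(app_id)
        if rec is None or not hmac.compare_digest(rec.cert, cert):
            return None
        return rec

    def _new_access(self, rec: AppRecord) -> str:
        tok = secrets.token_urlsafe(32)
        self._access[tok] = (rec.app_id, self._now() + ACCESS_TTL)
        return tok

    def issue_tokens(self, app_id: str, cert: bytes, code: str) -> Optional[Tuple[str, str]]:
        """S3/S4: certificate + authorization code -> access token + refresh token."""
        rec = self._verified(app_id, cert)
        if rec is None or rec.auth_code is None or not hmac.compare_digest(rec.auth_code, code):
            return None
        rec.auth_code = None              # one-time: a replayed code is refused
        rec.refresh_token = secrets.token_urlsafe(32)
        rec.refresh_expires = self._now() + REFRESH_TTL
        return self._new_access(rec), rec.refresh_token

    def refresh(self, app_id: str, cert: bytes, refresh_token: str) -> Optional[str]:
        """S5/S6: certificate + refresh token -> new access token."""
        rec = self._verified(app_id, cert)
        if (rec is None or rec.refresh_token is None
                or not hmac.compare_digest(rec.refresh_token, refresh_token)
                or self._now() > rec.refresh_expires):
            return None
        return self._new_access(rec)

    def authorize(self, access_token: str) -> Optional[Tuple[str, int]]:
        """Lookup for S7: which application presented this token and with what
        priority; an expired token is dropped and refused."""
        entry = self._access.get(access_token)
        if entry is None:
            return None
        app_id, expires = entry
        if self._now() > expires:
            del self._access[access_token]
            return None
        return app_id, self._apps[app_id].priority


if __name__ == "__main__":
    module = AuthModule(key=secrets.token_bytes(32))
    cert, code = module.register("ids-app", "security")                 # S1, S2
    access, refresh_tok = module.issue_tokens("ids-app", cert, code)     # S3, S4
    print(module.authorize(access))                                      # ('ids-app', 2)
    print(module.issue_tokens("ids-app", cert, code))                    # None: code already used
    print(module.refresh("ids-app", cert, refresh_tok) is not None)      # True: S5, S6
```

Two checks are worth keeping in any real implementation of this flow: the authorization code is consumed on first use so that a captured code cannot be replayed for a second token pair, and the refresh token is only honoured together with the certificate it was issued to, so a leaked refresh token alone does not mint access tokens.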
Through one or more of the embodiments above, the present invention has the following beneficial effects or advantages:
The present invention proposes a policy conflict detection method and system for SDN applications that authenticates and authorizes the applications wishing to access the network, assigns priorities, performs conflict detection and reconciliation, feeds the network state back to the network management personnel in real time, and establishes a comprehensive policy conflict detection framework for SDN applications in order to address the network security threats that SDN brings. The set-intersection based flow-rule policy conflict analysis algorithm adopted by the invention is simple, stable and easy to extend, and it realizes policy conflict detection for intermediate actions such as Set in flow rules and for the combination of flow rules from different applications. The flow-rule policy conflict decision algorithm based on application priority comparison adopted by the invention is simple, effective and easy to implement.
Although preferred embodiments of the present application have been described, those skilled in the art may, once they have grasped the basic inventive concept, make other changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art may make various changes and modifications to the present application without departing from its spirit and scope. Thus, if these changes and modifications of the present application fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to include them.

Claims (10)

1. A policy conflict detection system for SDN applications, characterized in that it comprises:
an application access layer, comprising the applications that have accessed the network and the applications wishing to access the network;
a control and detection layer, for receiving the access authorization requests of the applications wishing to access the network, assigning each such application a priority according to its application type, issuing a private certificate, performing access authentication and authorization, running a conflict analysis algorithm on the flow-rule insertion requests issued by authenticated and authorized applications and, if a conflict exists, making a conflict decision by a conflict decision algorithm to mitigate the conflict, so as to prevent conflicting policy rules from existing in the network;
a monitoring and visualization layer, for displaying the flow-rule information, conflict information and network topology information of the network to the network manager in real time.
2. The system of claim 1, characterized in that the applications in the application access layer comprise:
a network management application, which is the application accessed by the network management personnel and is used for the management and supervision of the network;
a security application, which is mainly a security service application accessed in the network and is used for establishing the security protection mechanism of the network;
a third-party application, which is an ordinary application accessed by a third party and implements user-defined functions by calling the open API (application programming interface) of the controller.
3. The system of claim 1, characterized in that the control and detection layer comprises:
an application authentication and authorization module, for receiving the access authorization request of each application wishing to access the network, assigning each such application a priority according to its application type, issuing a private certificate to each such application, and performing access authentication and authorization for each such application;
a flow-rule conflict detection and decision module, for performing conflict analysis according to the conflict analysis algorithm on the flow-rule insertion requests issued by authenticated and authorized applications, determining whether they conflict with existing flow rules in the flow table set, making a conflict decision according to the conflict decision algorithm if a conflict exists so as to mitigate the conflict and prevent conflicting policy rules from existing in the network, and sending the results of the conflict analysis and decision to the state table management module;
the state table management module, for managing the flow-rule insertion requests issued by authenticated and authorized applications, accepting or refusing each flow-rule insertion request according to the results of the conflict analysis and decision, updating the flow table set and the flow tables of the underlying switches in real time, and maintaining the flow table set;
an information feedback module, for feeding the flow-rule information, conflict information and network topology information back to the monitoring and visualization layer in real time, reporting them to the network management personnel through the user interface, and sending the operation commands of the network management personnel to the corresponding modules;
the flow table set, for storing all flow table information running in the network;
a database, for storing policy conflict detection log information and providing data support to the flow-rule conflict detection and decision module.
4. The system of claim 1, characterized in that the monitoring and visualization layer comprises:
the user interface, for obtaining network state information from the message processing module and displaying it graphically in real time, so that the network management personnel can issue operation commands to the message processing module through the user interface;
the message processing module, for receiving the network messages sent by the information feedback module and caching them by message type; when an HTTP (Hypertext Transfer Protocol) information request arrives from the user interface, answering the request with an HTTP resource response to the user interface; and when an operation command arrives from the user interface, caching the operation command, converting it into the operation command format that the information feedback module can recognize and passing it down to the information feedback module; wherein the network messages comprise the network topology information, the flow table information and the conflict information.
5. The system of claim 1 or 3, characterized in that the conflict analysis algorithm is specifically:
converting both the existing flow rules in the flow table set and the newly inserted flow rule into set-form flow rules, obtaining a set-form flow table set and a set-form flow rule to be checked;
comparing each set-form flow rule in the set-form flow table set pairwise with the set-form flow rule to be checked, and judging whether there is a conflict according to the conflict matching principles.
6. The system of claim 1 or 3, characterized in that the conflict decision algorithm is specifically:
when the conflict analysis algorithm detects a rule conflict, comparing the priorities of the applications corresponding to the two conflicting flow rules; if the application that sent the flow-rule insertion request has the higher priority, the new flow rule overrides the existing flow rule; if the application that sent the flow-rule insertion request has the lower priority, the insertion request for the new flow rule is refused; and if the applications corresponding to the two conflicting flow rules have the same priority, the network manager is notified and makes the choice.
7. The system of claim 5, characterized in that the conversion condition for a set-form flow rule is: when the action field of a flow rule is Set-Field, the values before and after the Set are merged into one set, and this set value replaces the original single value of the corresponding match field; if the flow rule has any action other than Set-Field, each match value of the flow rule is taken on its own as a set, and these set values replace the original match values of the flow rule.
8. The system of claim 5, characterized in that the conflict matching principles are:
if the match fields of the two set-form flow rules do not all intersect, there is no conflict;
if the match fields of the two set-form flow rules all intersect but the actions in the action fields are identical, there is no conflict;
if the match fields of the two set-form flow rules all intersect and the actions in the action fields differ, there is a conflict.
9. The system of claim 6, characterized in that the priority of the applications divides all applications into seven different grades according to their importance and security coefficient.
10. A policy conflict detection method for SDN applications, characterized in that the method comprises:
a control and detection layer receiving the access authorization request of an application wishing to access the network from an application access layer, assigning each such application a priority according to its application type, issuing a private certificate, performing access authentication and authorization, running a conflict analysis algorithm on the flow-rule insertion requests issued by authenticated and authorized applications and, if a conflict exists, making a conflict decision by a conflict decision algorithm to mitigate the conflict, so that no conflicting policy rules exist in the network;
a monitoring and visualization layer feeding the flow-rule information, conflict information and network topology information of the authenticated and authorized applications back to the network manager in real time.
CN201410391710.1A, priority date 2014-08-11, filing date 2014-08-11: Policy conflict detection method and system for SDN (Software Defined Network) application; legal status listed as Pending; published as CN104202303A (en).

Publications (1)

Publication Number Publication Date
CN104202303A 2014-12-10

Family

ID=52087528


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 2014-12-10)