CN104506511A - Moving target defense system and moving target defense method for SDN (software-defined network) - Google Patents
- Publication number: CN104506511A
- Application number: CN201410778930.XA
- Authority: CN (China)
- Prior art keywords: module, address, SDN, flow table, flow
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a moving target defense system for an SDN (software-defined network). The system consists of a moving target defense module and an SDN controller management module. The moving target defense module comprises a flow analysis module, a mapping information storage module, a target conversion module, an encrypted transmission module, a load balancing module, a security authentication module, a service flow record database and a mapping information record database. The SDN controller management module comprises a flow table generation module, a flow table distribution/synchronization module, a route selection module, a DNS service module, a load balancing module, a distributed management module, a secure communication module, a redundant backup module, a security authentication module and a flow table database. The invention also discloses a moving target defense method for the SDN. The system and method further increase the difficulty an attacker faces in reconnoitring a target and thereby protect the security of the intranet as a whole.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a moving target defense system and method for SDN.
Background art
Moving Target Defense (MTD) is a defensive strategy that builds a network system whose attributes, as seen from the outside, are diverse and constantly changing, so that an attacker finds it difficult to reconnoitre the target before launching an attack; defense is achieved by raising the cost of the attack. The attributes that can be varied at random include IP address, port, route, host identity, instruction set and others. Compared with a legacy network, the separation of control plane and forwarding plane in SDN makes such a system much easier to build. The OpenFlow Random Host Mutation (OF-RHM) technique developed at the University of North Carolina (Charlotte) on top of the OpenFlow protocol uses SDN to rotate host IP addresses rapidly while keeping network services transparent to users; experiments showed that it effectively defends against random scanning attacks and worm propagation.
The theoretical basis of MTD is that an attacker cannot map a system that is constantly changing and therefore cannot mount a coordinated attack. An MTD strategy changes the defensive posture: system parameters move from a static configuration to a dynamic one, so the attacker finds it hard to discover and exploit vulnerabilities. By creating uncertainty for the attacker, attacks on critical network infrastructure can be defeated. Through a command and control system, coordinated defenses can be assessed, planned and executed so as to avoid conflicts within the network system and to restrict the avenues available to an attacker.
For example, the paper "OpenFlow Random Host Mutation: Transparent Moving Target Defense using Software Defined Networking" keeps the real IP address secret and unchanged but associates each host with a short-lived virtual IP address. That technique merely binds a real host to a virtual IP and updates the virtual IP periodically. An attacker can still scan for the target by MAC address, by port, or by a combination of the two. Moreover, the virtual IP is an IPv4 address, the address space available for virtual addresses is limited, and an attacker can still scan it relatively easily and learn more about the target.
In addition, Chinese patent application No. 200710179203.1 discloses a method of redirecting a network attack that combines routing and tunnelling: a tunnel is set up between gateway N1 and gateway N2, which is connected to a honeypot host; a second routing table is configured; and attack IP packets are tagged so that the attack is redirected to a honeypot host on a remote subnet with the same address, thereby realising attack redirection. That method is simple, fast and efficient and is particularly suited to temporarily redirecting attacks at an important gateway; it is also low-risk and does not need to worry about the network's minimum MTU or IP packet fragmentation.
However, that invention only sets up a tunnel between gateway N1 and the honeypot gateway N2, configures a second routing table and tags attack packets. An attacker can reach the real host before the protection is triggered, and by comparing traffic can notice that it has been moved into the honeypot. Furthermore, the honeypot address is permanently bound to the attack target, which itself is a considerable security weakness.
Summary of the invention
The object of the invention is to overcome the defects of the prior art by providing a moving target defense system and method for SDN, thereby increasing the difficulty an attacker faces in reconnoitring a target.
To solve the above technical problem, this application discloses the following technical solution:
In a first aspect, the invention discloses a moving target defense system for SDN, consisting of a moving target defense module and an SDN controller management module.
The moving target defense module comprises a flow analysis module, a mapping information storage module, a target conversion module, an encrypted transmission module, a load balancing module, a security authentication module, a service flow record database and a mapping information record database.
The flow analysis module analyses a packet to obtain the flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port; from these it derives the protocol and the service to which the packet belongs and the real machine address of the target being accessed; finally it judges the sensitivity of the service flow and generates a security level index.
The mapping information storage module manages the service flow record database and periodically scans the database to purge entries whose expiry time has passed the configured limit.
The target conversion module uses a random mapping algorithm, selected according to the security level index of the service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, an IPv6 address and a virtual port.
The encrypted transmission module secures communication between MTD servers and between an MTD server and other network elements.
The security authentication module authenticates any party that accesses the MTD and admits only internal network elements that hold access rights.
The load balancing module monitors the working load of the current MTD server and, when the load exceeds a threshold, hands processing to other MTD servers or applies a safety measure such as simply dropping packets.
The service flow record database stores service flow record entries, and the mapping information record database stores mapping information record entries.
The SDN controller management module comprises a flow table generation module, a flow table distribution/synchronization module, a route selection module, a DNS service module, a load balancing module, a distributed management module, a secure communication module, a redundant backup module, a security authentication module and a flow table database.
The flow table generation module obtains traffic forwarding rules from the MTD server and generates from those rules the flow table to be deployed to the SDN edge switch.
The flow table distribution/synchronization module pushes the flow table to the relevant SDN edge switches, keeps the flow tables on the controller and the switches consistent, and synchronizes flow tables among multiple controllers.
The route selection module is responsible for routing decisions.
The load balancing module monitors the working load of the current SDN controller and, when the load exceeds a threshold, hands processing to other SDN controllers or applies a safety measure such as simply dropping packets.
The distributed management module manages the SDN controller cluster in a distributed manner.
The secure communication module ensures that communication takes place securely.
The redundant backup module prevents a failure of one SDN controller from affecting the normal operation of the whole system.
The security authentication module authenticates any party that accesses the SDN and admits only internal network elements that hold access rights.
The flow table database stores the unexpired flow entries associated with the SDN edge switches managed by the current controller.
The controller cluster control module communicates with SDN-capable switches through the switch interface communication module using a southbound interface protocol.
The target conversion module comprises a MAC mapping module, an IP mapping module, a port mapping module and a protocol identifier change module; the random algorithms it may apply according to the security level index of the service flow include a MAC random mapping algorithm, an IP random mapping algorithm and a port random mapping algorithm.
In a second aspect, the invention discloses a moving target defense method for SDN. The method maps the real information of internal network elements into a space far larger than the original address space, and randomly generates a validity period together with the mapped address according to the security level of the target being accessed, so that the difficulty an attacker faces in reconnoitring target information rises greatly. The procedure is as follows:
Procedure for a packet entering the intranet from the external network:
S11. The SDN edge switch receives a packet sent from the outside to the intranet;
S12. The SDN edge switch checks whether the packet matches a forwarding flow entry;
S13. If it matches, the SDN edge switch forwards the packet according to the flow entry;
S14. If it does not match, the SDN edge switch extracts the packet information and forwards it to the SDN controller;
S15. The SDN controller searches the flow table database and checks whether an existing flow entry matches;
S16. If one matches, the SDN controller sends that flow entry down to the relevant SDN edge switch, and the SDN edge switch forwards the packet according to it;
S17. If none matches, the SDN controller forwards the received information to the MTD server for processing;
S18. The flow analysis module of the MTD server analyses the packet and obtains the flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port;
S19. The flow analysis module searches the service flow record database using the obtained information;
S110. If a record is stored in the database:
  a11. the mapping information storage module looks up the record entry in the mapping record database using the packet information;
  b11. the mapping information storage module looks up the service flow record entry in the service flow record database using the service identifier of that record;
  c11. the mapping information storage module obtains the real destination MAC address, real destination IP address and real destination port of the service flow to which the packet belongs;
  d11. the MTD server sends the entry information to the SDN controller in a secure manner;
  e11. the flow table generation module of the SDN controller converts the received information into a flow entry;
  f11. the SDN controller sends the flow entry down to the relevant SDN edge switch;
  g11. the SDN edge switch forwards the packet according to the flow entry;
S111. If no record is found in the database:
  a12. the flow analysis module analyses the protocol and service of the new service flow and the real machine address of the target being accessed;
  b12. the flow analysis module judges the sensitivity of the service flow, generates a security level index and sends it to the mapping information storage module;
  c12. the mapping information storage module stores the service identifier, security level index, protocol information, real destination MAC address, real destination IP address, real destination port, source MAC address, source IP address and source port in the service flow record database, keyed by service identifier;
  d12. the mapping information storage module obtains the real destination MAC address, real destination IP address and real destination port of the service flow to which the packet belongs;
  e12. the MTD server sends the entry information to the SDN controller in a secure manner;
  f12. the flow table generation module of the SDN controller converts the received information into a flow entry;
  g12. the SDN controller sends the flow entry down to the relevant SDN edge switch;
  h12. the SDN edge switch forwards the packet according to the flow entry.
Procedure for a packet sent from the intranet to the external network:
S21. The SDN edge switch receives a packet sent from the intranet to the outside;
S22. The SDN edge switch checks whether the packet matches a forwarding flow entry;
S23. If it matches, the SDN edge switch forwards the packet according to the flow entry;
S24. If it does not match, the SDN edge switch extracts the packet information and forwards it to the SDN controller;
S25. The SDN controller searches the flow table database and checks whether an existing flow entry matches;
S26. If one matches, the SDN controller sends that flow entry down to the relevant SDN edge switch, and the SDN edge switch forwards the packet according to it;
S27. If none matches, the SDN controller forwards the received information to the MTD server for processing;
S28. The flow analysis module of the MTD server analyses the packet and obtains the flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port;
S29. The flow analysis module searches the service flow record database using the obtained information;
S210. If the information is stored in the database:
  a21. the mapping information storage module looks up the record entry in the mapping record database using the packet information;
  b21. the mapping information storage module looks up the service flow record entry in the service flow record database using the service identifier of that record, and checks whether the entry has expired;
  c21. if it has not expired:
    i. the mapping information storage module obtains the service flow entry information for the packet;
    ii. the mapping information storage module passes the virtual MAC address, IP address and port that the internal network element presents externally, together with the changed protocol, to the SDN controller;
    iii. the flow table generation module of the SDN controller generates a flow entry from that information, which replaces the MAC address, IP address and port of the internal network element, changes the TTL at random, fills in the validity period of the flow entry and may also change the protocol type;
    iv. the SDN controller sends the flow entry down to the relevant SDN edge switch;
  d21. if it has expired:
    i. the target conversion module applies the MAC random mapping algorithm, IP random mapping algorithm and port random mapping algorithm, chosen according to the security level index of the service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, an IPv6 address and a virtual port, and may also convert the protocol identifier;
    ii. the mapping information storage module stores the service identifier, validity period and the generated virtual MAC address, IPv6 address and port together in the mapping information record database;
    iii. the mapping information storage module passes the virtual MAC address, IP address and port that the internal network element presents externally, together with the changed protocol, to the SDN controller;
    iv. the flow table generation module of the SDN controller generates a flow entry from that information, which replaces the MAC address, IP address and port of the internal network element, changes the TTL at random, fills in the validity period of the flow entry and may also change the protocol type;
    v. the SDN controller sends the flow entry down to the relevant SDN edge switch;
    vi. the SDN edge switch forwards the packet according to the flow entry;
S211. If the information is not stored in the database:
  a22. the flow analysis module analyses the protocol and service of the new service flow;
  b22. the flow analysis module judges the sensitivity of the service flow, generates a security level index and sends it to the mapping information storage module;
  c22. the mapping information storage module stores the service identifier, security level index, protocol information, real destination MAC address, real destination IP address, real destination port, source MAC address, source IP address and source port in the service flow record database, keyed by service identifier;
  d22. the target conversion module applies the MAC random mapping algorithm, IP random mapping algorithm and port random mapping algorithm, chosen according to the security level index of the service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, an IPv6 address and a virtual port, and may also convert the protocol identifier;
  e22. the mapping information storage module stores the service identifier, validity period and the generated virtual MAC address, IPv6 address and port together in the mapping information record database;
  f22. the mapping information storage module passes the virtual MAC address, IP address and port that the internal network element presents externally, together with the changed protocol, to the SDN controller;
  g22. the flow table generation module of the SDN controller generates a flow entry from that information, which replaces the MAC address, IP address and port of the internal network element, changes the TTL at random, fills in the validity period of the flow entry and may also change the protocol type;
  h22. the SDN controller sends the flow entry down to the relevant SDN edge switch;
  i22. the SDN edge switch forwards the packet according to the flow entry.
Beneficial effects of the technical solution of the invention:
The SDN moving target defense system and method map the real information of internal network elements into a space far larger than the original address space, and randomly generate a validity period together with the mapped address according to the security level of the target being accessed, so the difficulty an attacker faces in reconnoitring target information rises greatly. The invention converts every IP address into the IPv6 address space: IPv4 offers at most about 4 billion addresses in theory, whereas IPv6 offers 2^128 (about 3.4 × 10^38) addresses, which raises the difficulty of locating a target IP by many orders of magnitude. MAC addresses are converted as well, making it hard for an attacker to locate the real target. Where a port is present it is also mapped, and the protocol identifier can optionally be changed, which further increases the difficulty of reconnoitring the target and thus protects the security of the intranet as a whole.
Description of the drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. Evidently, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the functional block diagram of the SDN moving target defense system of the invention;
Fig. 2 is the network topology diagram of the SDN moving target defense system of the invention;
Fig. 3 is the flow chart of a packet entering the intranet from the external network in the invention;
Fig. 4 is the flow chart of a packet sent from the intranet to the external network in the invention.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
To overcome the shortcomings of prior-art moving target defense, in which the virtual target that is mapped to is fixed or the virtual target space is small, the invention adopts a moving target defense system and method for SDN that increase the difficulty an attacker faces in reconnoitring a target.
The SDN moving target defense system is implemented on SDN and consists of a moving target defense module and an SDN controller management module, as shown in Fig. 1.
The moving target defense module comprises a flow analysis module, a mapping information storage module, a target conversion module, an encrypted transmission module, a load balancing module, a security authentication module, a service flow record database and a mapping information record database.
The flow analysis module analyses a packet to obtain the flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port; from these it derives the protocol and the service to which the packet belongs and the real machine address of the target being accessed; finally it judges the sensitivity of the service flow and generates a security level index.
The mapping information storage module manages the service flow record database and periodically scans the database to purge entries whose expiry time has passed the configured limit. The target conversion module applies a MAC random mapping algorithm, an IP random mapping algorithm and a port random mapping algorithm, chosen according to the security level index of the service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, an IPv6 address and a virtual port, and can convert the protocol identifier if required; it comprises a MAC mapping module, an IP mapping module, a port mapping module and a protocol identifier change module.
The encrypted transmission module secures communication between MTD servers and between an MTD server and other network elements. The security authentication module authenticates any party that accesses the MTD and admits only internal network elements that hold access rights. The load balancing module monitors the working load of the current MTD server and, when the load exceeds a threshold, hands processing to other MTD servers or applies a safety measure such as simply dropping packets. The service flow record database stores service flow record entries, and the mapping information record database stores mapping information record entries.
The data structure of a service flow record entry is shown in Table 1:
Table 1. Data structure of a service flow record entry
Service ID | Security level | Protocol | External MAC address | External IP address | External port | Real intranet MAC address | Real intranet IP address | Real intranet port |
The data structure of a mapping information record entry is shown in Table 2:
Table 2. Data structure of a mapping information record entry
Service ID | Validity period | Virtual MAC address | Virtual IP address | Virtual port | Protocol identifier |
The SDN controller management module comprises a flow table generation module, a flow table distribution/synchronization module, a route selection module, a DNS service module, a load balancing module, a distributed management module, a secure communication module, a redundant backup module, a security authentication module and a flow table database.
The flow table generation module obtains traffic forwarding rules from the MTD server and generates from those rules the flow table to be deployed to the SDN edge switch. The flow table distribution/synchronization module pushes the flow table to the relevant SDN edge switches, keeps the flow tables on the controller and the switches consistent, and synchronizes flow tables among multiple controllers. The route selection module is responsible for routing decisions. The load balancing module monitors the working load of the current SDN controller and, when the load exceeds a threshold, hands processing to other SDN controllers or applies a safety measure such as simply dropping packets. The distributed management module manages the SDN controller cluster in a distributed manner. The secure communication module ensures that communication takes place securely. The redundant backup module prevents a failure of one SDN controller from affecting the normal operation of the whole system. The security authentication module authenticates any party that accesses the SDN and admits only internal network elements that hold access rights. The flow table database stores the unexpired flow entries associated with the SDN edge switches managed by the current controller. The controller cluster control module communicates with SDN-capable switches through the switch interface communication module using a southbound interface protocol.
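The flow table generation module turns an MTD rewrite rule (real fields to match, virtual fields to set, a validity period and a random TTL) into a flow entry. As an added example that is not part of the patent, the following Python renders such a rule as an Open vSwitch `ovs-ofctl add-flow` command, so that the validity period becomes the entry's `hard_timeout` and an already-expired rule is refused rather than installed. The bridge name, port numbers, the TCP-over-IPv6 match and the assumption that the protected host already carries an IPv6 address are this example's own; the patent's IPv4-to-IPv6 conversion is a header translation (NAT64-style), not a single field rewrite, and is not attempted here. Whether `set_field:N->nw_ttl` is accepted for the IPv6 hop limit should be checked against the ovs-fields(7) page of the OVS version in use; it is assumed here.

```python
# Added example (not the patent's code): render one MTD rewrite rule as an
# ovs-ofctl command. Field names are OVS match / OXM names for TCP over IPv6.
MATCH_FIELD = {"src_mac": "dl_src", "dst_mac": "dl_dst", "src_ip": "ipv6_src",
               "dst_ip": "ipv6_dst", "src_port": "tp_src", "dst_port": "tp_dst"}
SET_FIELD = {"src_mac": "eth_src", "dst_mac": "eth_dst", "src_ip": "ipv6_src",
             "dst_ip": "ipv6_dst", "src_port": "tcp_src", "dst_port": "tcp_dst"}


def ofctl_add_flow(bridge, in_port, out_port, match, set_fields, validity, hop_limit, priority=100):
    """Build the add-flow command for one rule.

    match      -- real header fields the entry matches on (keys of MATCH_FIELD)
    set_fields -- virtual fields written into the packet (keys of SET_FIELD)
    validity   -- remaining validity period in seconds; becomes hard_timeout
    hop_limit  -- the randomly chosen TTL / IPv6 hop limit
    """
    if validity <= 0:
        raise ValueError("validity period has expired; refusing to install the entry")
    if not 1 <= hop_limit <= 255:
        raise ValueError("hop limit out of range")
    unknown = (set(match) - set(MATCH_FIELD)) | (set(set_fields) - set(SET_FIELD))
    if unknown:
        raise ValueError(f"unsupported fields: {sorted(unknown)}")

    parts = [f"priority={priority}", f"hard_timeout={int(validity)}", f"in_port={in_port}", "tcp6"]
    parts += [f"{MATCH_FIELD[k]}={match[k]}" for k in MATCH_FIELD if k in match]
    actions = [f"set_field:{set_fields[k]}->{SET_FIELD[k]}" for k in SET_FIELD if k in set_fields]
    # nw_ttl is OVS's name for the IPv4 TTL / IPv6 hop limit; assumed settable via set_field.
    actions += [f"set_field:{hop_limit}->nw_ttl", f"output:{out_port}"]
    flow = ",".join(parts) + ",actions=" + ",".join(actions)
    return f'ovs-ofctl -O OpenFlow13 add-flow {bridge} "{flow}"'


if __name__ == "__main__":
    # Constructed sample rule: outbound direction, real source -> virtual source.
    print(ofctl_add_flow(
        "br0", 1, 2,
        match={"src_mac": "00:11:22:33:44:55", "src_ip": "2001:db8:1:1::10", "src_port": 40000},
        set_fields={"src_mac": "02:aa:bb:cc:dd:ee", "src_ip": "2001:db8:1:1:1:2:3:4", "src_port": 51234},
        validity=10, hop_limit=64))
```

The entry matches on the real source fields because it is installed on the edge switch's intranet-facing side; the inbound entry is built the same way with the `dst_*` keys. Using `hard_timeout` rather than an idle timeout matters: the mapping must die when its validity period ends even if the flow is still active, otherwise a long-lived connection would keep one virtual address observable indefinitely.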
The network of the SDN moving target defense method is divided into a management network for the SDN moving target defense system and a service network; the two are independent networks. Fig. 2 shows the network topology of the SDN moving target defense method: solid lines represent service traffic and dotted lines represent system management traffic.
The procedure for a packet entering the intranet from the external network is shown in Fig. 3:
When a packet enters the intranet from the external network:
(1) The SDN edge switch receives a packet sent from the outside to the intranet;
(2) The SDN edge switch checks whether the packet matches a forwarding flow entry;
(3) If it matches, the SDN edge switch forwards the packet according to the flow entry;
(4) If it does not match, the SDN edge switch extracts the packet information and forwards it to the SDN controller;
(5) The SDN controller searches the flow table database and checks whether an existing flow entry matches;
(6) If one matches, the SDN controller sends that flow entry down to the relevant SDN edge switch, and the SDN edge switch forwards the packet according to it;
(7) If none matches, the SDN controller forwards the received information to the MTD server for processing;
(8) The flow analysis module of the MTD server analyses the packet and obtains the flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port;
(9) The flow analysis module searches the service flow record database using the obtained information;
(10) If a record is stored in the database:
  a) the mapping information storage module looks up the record entry in the mapping record database using the packet information;
  b) the mapping information storage module looks up the service flow record entry in the service flow record database using the service identifier of that record;
  c) the mapping information storage module obtains the real destination MAC address, real destination IP address and real destination port of the service flow to which the packet belongs;
  d) the MTD server sends the entry information to the SDN controller in a secure manner;
  e) the flow table generation module of the SDN controller converts the received information into a flow entry;
  f) the SDN controller sends the flow entry down to the relevant SDN edge switch;
  g) the SDN edge switch forwards the packet according to the flow entry;
(11) If no record is found in the database:
  a) the flow analysis module analyses the protocol and service of the new service flow and the real machine address of the target being accessed;
  b) the flow analysis module judges the sensitivity of the service flow, generates a security level index and sends it to the mapping information storage module;
  c) the mapping information storage module stores the service identifier, security level index, protocol information, real destination MAC address, real destination IP address, real destination port, source MAC address, source IP address and source port in the service flow record database, keyed by service identifier;
  d) the mapping information storage module obtains the real destination MAC address, real destination IP address and real destination port of the service flow to which the packet belongs;
  e) the MTD server sends the entry information to the SDN controller in a secure manner;
  f) the flow table generation module of the SDN controller converts the received information into a flow entry;
  g) the SDN controller sends the flow entry down to the relevant SDN edge switch;
  h) the SDN edge switch forwards the packet according to the flow entry.
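The inbound procedure just listed (steps S11 to S111 in the summary, repeated here for Fig. 3) and the outbound procedure of steps S21 to S211 (Fig. 4) share one dispatch chain: edge switch flow table, controller flow table database, then the MTD server's two record databases. The following Python is an added example, not the patent's code, that simulates both directions over constructed packets so the expiry behaviour can be observed: a sensitive flow gets a short validity period, the switch and controller entries die with it (`hard_timeout`), the next outbound packet receives a fresh virtual source, and an inbound packet addressed to the old virtual target no longer resolves to any real host. The validity periods per security level, the `2001:db8:1:1::/64` virtual prefix, the sensitivity rule in `classify` and the flat dictionaries standing in for Tables 1 and 2 are all assumptions of the example; the patent's "random TTL" is modelled as an IPv6 hop limit.

```python
# Added example (not the patent's code): toy simulation of the inbound and
# outbound procedures. All constants below are assumptions for the demo.
import secrets
from dataclasses import dataclass

VALIDITY_BY_LEVEL = {1: 300, 2: 60, 3: 10}   # assumed seconds of validity per security level index
VIRTUAL_PREFIX = "2001:db8:1:1"               # assumed /64 reserved for virtual IPv6 addresses


def classify(pkt):
    """Assumed sensitivity rule standing in for the flow analysis module."""
    if pkt["dst_port"] in (22, 3389):
        return 3
    return 2 if pkt["proto"] == "tcp" else 1


def random_mapping():
    """Toy MAC / IPv6 / port random mapping algorithms (target conversion module)."""
    vmac = "02:" + ":".join(f"{b:02x}" for b in secrets.token_bytes(5))   # locally administered, unicast
    vip = VIRTUAL_PREFIX + ":" + ":".join(f"{secrets.randbits(16):x}" for _ in range(4))
    vport = 1024 + secrets.randbelow(64511)
    return vmac, vip, vport


@dataclass
class FlowEntry:
    match: dict          # header fields the entry matches on
    set_fields: dict     # header fields the entry rewrites
    hard_timeout: float  # absolute expiry: the flow entry validity period
    hop_limit: int       # the randomly chosen TTL / hop limit

    def applies(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class MTDServer:
    def __init__(self):
        self.service_db = {}   # Table 1: service id -> security level and real source tuple
        self.mapping_db = {}   # Table 2: service id -> validity and virtual MAC / IPv6 / port

    def purge_expired(self, now):
        """Periodic scan of the mapping information storage module."""
        for sid in [s for s, m in self.mapping_db.items() if m["expiry"] <= now]:
            del self.mapping_db[sid]

    def outbound_rule(self, pkt, now):
        self.purge_expired(now)
        sid = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        rec = self.service_db.setdefault(
            sid, {"level": classify(pkt), "real": (pkt["src_mac"], pkt["src_ip"], pkt["src_port"])})
        m = self.mapping_db.get(sid)
        if m is None:          # steps d21 / d22: generate (or regenerate) the mapping
            vmac, vip, vport = random_mapping()
            m = {"expiry": now + VALIDITY_BY_LEVEL[rec["level"]], "vmac": vmac, "vip": vip, "vport": vport}
            self.mapping_db[sid] = m
        match = {k: pkt[k] for k in ("src_mac", "src_ip", "src_port", "dst_ip", "dst_port", "proto")}
        return FlowEntry(match, {"src_mac": m["vmac"], "src_ip": m["vip"], "src_port": m["vport"]},
                         m["expiry"], secrets.choice((64, 128, 255)))

    def inbound_rule(self, pkt, now):
        self.purge_expired(now)
        for sid, m in self.mapping_db.items():
            if (m["vip"], m["vport"]) == (pkt["dst_ip"], pkt["dst_port"]):
                rmac, rip, rport = self.service_db[sid]["real"]
                match = {k: pkt[k] for k in ("src_ip", "src_port", "dst_ip", "dst_port", "proto")}
                return FlowEntry(match, {"dst_mac": rmac, "dst_ip": rip, "dst_port": rport},
                                 m["expiry"], secrets.choice((64, 128, 255)))
        return None   # unknown or expired virtual target: nothing resolves to a real host


class Controller:
    def __init__(self, mtd):
        self.mtd, self.flow_db = mtd, []

    def packet_in(self, pkt, now, outbound):
        self.flow_db = [e for e in self.flow_db if e.hard_timeout > now]
        hit = next((e for e in self.flow_db if e.applies(pkt)), None)
        if hit is None:
            hit = self.mtd.outbound_rule(pkt, now) if outbound else self.mtd.inbound_rule(pkt, now)
            if hit is not None:
                self.flow_db.append(hit)
        return hit


class EdgeSwitch:
    def __init__(self, ctrl):
        self.ctrl, self.table = ctrl, []

    def forward(self, pkt, now, outbound):
        """Return the packet as forwarded, or None when no flow entry can be installed."""
        self.table = [e for e in self.table if e.hard_timeout > now]
        rule = next((e for e in self.table if e.applies(pkt)), None)
        if rule is None:
            rule = self.ctrl.packet_in(pkt, now, outbound)
            if rule is None:
                return None
            self.table.append(rule)
        out = dict(pkt, **rule.set_fields)
        out["hop_limit"] = rule.hop_limit
        return out
```

A second outbound packet of the same flow is handled entirely in the switch (step S23) and keeps the same virtual source until the validity period lapses; after that the whole chain misses and the MTD server issues a new mapping. The inbound side deliberately installs nothing for a virtual address that is unknown or has expired, so probing a stale address reveals no path to the real host; the patent's no-record branch for inbound traffic (S111) leaves open how the real target is derived, and this is the conservative reading.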
Packet mails to the flow process of outer net as shown in Figure 4 by Intranet:
When packet mails to the flow process of outer net by Intranet:
(1) The SDN edge switch receives a packet sent from the internal network to the external network;
(2) The SDN edge switch checks whether the packet matches a forwarding flow table entry;
(3) If it matches, the SDN edge switch forwards the packet according to the flow table;
(4) If it does not match, the SDN edge switch extracts the packet information and forwards it to the SDN controller;
(5) The SDN controller searches the flow table database and checks whether the packet matches an existing flow table entry;
(6) If it matches, the SDN controller delivers that flow table entry to the relevant SDN edge switch, and the SDN edge switch forwards the packet according to it;
(7) If it does not match, the SDN controller forwards the received information to the MTD server for processing;
(8) The flow analysis module of the MTD server analyses the packet and obtains the service flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port;
(9) The flow analysis module searches the service flow record database using the obtained information;
(10) If the information is stored in the database:
A) The mapping information storage module looks up the record entry in the mapping record database according to the packet information;
B) The mapping information storage module looks up the service flow record entry in the service flow record database according to the service identifier of that record entry, and checks whether the entry has expired;
c) If it has not expired:
i. The mapping information storage module obtains the service flow entry information of the flow this packet belongs to;
ii. The mapping information storage module passes the virtual MAC address, IP address and port to which the internal network element is externally mapped, together with the changed protocol, to the SDN controller;
iii. The flow table generation module of the SDN controller generates a flow table from this information, implementing the replacement of the internal network element's MAC address, IP address and port; at the same time it randomly changes the TTL, fills in the flow table validity period, and may also change the protocol type;
iv. The SDN controller delivers this flow table to the relevant SDN edge switch;
d) If it has expired:
i. The target conversion module applies the MAC random mapping algorithm, the IP random mapping algorithm and the port random mapping algorithm, each according to the security level index of this service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, IPv6 address and port; it may also convert the protocol identifier;
ii. The mapping information storage module stores the service identifier, the validity time and the generated virtual MAC address, IPv6 address and port together in the mapping information record database;
iii. The mapping information storage module passes the virtual MAC address, IP address and port to which the internal network element is externally mapped, together with the changed protocol, to the SDN controller;
iv. The flow table generation module of the SDN controller generates a flow table from this information, implementing the replacement of the internal network element's MAC address, IP address and port; at the same time it randomly changes the TTL, fills in the flow table validity period, and may also change the protocol type;
v. The SDN controller delivers this flow table to the relevant SDN edge switch;
vi. The SDN edge switch forwards the packet according to the flow table;
(11) If the information is not stored in the database:
A) The flow analysis module analyses the protocol of the new service and the service it belongs to;
B) The flow analysis module judges the sensitivity of this service flow, generates a security level index and sends it to the mapping information storage module;
C) The mapping information storage module stores the service identifier, security level index, protocol information, real destination MAC address, real destination IP address, real destination port, source MAC address, source IP address and source port in the service flow record database, indexed by service identifier;
D) The target conversion module applies the MAC random mapping algorithm, the IP random mapping algorithm and the port random mapping algorithm, each according to the security level index of this service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, IPv6 address and port; it may also convert the protocol identifier;
E) The mapping information storage module stores the service identifier, the validity time and the generated virtual MAC address, IPv6 address and port together in the mapping information record database;
F) The mapping information storage module passes the virtual MAC address, IP address and port to which the internal network element is externally mapped, together with the changed protocol, to the SDN controller;
G) The flow table generation module of the SDN controller generates a flow table from this information, implementing the replacement of the internal network element's MAC address, IP address and port; at the same time it randomly changes the TTL, fills in the flow table validity period, and may also change the protocol type;
H) The SDN controller delivers this flow table to the relevant SDN edge switch;
I) The SDN edge switch forwards the packet according to the flow table;
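The two procedures above (external-to-internal and internal-to-external) as one runnable model of the MTD server's part of the work: service flow record database, mapping information record database, level-dependent random mapping of MAC, IPv6 address and port with a validity period, the expiry check that forces a new mapping, the reverse lookup that resolves an inbound virtual destination back to the real host, and the flow table entry the controller would push (rewrite actions, random TTL, validity period as hard_timeout). This is an added example, not code from the patent, which specifies no implementation. Everything concrete is assumed for illustration: the virtual address ranges, the validity windows per security level, the port-based sensitivity heuristic, the service identifier hash, and the shape of the rule dictionary. Both real and virtual addresses are kept IPv6 so that the rewrite is a plain set_field; the optional protocol type change is not implemented.

```python
import hashlib
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional

# Constructed assumptions (the patent fixes none of these): virtual MACs are locally administered,
# virtual IPv6 addresses come from a dedicated /64, ports from the ephemeral range, and the validity
# window shrinks as the security level index rises.
VIRTUAL_PREFIX = ipaddress.IPv6Network("2001:db8:beef::/64")
VALIDITY_BY_LEVEL = {1: (600, 1800), 2: (120, 600), 3: (30, 120)}   # seconds (min, max)
SENSITIVE_PORTS = {22: 3, 3389: 3, 445: 3, 3306: 2, 5432: 2, 443: 1, 80: 1}

@dataclass(frozen=True)
class Packet:
    proto: str
    src_mac: str
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int

@dataclass
class Mapping:
    service_id: str
    virt_mac: str
    virt_ip: str
    virt_port: int
    expires_at: float

def service_id(pkt: Packet) -> str:
    """Service flow identifier: hash of the protocol and the real 4-tuple (flow analysis step)."""
    key = f"{pkt.proto}|{pkt.src_ip}|{pkt.src_port}|{pkt.dst_ip}|{pkt.dst_port}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def security_level(pkt: Packet) -> int:
    """Sensitivity judgement; an assumed port heuristic stands in for the patent's analysis."""
    return SENSITIVE_PORTS.get(pkt.dst_port, 2)

def random_mapping(sid: str, level: int, now: float, rng: random.Random) -> Mapping:
    """MAC, IP and port random mapping, with a validity period drawn for the security level."""
    mac = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
    ip = str(VIRTUAL_PREFIX[rng.getrandbits(64)])
    port = rng.randrange(49152, 65536)
    lo, hi = VALIDITY_BY_LEVEL[level]
    return Mapping(sid, mac, ip, port, now + rng.uniform(lo, hi))

def flow_rule(match: dict, set_fields: dict, expires_in: float, rng: random.Random) -> dict:
    """OpenFlow-style entry: set_field rewrites, a randomised TTL, validity period as hard_timeout."""
    actions = [{"set_field": {k: v}} for k, v in set_fields.items()]
    actions.append({"set_ip_ttl": rng.randrange(32, 255)})   # hide the real hop count
    actions.append({"output": "NORMAL"})
    return {"match": match, "actions": actions, "hard_timeout": max(int(expires_in), 1)}

class MtdServer:
    def __init__(self, seed: int = 0):
        self.rng = random.Random(seed)
        self.service_flows = {}   # service flow record database: sid -> {"level", "pkt"}
        self.mappings = {}        # mapping information record database: sid -> Mapping
        self.by_virtual = {}      # reverse index: (virt_mac, virt_ip, virt_port) -> sid

    def _store_mapping(self, m: Mapping) -> None:
        old = self.mappings.get(m.service_id)
        if old is not None:       # a replaced mapping must stop resolving inbound traffic
            self.by_virtual.pop((old.virt_mac, old.virt_ip, old.virt_port), None)
        self.mappings[m.service_id] = m
        self.by_virtual[(m.virt_mac, m.virt_ip, m.virt_port)] = m.service_id

    def handle_outbound(self, pkt: Packet, now: float) -> dict:
        """Internal to external: give the real source a fresh or still valid virtual identity."""
        sid = service_id(pkt)
        rec = self.service_flows.get(sid)
        if rec is None:                                  # step (11): new service flow
            rec = {"level": security_level(pkt), "pkt": pkt}
            self.service_flows[sid] = rec
        m = self.mappings.get(sid)
        if m is None or m.expires_at <= now:             # step (10 d): missing or expired
            m = random_mapping(sid, rec["level"], now, self.rng)
            self._store_mapping(m)
        return flow_rule(
            {"eth_src": pkt.src_mac, "ipv6_src": pkt.src_ip, "tcp_src": pkt.src_port},
            {"eth_src": m.virt_mac, "ipv6_src": m.virt_ip, "tcp_src": m.virt_port},
            m.expires_at - now, self.rng)

    def handle_inbound(self, pkt: Packet, now: float) -> Optional[dict]:
        """External to internal: translate the virtual destination back to the real host."""
        sid = self.by_virtual.get((pkt.dst_mac, pkt.dst_ip, pkt.dst_port))
        m = self.mappings.get(sid) if sid is not None else None
        if m is None or m.expires_at <= now:
            return None                                   # unknown or stale virtual identity
        real = self.service_flows[sid]["pkt"]
        return flow_rule(
            {"eth_dst": m.virt_mac, "ipv6_dst": m.virt_ip, "tcp_dst": m.virt_port},
            {"eth_dst": real.src_mac, "ipv6_dst": real.src_ip, "tcp_dst": real.src_port},
            m.expires_at - now, self.rng)
```

Two points the step list does not spell out are visible here: the reverse index must be updated when a mapping is replaced, otherwise a scanner that learned the old virtual address keeps reaching the host after the hop; and the switch-side hard_timeout must be derived from the same expiry time as the database entry, otherwise the switch keeps rewriting to an identity the MTD server has already retired.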
By mapping the information of the real internal network elements into a space far vaster than the original address space, and by randomly generating a validity period together with the transformed mapped address according to the security level of the accessed target, the present invention greatly increases the difficulty for an attacker to detect target information.
The SDN moving target defense system and method provided by the embodiments of the present invention have been described in detail above. Specific cases have been used here to explain the principle and implementation of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art will, following the idea of the present invention, make changes in specific implementations and scope of application. In summary, this description should not be construed as limiting the present invention.
Claims (4)
1. An SDN moving target defense system, characterised in that the system consists of a moving target defense module and an SDN controller management module;
The moving target defense module comprises a flow analysis module, a mapping information storage module, a target conversion module, an encrypted transmission module, a load balancing module, a security authentication module, a service flow record database and a mapping information record database;
The flow analysis module analyses packets and obtains the service flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port; from these it derives the protocol of the service the packet belongs to, the service itself and the real host address of the target being accessed, and finally judges the sensitivity of the service flow and generates a security level index;
The mapping information storage module is responsible for storage management of the service flow record database, and periodically scans the database to clear out flow table entries whose expiry time has passed the set point;
The target conversion module can use random mapping algorithms, according to the security level index of the service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, IPv6 address and port;
The encrypted transmission module guarantees the security of communication between MTD servers, and between an MTD server and other network elements;
The security authentication module authenticates objects accessing the MTD and only allows internal network elements with access rights to enter;
The load balancing module monitors the working load of the current MTD server, and when the load exceeds a threshold transfers processing to other MTD servers or performs a safety measure such as simply dropping packets;
The service flow record database stores service flow record entries, and the mapping information record database stores mapping information record entries;
The SDN controller management module comprises a flow table generation module, a flow table distribution/synchronisation module, a route selection module, a DNS service module, a load balancing module, a distributed management module, a secure communication module, a redundancy backup module, a security authentication module and a flow table database;
The flow table generation module obtains traffic forwarding rules from the MTD server and, according to these rules, generates the flow tables to be deployed to the SDN edge switches;
The flow table distribution/synchronisation module pushes flow tables to the relevant SDN edge switches, keeps the flow tables on the controller and the switches consistent, and synchronises flow tables between multiple controllers;
The route selection module is responsible for routing decisions;
The load balancing module monitors the working load of the current SDN controller, and when the load exceeds a threshold transfers processing to other SDN controllers or performs a safety measure such as simply dropping packets;
The distributed management module performs distributed management of the SDN controller cluster;
The secure communication module guarantees that communication is carried out securely;
The redundancy backup module prevents a failure of an SDN controller from affecting the normal operation of the whole system;
The security authentication module authenticates objects accessing the SDN and only allows internal network elements with access rights to enter;
The flow table database stores the unexpired flow table entries associated with the SDN edge switches managed by the current controller;
The controller cluster control module communicates with SDN-capable switches through the switch interface communication module using a southbound interface protocol.
2. The system according to claim 1, characterised in that the target conversion module comprises a MAC mapping module, an IP mapping module, a port mapping module and a protocol identifier change module.
3. The system according to claim 1, characterised in that the random algorithms the target conversion module can use according to the security level index of the service flow comprise a MAC random mapping algorithm, an IP random mapping algorithm and a port random mapping algorithm.
4. An SDN moving target defense method, characterised in that the method maps the information of the real internal network elements into a space far vaster than the original address space, and randomly generates a validity period together with the transformed mapped address according to the security level of the accessed target, greatly increasing the difficulty for an attacker to detect target information; the specific flow is:
The flow for a packet entering the internal network from the external network:
S11 The SDN edge switch receives a packet forwarded from the outside to the internal network;
S12 The SDN edge switch checks whether the packet matches a forwarding flow table entry;
S13 If it matches, the SDN edge switch forwards the packet according to the flow table;
S14 If it does not match, the SDN edge switch extracts the packet information and forwards it to the SDN controller;
S15 The SDN controller searches the flow table database and checks whether the packet matches an existing flow table entry;
S16 If it matches, the SDN controller delivers that flow table entry to the relevant SDN edge switch, and the SDN edge switch forwards the packet according to it;
S17 If it does not match, the SDN controller forwards the received information to the MTD server for processing;
S18 The flow analysis module of the MTD server analyses the packet and obtains the service flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port;
S19 The flow analysis module searches the service flow record database using the obtained information;
S110 If it is stored in the database:
a11 The mapping information storage module looks up the record entry in the mapping record database according to the packet information;
b11 The mapping information storage module looks up the service flow record entry in the service flow record database according to the service identifier of that record entry;
c11 The mapping information storage module obtains the real destination MAC address, real destination IP address and real destination port of the service flow this packet belongs to;
d11 The MTD server sends the table entry information to the SDN controller in a secure manner;
e11 The flow table generation module of the SDN controller converts the received information into a flow table;
f11 The SDN controller delivers this flow table to the relevant SDN edge switch;
g11 The SDN edge switch forwards the packet according to the flow table;
S111 If no such record is found in the database:
a12 The flow analysis module analyses the protocol of the new service, the service it belongs to and the real host address of the target being accessed;
b12 The flow analysis module judges the sensitivity of this service flow, generates a security level index and sends it to the mapping information storage module;
c12 The mapping information storage module stores the service identifier, security level index, protocol information, real destination MAC address, real destination IP address, real destination port, source MAC address, source IP address and source port in the service flow record database, indexed by service identifier;
d12 The mapping information storage module obtains the real destination MAC address, real destination IP address and real destination port of the service flow this packet belongs to;
e12 The MTD server sends the table entry information to the SDN controller in a secure manner;
f12 The flow table generation module of the SDN controller converts the received information into a flow table;
g12 The SDN controller delivers this flow table to the relevant SDN edge switch;
h12 The SDN edge switch forwards the packet according to the flow table;
The flow for a packet sent from the internal network to the external network:
S21 The SDN edge switch receives a packet sent from the internal network to the external network;
S22 The SDN edge switch checks whether the packet matches a forwarding flow table entry;
S23 If it matches, the SDN edge switch forwards the packet according to the flow table;
S24 If it does not match, the SDN edge switch extracts the packet information and forwards it to the SDN controller;
S25 The SDN controller searches the flow table database and checks whether the packet matches an existing flow table entry;
S26 If it matches, the SDN controller delivers that flow table entry to the relevant SDN edge switch, and the SDN edge switch forwards the packet according to it;
S27 If it does not match, the SDN controller forwards the received information to the MTD server for processing;
S28 The flow analysis module of the MTD server analyses the packet and obtains the service flow identifier, protocol, destination MAC address, destination IP address, destination port, source MAC address, source IP address and source port;
S29 The flow analysis module searches the service flow record database using the obtained information;
S210 If the information is stored in the database:
a21 The mapping information storage module looks up the record entry in the mapping record database according to the packet information;
b21 The mapping information storage module looks up the service flow record entry in the service flow record database according to the service identifier of that record entry, and checks whether the entry has expired;
c21 If it has not expired:
i. The mapping information storage module obtains the service flow entry information of the flow this packet belongs to;
ii. The mapping information storage module passes the virtual MAC address, IP address and port to which the internal network element is externally mapped, together with the changed protocol, to the SDN controller;
iii. The flow table generation module of the SDN controller generates a flow table from this information, implementing the replacement of the internal network element's MAC address, IP address and port; at the same time it randomly changes the TTL, fills in the flow table validity period, and may also change the protocol type;
iv. The SDN controller delivers this flow table to the relevant SDN edge switch;
d21 If it has expired:
i. The target conversion module applies the MAC random mapping algorithm, the IP random mapping algorithm and the port random mapping algorithm, each according to the security level index of this service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, IPv6 address and port; it may also convert the protocol identifier;
ii. The mapping information storage module stores the service identifier, the validity time and the generated virtual MAC address, IPv6 address and port together in the mapping information record database;
iii. The mapping information storage module passes the virtual MAC address, IP address and port to which the internal network element is externally mapped, together with the changed protocol, to the SDN controller;
iv. The flow table generation module of the SDN controller generates a flow table from this information, implementing the replacement of the internal network element's MAC address, IP address and port; at the same time it randomly changes the TTL, fills in the flow table validity period, and may also change the protocol type;
v. The SDN controller delivers this flow table to the relevant SDN edge switch;
vi. The SDN edge switch forwards the packet according to the flow table;
S211 If the information is not stored in the database:
a22 The flow analysis module analyses the protocol of the new service and the service it belongs to;
b22 The flow analysis module judges the sensitivity of this service flow, generates a security level index and sends it to the mapping information storage module;
c22 The mapping information storage module stores the service identifier, security level index, protocol information, real destination MAC address, real destination IP address, real destination port, source MAC address, source IP address and source port in the service flow record database, indexed by service identifier;
d22 The target conversion module applies the MAC random mapping algorithm, the IP random mapping algorithm and the port random mapping algorithm, each according to the security level index of this service flow, to map the source MAC address, source IP address and source port to a virtual MAC address, IPv6 address and port; it may also convert the protocol identifier;
e22 The mapping information storage module stores the service identifier, the validity time and the generated virtual MAC address, IPv6 address and port together in the mapping information record database;
f22 The mapping information storage module passes the virtual MAC address, IP address and port to which the internal network element is externally mapped, together with the changed protocol, to the SDN controller;
g22 The flow table generation module of the SDN controller generates a flow table from this information, implementing the replacement of the internal network element's MAC address, IP address and port; at the same time it randomly changes the TTL, fills in the flow table validity period, and may also change the protocol type;
h22 The SDN controller delivers this flow table to the relevant SDN edge switch;
i22 The SDN edge switch forwards the packet according to the flow table.
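Steps d11/e12 above and the encrypted transmission and security authentication modules of claim 1 require each table entry to reach the SDN controller in a secure manner, but the patent names the modules without fixing a mechanism. The following added example, not the patent's own design, shows one way to authenticate the entry message: an HMAC-SHA256 tag over a canonical JSON encoding of the payload, a timestamp against stale delivery, and a per-sender sequence number against replay, so that forged, modified, stale and replayed entries are all rejected before the flow table generation module sees them. The pre-shared key, sender identifier and 30-second skew window are constructed for the example; confidentiality (the encrypted part) is assumed to come from TLS or an AEAD on the transport and is not shown.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed assumption: one pre-shared 256-bit key per (MTD server, controller) pair,
# provisioned out of band. A real deployment would use a distinct key per peer.
PSK = bytes.fromhex("6f2d1c0b9a8e7f6d5c4b3a291817f6e5d4c3b2a1908f7e6d5c4b3a2918f7e6d5")
MAX_SKEW = 30.0   # seconds a message may be in flight before the controller treats it as stale

def canonical(payload: dict) -> bytes:
    """Deterministic encoding so that sender and receiver tag exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

class MtdSender:
    """MTD server side: wraps a table entry with sender id, sequence number, timestamp and tag."""

    def __init__(self, sender_id: str, key: bytes = PSK):
        self.sender_id, self.key, self.seq = sender_id, key, 0

    def wrap(self, entry: dict, now: Optional[float] = None) -> dict:
        self.seq += 1
        payload = {"sender": self.sender_id, "seq": self.seq,
                   "ts": time.time() if now is None else now, "entry": entry}
        tag = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}

class ControllerReceiver:
    """Controller side: security authentication of the sender, then freshness and replay checks."""

    def __init__(self, allowed_senders: dict):
        self.keys = allowed_senders   # sender id -> key; unknown senders are rejected outright
        self.last_seq = {}

    def unwrap(self, msg: dict, now: Optional[float] = None) -> Optional[dict]:
        payload, tag = msg.get("payload", {}), msg.get("tag", "")
        key = self.keys.get(payload.get("sender"))
        if key is None:
            return None
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):      # constant-time comparison
            return None
        now = time.time() if now is None else now
        if abs(now - payload["ts"]) > MAX_SKEW:
            return None
        if payload["seq"] <= self.last_seq.get(payload["sender"], 0):
            return None                                  # replayed or reordered entry
        self.last_seq[payload["sender"]] = payload["seq"]
        return payload["entry"]
```

The sequence number is checked after the tag, so an attacker cannot advance the receiver's counter with unauthenticated traffic; the timestamp bounds how long a captured message stays usable if the receiver's state is lost and the counter restarts.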
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410778930.XA CN104506511A (en) | 2014-12-15 | 2014-12-15 | Moving target defense system and moving target defense method for SDN (self-defending network) |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104506511A true CN104506511A (en) | 2015-04-08 |
Family
ID=52948226
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410778930.XA Pending CN104506511A (en) | 2014-12-15 | 2014-12-15 | Moving target defense system and moving target defense method for SDN (self-defending network) |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104506511A (en) |
Cited By (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104853002A (en) * | 2015-04-29 | 2015-08-19 | 中国互联网络信息中心 | DNS resolution system and DNS resolution method based on SDN |
CN105141641A (en) * | 2015-10-14 | 2015-12-09 | 武汉大学 | Chaos moving target defense method based on SDN and system thereof |
CN105162608A (en) * | 2015-10-13 | 2015-12-16 | 上海斐讯数据通信技术有限公司 | Physical address bypass authentication method and device based on software-defined network |
CN105721457A (en) * | 2016-01-30 | 2016-06-29 | 耿童童 | Network security defense system and network security defense method based on dynamic transformation |
CN106357535A (en) * | 2016-08-29 | 2017-01-25 | 广州西麦科技股份有限公司 | Issuing method, system and controller of SDN flow table |
WO2017035717A1 (en) * | 2015-08-29 | 2017-03-09 | 华为技术有限公司 | Distributed denial of service attack detection method and associated device |
CN106603541A (en) * | 2016-12-21 | 2017-04-26 | 哈尔滨安天科技股份有限公司 | Honeynet system based on differentiated flow processing mechanism |
CN107343011A (en) * | 2017-09-04 | 2017-11-10 | 北京经纬信安科技有限公司 | A kind of endogenous intimidation defense equipment based on dynamic object defence |
CN108063761A (en) * | 2017-12-11 | 2018-05-22 | 新华三云计算技术有限公司 | Network processing method, cloud platform and software defined network SDN controllers |
CN108123916A (en) * | 2016-11-28 | 2018-06-05 | 中国移动通信集团辽宁有限公司 | Network safety protection method, device, server and system |
CN108353068A (en) * | 2015-10-20 | 2018-07-31 | 慧与发展有限责任合伙企业 | The intrusion prevention system of SDN controllers auxiliary |
CN109104404A (en) * | 2018-06-20 | 2018-12-28 | 广州中国科学院软件应用技术研究所 | A kind of medical big data system and method for dynamic encryption |
CN109218060A (en) * | 2017-07-07 | 2019-01-15 | 中兴通讯股份有限公司 | A kind of method and device of business configuration driving flow table |
CN109495440A (en) * | 2018-09-06 | 2019-03-19 | 国家电网有限公司 | A kind of random device of Intranet dynamic security |
CN109510795A (en) * | 2017-09-14 | 2019-03-22 | 蓝盾信息安全技术股份有限公司 | A kind of intelligent DDOS defense technique based on isolated device |
CN109818953A (en) * | 2019-01-21 | 2019-05-28 | 常州工程职业技术学院 | A kind of sensor safe defense technique in mobile Internet of things system |
CN109862045A (en) * | 2019-04-01 | 2019-06-07 | 中科天御(苏州)科技有限公司 | A kind of industrial control system dynamic security method and device based on SDN |
CN109981803A (en) * | 2017-12-27 | 2019-07-05 | 中兴通讯股份有限公司 | Service request processing method and device |
CN110177031A (en) * | 2019-06-18 | 2019-08-27 | 深圳职业技术学院 | A kind of data monitoring control system and its method for monitoring and controlling based on SDN network |
CN110266518A (en) * | 2019-05-22 | 2019-09-20 | 清华大学 | The address IPv6 source tracing method, device and electronic equipment based on SDN |
CN111385228A (en) * | 2020-02-26 | 2020-07-07 | 天津理工大学 | Mobile target defense method based on openflow switch port confusion |
CN108173827B (en) * | 2017-12-22 | 2020-09-08 | 南京邮电大学 | Block chain thinking-based distributed SDN control plane security authentication method |
CN112187523A (en) * | 2020-09-10 | 2021-01-05 | 华云数据控股集团有限公司 | Network high-availability implementation method and super-convergence system |
US10958478B2 (en) * | 2016-11-18 | 2021-03-23 | Securboration, Inc. | Resilient polymorphic network architectures |
CN112738165A (en) * | 2020-12-18 | 2021-04-30 | 北京中电普华信息技术有限公司 | OVS-DPDK framework based on OVS modification and data packet processing method |
CN113098900A (en) * | 2021-04-29 | 2021-07-09 | 福建奇点时空数字科技有限公司 | SDN network IP hopping method supporting address space expansion |
CN113098894A (en) * | 2021-04-22 | 2021-07-09 | 福建奇点时空数字科技有限公司 | SDN IP address hopping method based on randomization algorithm |
CN113114666A (en) * | 2021-04-09 | 2021-07-13 | 天津理工大学 | Moving target defense method for scanning attack in SDN network |
CN113206848A (en) * | 2021-04-29 | 2021-08-03 | 福建奇点时空数字科技有限公司 | SDN moving target defense implementation method based on self-evolution configuration |
CN113225315A (en) * | 2021-04-08 | 2021-08-06 | 福建奇点时空数字科技有限公司 | MTD anti-network scanning method based on port fuzzy processing response |
CN114244586A (en) * | 2021-12-03 | 2022-03-25 | 中国人民解放军海军工程大学 | Self-adaptive moving target defense method and system for Web service |
CN114257538A (en) * | 2021-12-07 | 2022-03-29 | 中国人民解放军63891部队 | SDN-based address random transformation method |
CN115051836A (en) * | 2022-05-18 | 2022-09-13 | 中国人民解放军战略支援部队信息工程大学 | APT attack dynamic defense method and system based on SDN |
CN115174462A (en) * | 2022-06-28 | 2022-10-11 | 北京东土军悦科技有限公司 | Method and device for acquiring data forwarding table, forwarding equipment, controller and medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103152361A (en) * | 2013-03-26 | 2013-06-12 | 华为技术有限公司 | Access control method as well as equipment and system |
CN103561011A (en) * | 2013-10-28 | 2014-02-05 | 中国科学院信息工程研究所 | Method and system for preventing blind DDoS attacks on SDN controllers |
US20140122668A1 (en) * | 2012-10-25 | 2014-05-01 | Tellabs Oy | Method and a controller device for configuring a software-defined network |
CN104184749A (en) * | 2014-09-15 | 2014-12-03 | 上海斐讯数据通信技术有限公司 | SDN network access method and system |
CN104202303A (en) * | 2014-08-11 | 2014-12-10 | 华中科技大学 | Policy conflict detection method and system for SDN (Software Defined Network) application |
-
2014
- 2014-12-15 CN CN201410778930.XA patent/CN104506511A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140122668A1 (en) * | 2012-10-25 | 2014-05-01 | Tellabs Oy | Method and a controller device for configuring a software-defined network |
CN103152361A (en) * | 2013-03-26 | 2013-06-12 | 华为技术有限公司 | Access control method as well as equipment and system |
CN103561011A (en) * | 2013-10-28 | 2014-02-05 | 中国科学院信息工程研究所 | Method and system for preventing blind DDoS attacks on SDN controllers |
CN104202303A (en) * | 2014-08-11 | 2014-12-10 | 华中科技大学 | Policy conflict detection method and system for SDN (Software Defined Network) application |
CN104184749A (en) * | 2014-09-15 | 2014-12-03 | 上海斐讯数据通信技术有限公司 | SDN network access method and system |
Cited By (51)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104853002B (en) * | 2015-04-29 | 2018-04-27 | 中国互联网络信息中心 | A kind of dns resolution system and analytic method based on SDN network |
CN104853002A (en) * | 2015-04-29 | 2015-08-19 | 中国互联网络信息中心 | DNS resolution system and DNS resolution method based on SDN |
WO2017035717A1 (en) * | 2015-08-29 | 2017-03-09 | 华为技术有限公司 | Distributed denial of service attack detection method and associated device |
CN105162608A (en) * | 2015-10-13 | 2015-12-16 | 上海斐讯数据通信技术有限公司 | Physical address bypass authentication method and device based on software-defined network |
CN105141641A (en) * | 2015-10-14 | 2015-12-09 | 武汉大学 | Chaos moving target defense method based on SDN and system thereof |
CN105141641B (en) * | 2015-10-14 | 2018-05-11 | 武汉大学 | A kind of Chaos movement target defence methods and system based on SDN |
CN108353068A (en) * | 2015-10-20 | 2018-07-31 | 慧与发展有限责任合伙企业 | The intrusion prevention system of SDN controllers auxiliary |
CN108353068B (en) * | 2015-10-20 | 2021-05-07 | 慧与发展有限责任合伙企业 | SDN controller assisted intrusion prevention system |
CN105721457B (en) * | 2016-01-30 | 2019-04-30 | 北京卫达信息技术有限公司 | Network security protection system and network security defence method based on dynamic mapping |
CN105721457A (en) * | 2016-01-30 | 2016-06-29 | 耿童童 | Network security defense system and network security defense method based on dynamic transformation |
CN106357535A (en) * | 2016-08-29 | 2017-01-25 | 广州西麦科技股份有限公司 | Issuing method, system and controller of SDN flow table |
US10958478B2 (en) * | 2016-11-18 | 2021-03-23 | Securboration, Inc. | Resilient polymorphic network architectures |
CN108123916A (en) * | 2016-11-28 | 2018-06-05 | 中国移动通信集团辽宁有限公司 | Network safety protection method, device, server and system |
CN108123916B (en) * | 2016-11-28 | 2021-10-29 | 中国移动通信集团辽宁有限公司 | Network security protection method, device, server and system |
CN106603541A (en) * | 2016-12-21 | 2017-04-26 | 哈尔滨安天科技股份有限公司 | Honeynet system based on differentiated flow processing mechanism |
CN109218060A (en) * | 2017-07-07 | 2019-01-15 | 中兴通讯股份有限公司 | A kind of method and device of business configuration driving flow table |
CN107343011A (en) * | 2017-09-04 | 2017-11-10 | 北京经纬信安科技有限公司 | A kind of endogenous intimidation defense equipment based on dynamic object defence |
CN109510795A (en) * | 2017-09-14 | 2019-03-22 | 蓝盾信息安全技术股份有限公司 | A kind of intelligent DDOS defense technique based on isolated device |
CN108063761B (en) * | 2017-12-11 | 2019-09-13 | 新华三云计算技术有限公司 | Network processing method, cloud platform and software defined network SDN controller |
CN108063761A (en) * | 2017-12-11 | 2018-05-22 | 新华三云计算技术有限公司 | Network processing method, cloud platform and software defined network SDN controllers |
CN108173827B (en) * | 2017-12-22 | 2020-09-08 | 南京邮电大学 | Block chain thinking-based distributed SDN control plane security authentication method |
CN109981803A (en) * | 2017-12-27 | 2019-07-05 | 中兴通讯股份有限公司 | Service request processing method and device |
US11451510B2 (en) | 2017-12-27 | 2022-09-20 | Zte Corporation | Method and apparatus for processing service request |
CN109104404A (en) * | 2018-06-20 | 2018-12-28 | 广州中国科学院软件应用技术研究所 | A kind of medical big data system and method for dynamic encryption |
CN109495440A (en) * | 2018-09-06 | 2019-03-19 | 国家电网有限公司 | A kind of random device of Intranet dynamic security |
CN109818953A (en) * | 2019-01-21 | 2019-05-28 | 常州工程职业技术学院 | A kind of sensor safe defense technique in mobile Internet of things system |
CN109862045A (en) * | 2019-04-01 | 2019-06-07 | 中科天御(苏州)科技有限公司 | A kind of industrial control system dynamic security method and device based on SDN |
CN109862045B (en) * | 2019-04-01 | 2021-06-01 | 中科天御(苏州)科技有限公司 | SDN-based industrial control system dynamic defense method and device |
CN110266518B (en) * | 2019-05-22 | 2020-05-15 | 清华大学 | IPv6 address tracing method and device based on SDN and electronic equipment |
CN110266518A (en) * | 2019-05-22 | 2019-09-20 | 清华大学 | The address IPv6 source tracing method, device and electronic equipment based on SDN |
CN110177031A (en) * | 2019-06-18 | 2019-08-27 | 深圳职业技术学院 | A kind of data monitoring control system and its method for monitoring and controlling based on SDN network |
CN110177031B (en) * | 2019-06-18 | 2021-01-01 | 深圳职业技术学院 | SDN network-based data monitoring control system and monitoring control method thereof |
CN111385228B (en) * | 2020-02-26 | 2022-02-18 | 天津理工大学 | Mobile target defense method based on openflow switch port confusion |
CN111385228A (en) * | 2020-02-26 | 2020-07-07 | 天津理工大学 | Mobile target defense method based on openflow switch port confusion |
CN112187523A (en) * | 2020-09-10 | 2021-01-05 | 华云数据控股集团有限公司 | Network high-availability implementation method and super-convergence system |
CN112738165A (en) * | 2020-12-18 | 2021-04-30 | 北京中电普华信息技术有限公司 | OVS-DPDK framework based on OVS modification and data packet processing method |
CN113225315A (en) * | 2021-04-08 | 2021-08-06 | 福建奇点时空数字科技有限公司 | MTD anti-network scanning method based on port fuzzy processing response |
CN113114666A (en) * | 2021-04-09 | 2021-07-13 | 天津理工大学 | Moving target defense method for scanning attack in SDN network |
CN113114666B (en) * | 2021-04-09 | 2022-02-22 | 天津理工大学 | Moving target defense method for scanning attack in SDN network |
CN113098894A (en) * | 2021-04-22 | 2021-07-09 | 福建奇点时空数字科技有限公司 | SDN IP address hopping method based on randomization algorithm |
CN113206848A (en) * | 2021-04-29 | 2021-08-03 | 福建奇点时空数字科技有限公司 | SDN moving target defense implementation method based on self-evolution configuration |
CN113098900A (en) * | 2021-04-29 | 2021-07-09 | 福建奇点时空数字科技有限公司 | SDN network IP hopping method supporting address space expansion |
CN113098900B (en) * | 2021-04-29 | 2023-04-07 | 厦门美域中央信息科技有限公司 | SDN network IP hopping method supporting address space expansion |
CN114244586A (en) * | 2021-12-03 | 2022-03-25 | 中国人民解放军海军工程大学 | Self-adaptive moving target defense method and system for Web service |
CN114244586B (en) * | 2021-12-03 | 2023-06-20 | 中国人民解放军海军工程大学 | Self-adaptive mobile target defense method and system for Web service |
CN114257538A (en) * | 2021-12-07 | 2022-03-29 | 中国人民解放军63891部队 | SDN-based address random transformation method |
CN114257538B (en) * | 2021-12-07 | 2023-08-25 | 中国人民解放军63891部队 | SDN-based address random transformation method |
CN115051836A (en) * | 2022-05-18 | 2022-09-13 | 中国人民解放军战略支援部队信息工程大学 | APT attack dynamic defense method and system based on SDN |
CN115051836B (en) * | 2022-05-18 | 2023-08-04 | 中国人民解放军战略支援部队信息工程大学 | SDN-based APT attack dynamic defense method and system |
CN115174462A (en) * | 2022-06-28 | 2022-10-11 | 北京东土军悦科技有限公司 | Method and device for acquiring data forwarding table, forwarding equipment, controller and medium |
CN115174462B (en) * | 2022-06-28 | 2024-02-06 | 北京东土军悦科技有限公司 | Method and device for acquiring data forwarding table, forwarding equipment, controller and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104506511A (en) | | Moving target defense system and moving target defense method for SDN (self-defending network) |
CN108289104B (en) | | Industrial SDN network DDoS attack detection and mitigation method |
US9413718B1 (en) | | Load balancing among a cluster of firewall security devices |
CN105391771B (en) | | A multi-tenant-oriented cloud network system |
CN105830395B (en) | | Session-based packet routing for facilitating analytics |
CN107332812B (en) | | Method and device for realizing network access control |
US9288183B2 (en) | | Load balancing among a cluster of firewall security devices |
CN103650427B (en) | | Integrated system for routing Ethernet packets over an Internet Protocol network |
Al-Shaer | | Toward network configuration randomization for moving target defense |
US9385949B2 (en) | | Routing controlled by subnet managers |
CN105991655B (en) | | Method and apparatus for mitigating neighbor discovery-based denial of service attacks |
EP2656559B1 (en) | | Method and apparatus for applying client associated policies in a forwarding engine |
CN105721457A (en) | | Network security defense system and network security defense method based on dynamic transformation |
Li et al. | | A new method for providing network services: Service function chain |
CN112383944B (en) | | Unmanned aerial vehicle swarm self-adaptive networking method with built-in blockchain |
CN106027491B (en) | | Split-link communication processing method and system based on isolated IP addresses |
Srinath et al. | | Detection and Prevention of ARP spoofing using Centralized Server |
Chen et al. | | Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties |
Modarresi et al. | | A framework for improving network resilience using SDN and fog nodes |
Vatambeti et al. | | Identifying and detecting black hole and gray hole attack in MANET using gray wolf optimization |
Liu et al. | | Netobfu: A lightweight and efficient network topology obfuscation defense scheme |
CN102752266B (en) | | Access control method and equipment thereof |
Islam et al. | | SDoT-NFV: Enhancing a distributed SDN-IoT architecture security with NFV implementation for smart city |
Diwan et al. | | Security mechanism in RIPv2, EIGRP and OSPF for campus network - a review |
CN114710388B (en) | | Campus network security system and network monitoring system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20150408 |