CN104539625A - Network security defense system based on software-defined network and working method of network security defense system - Google Patents


Info

Publication number: CN104539625A
Application number: CN201510011590.2A
Authority: CN (China)
Prior art keywords: message, attack, ids, sdn controller, shielding
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN104539625B (en)
Inventors: 韩红章, 严莉, 李忠, 张�杰
Current assignee: Changzhou Malafeng Network Technology Co ltd
Original assignee: Jiangsu University of Technology

Legal events:
Application filed by Jiangsu University of Technology
Priority to CN201510011590.2A
Publication of CN104539625A
Application granted
Publication of CN104539625B
Status: Active

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network architectures or protocols for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218: Distributed architectures, e.g. distributed firewalls
    • H04L 63/0227: Filtering policies
    • H04L 63/14: Network architectures or protocols for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network security defense system based on a software-defined network and a working method for it. The system comprises an SDN controller, an IDS decision-making server and an IDS device. The IDS device spot-checks messages: when it detects messages with DDoS attack characteristics, it reports them to the IDS decision-making server; the IDS decision-making server formulates, according to the reported information, a processing strategy for the messages with DDoS attack characteristics and issues that strategy to the SDN controller for threat processing. Because messages are detected by spot-checking, the burden on the SDN controller is greatly reduced; because detection and decision-making are separated, the burden on the server is reduced further; and the system is therefore better suited to network transmission of high-volume data.

Description

Network security defense system based on a software-defined network and working method thereof
Technical field
The present invention relates to the field of network security, and in particular to a network security defense system and its working method.
Background technology
At present, with the expansion of the Internet, the latest report issued by the National Computer Network Emergency Response Technical Team/Coordination Center shows that DDoS attack incidents are rising sharply, and the Internet security of nations and enterprises faces severe challenges.
Distributed denial of service (DDoS) attacks remain one of the most serious threats to the secure operation of the Internet. In the past few years the number, size and variety of DDoS attacks have all risen sharply.
Software-defined networking (SDN) can update routing policies and rules in real time and supports features such as deep packet analysis, so it can provide faster and more accurate network monitoring and defense against DDoS threats in complex network environments.
However, in implementing SDN-based schemes it has been found that the SDN controller has very high hardware requirements when handling attacks; under a large-scale DDoS attack in particular, the SDN controller's ability to respond is easily overwhelmed.
Summary of the invention
The object of the invention is to provide a network security defense system and working method that, under large volumes of DDoS attack traffic, effectively relieve the burden on the SDN controller and reduce hardware requirements and maintenance cost.
To solve the above technical problem, the invention provides a network security defense system comprising an SDN controller, an IDS policy server and IDS devices. The IDS device spot-checks messages: when it detects a message with DDoS attack characteristics, it reports the message to the IDS policy server. The IDS policy server, according to the reported information, formulates a processing policy for the message with DDoS attack characteristics and issues the policy to the SDN controller for threat handling.
Preferably, to implement spot-checking for DDoS attacks in the IDS device, the IDS device comprises: a timing module, which sets the spot-check interval for messages; a spoofed packet detection module, which detects spoofing of link-layer and network-layer addresses; a malformed packet detection module, which detects abnormal settings of network-layer and transport-layer flag bits; and an abnormal message detection module, which detects flooding attacks at the application and transport layers. Within each interval, messages are checked in turn by the spoofed packet detection module, the malformed packet detection module and the abnormal message detection module; if any detection module finds that a message exhibits the corresponding behaviour, the message is forwarded to the IDS policy server.
Preferably, when a message exhibits spoofing and the attack threat lies within the OpenFlow domain, the IDS policy server is adapted to shield the attacking host through the SDN controller; when the attack threat lies outside the OpenFlow domain, it has the SDN controller redirect the traffic of the OF switch access port corresponding to the message to a traffic scrubbing center for filtering. When a message exhibits abnormal behaviour, the IDS policy server is further adapted to have the SDN controller shield the traffic of the attacking program or attacking host. When a message carries a flooding attack, the IDS policy server is adapted to have the SDN controller redirect the traffic of the OF switch access port corresponding to the message to the traffic scrubbing center for filtering.
Preferably, a host "reference mechanism" is established, that is, a shield timing module and a shield counter are provided in the SDN controller. The shield timing module holds a shield time, which limits how long an attacking host is shielded; the shield counter holds a shield threshold, and when the number of times an attacking host has been shielded exceeds this threshold, the attacking host is shielded permanently.
In another aspect, the invention also provides a working method for the network security defense system.
The working method of this network security defense system comprises the following steps:
Step S100, initial configuration; step S200, having the IDS device spot-check for DDoS threats at a preset interval; and step S300, formulating a corresponding processing policy according to the threat detection and issuing it to the SDN controller for threat handling.
Preferably, in step S100 the initial configuration proceeds as follows: step S101, the IDS policy server and the IDS devices in the network security defense system establish a dedicated SSL communication channel; step S102, the SDN controller builds a network device information binding table and updates it in real time on the IDS devices; step S104, the SDN controller issues a flow table with a mirroring policy so that each OF switch mirrors the traffic of all ports carrying hosts to the corresponding IDS device in its network domain; and step S105, the SDN controller issues DDoS threat identification rules to the corresponding IDS device in each network domain.
Preferably, in step S200 the method by which the IDS device spot-checks for DDoS threats at the preset interval comprises: within the preset interval, checking in turn for spoofing of link-layer and network-layer addresses, abnormal settings of network-layer and transport-layer flag bits, and flooding attacks at the application and transport layers; if any check in this process judges that the message exhibits the corresponding behaviour, the message is passed to step S300.
Preferably, the method for detecting spoofing of link-layer and network-layer addresses comprises detecting spoofing with the spoofed packet detection module, namely: first, the spoofed packet detection module calls the network device information binding table; second, the spoofed packet detection module parses the type of the message encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that uploaded the Packet-In message, and compares each of these with the corresponding entry in the network device information binding table; if the information in the message matches, the message proceeds to the next check; if it does not match, the message is passed to step S300. The method for detecting abnormal settings of network-layer and transport-layer flag bits comprises detecting abnormal flag settings with the malformed packet detection module, namely checking each flag bit of the message to judge whether it conforms to the TCP/IP protocol specification; if every flag bit conforms, the message proceeds to the next check; if not, the message is passed to step S300. The method for spot-checking application-layer and transport-layer flooding attacks comprises detecting flooding attacks with the abnormal message detection module, namely building in the abnormal message detection module a hash table for identifying flooding attack messages, judging according to the threshold set in this hash table whether the message carries a flooding attack, and passing the judgement result to step S300.
Preferably, the method in step S300 of formulating a corresponding processing policy according to the threat detection and issuing it to the SDN controller for threat handling comprises: if the message exhibits spoofing and the attack threat lies within the OpenFlow domain, the IDS policy server shields the attacking host through the SDN controller; if the attack threat lies outside the OpenFlow domain, it has the SDN controller redirect the traffic of the OF switch access port corresponding to the message to the traffic scrubbing center for filtering; if the message exhibits abnormal behaviour, the IDS policy server has the SDN controller shield the traffic of the attacking program or attacking host; if the message carries a flooding attack, the IDS policy server has the SDN controller redirect the traffic of the OF switch access port corresponding to the message to the traffic scrubbing center for filtering. After an attacking host is shielded, a shield time and a shield threshold are set; the shield time limits how long the attacking host is shielded, and when the number of times the attacking host has been shielded exceeds the shield threshold, the host is shielded permanently. And/or an optimized path is computed from link load coefficients: the remaining bandwidth of the link between two adjacent nodes is measured to obtain the load coefficient of that link, the optimal path between any two points is obtained from these load coefficients and the initialized network topology, and the SDN controller derives the corresponding forwarding flow tables from the optimal path and issues them to each OF switch.
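The path-optimization step above (load coefficient per link from its remaining bandwidth, optimal path over the topology, forwarding entries derived from that path) can be illustrated with the following Python example. It is added here and is not the patent's own code: the topology, port map, capacities and remaining bandwidths are constructed sample data, and since the description does not give the formula, the load coefficient `1 - remaining / capacity` and the use of the sum of coefficients along a path as the path cost are assumptions.

```python
"""Path optimization from link load coefficients (added example, not the patent's code)."""
import heapq

# Constructed topology: (node a, node b, capacity in Mbit/s, remaining bandwidth in Mbit/s).
LINKS = [
    ("s1", "s2", 100.0, 90.0),
    ("s2", "s4", 100.0, 10.0),   # heavily loaded link
    ("s1", "s3", 100.0, 60.0),
    ("s3", "s4", 100.0, 70.0),
]

# Constructed port map: (switch, neighbour) -> output port on that switch.
PORTS = {("s1", "s2"): 1, ("s1", "s3"): 2, ("s2", "s1"): 1, ("s2", "s4"): 2,
         ("s3", "s1"): 1, ("s3", "s4"): 2, ("s4", "s2"): 1, ("s4", "s3"): 2}


def load_coefficient(capacity, remaining):
    """Load coefficient of a link in [0, 1]: 0 idle, 1 saturated (assumed formula)."""
    return 1.0 - remaining / capacity


def build_graph(links):
    """Undirected weighted graph: node -> {neighbour: load coefficient}."""
    graph = {}
    for a, b, cap, rem in links:
        w = load_coefficient(cap, rem)
        graph.setdefault(a, {})[b] = w
        graph.setdefault(b, {})[a] = w
    return graph


def optimal_path(graph, src, dst):
    """Dijkstra with the load coefficient as edge cost; returns (total cost, [nodes]).

    Unreachable destinations give (inf, []).
    """
    dist = {src: 0.0}
    prev = {}
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist.get(u, float("inf")):
            continue
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return float("inf"), []
    path, node = [], dst
    while node != src:
        path.append(node)
        node = prev[node]
    path.append(src)
    return dist[dst], path[::-1]


def flow_entries(path, dst_ip, ports=PORTS):
    """Forwarding flow entries the controller would issue to each switch on the path."""
    return [{"switch": a, "match_dst": dst_ip, "out_port": ports[(a, b)]}
            for a, b in zip(path, path[1:])]


def demo():
    """Route from s1 to s4: the lightly loaded s1-s3-s4 path wins over s1-s2-s4."""
    graph = build_graph(LINKS)
    cost, path = optimal_path(graph, "s1", "s4")
    return round(cost, 2), path, flow_entries(path, "10.0.0.4")


if __name__ == "__main__":
    print(demo())
```

Both candidate paths have the same hop count, so only the load coefficients decide: s1-s2-s4 costs 0.1 + 0.9 = 1.0 while s1-s3-s4 costs 0.4 + 0.3 = 0.7, and the controller would install entries on s1 and s3 sending traffic for the destination out port 2.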
Preferably, the method by which the IDS policy server shields the program and/or attacking host that sends a message comprises: first, building the corresponding counting hash tables and setting the corresponding thresholds, namely building in the IDS policy server a first hash table that counts spoofing behaviour per unit time, a second hash table that counts abnormal flag-bit settings, and a third hash table that counts flooding attacks, and setting a first, second and third threshold in the first, second and third hash tables respectively; second, shielding the program and/or attacking host that sends the message, namely counting in the corresponding hash table each behaviour of a message passed to the IDS policy server, and when the count exceeds the corresponding threshold, shielding the program and/or attacking host that sends the message.
Beneficial effects of the invention: (1) By spot-checking messages the invention greatly reduces the burden on the SDN controller, and by separating detection from decision-making it further reduces the burden on the server; detection efficiency is improved by the spoofed packet detection module, the malformed packet detection module and the abnormal message detection module. Through this combination the invention therefore effectively relieves the SDN controller while improving detection efficiency, making it better suited to network transmission of high-volume data flows. (2) The invention fundamentally resolves the difficulty that, under a traditional network architecture, DDoS attacks with forged addresses cannot be identified and traced to their source; when a DDoS attack or legitimate high-volume traffic occurs in the network, the SDN controller can optimize the routing of normal traffic based on real-time awareness of network parameters such as remaining link bandwidth, significantly improving the user experience. (3) The processing framework of the invention adopts an extensible modular design, achieving efficient detection and proper handling of DDoS threats; the spoofed packet detection module, the malformed packet detection module and the packet information acquisition use independent interface designs, reducing coupling between modules; each module uses optimized program data structures and carefully subdivided processing sub-flows, improving the high cohesion of the modules.
Accompanying drawing explanation
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 shows the structural block diagram of the network security defense system of the invention;
Fig. 2 shows the schematic block diagram of the network security defense system;
Fig. 3 shows the flow of the working method of the network security defense system of the invention;
Fig. 4 shows the flow block diagram of the method of DDoS threat detection at the preset interval.
Embodiment
The invention is further explained below with reference to the drawings. These drawings are simplified schematics that illustrate only the basic structure of the invention and therefore show only the components relevant to it.
Embodiment 1
Fig. 1 shows the structural block diagram of the network security defense system of the invention.
As shown in Fig. 1, a network security defense system comprises an SDN controller, an IDS policy server and distributed IDS devices. The IDS device spot-checks messages: when the IDS device (i.e. an intrusion detection device) detects a message with DDoS attack characteristics, it reports it to the IDS policy server (the report may also be sent to the IDS policy server over the SSL communication channel). The IDS policy server, according to the reported information, formulates a processing policy for the message with DDoS attack characteristics and issues the policy to the SDN controller for threat handling. The processing policy is described in the following embodiments.
Here the DDoS attack characteristics are defined as: spoofing of link-layer and network-layer addresses, abnormal settings of network-layer and transport-layer flag bits, and flooding attacks at the application and transport layers.
The spot-check interval is a preset interval that can be set as required, for example one check every 2 seconds, 3 seconds or 5 seconds; random spot-checking can also be used, for example with a random interval in the range 1-10 s.
The invention greatly reduces the burden on the SDN controller through spot-checking and is particularly suited to network transmission of high-volume data flows.
Fig. 2 shows the schematic block diagram of the network security defense system.
As shown in Fig. 2, the IDS device further comprises:
a timing module, which sets the spot-check interval for messages (not drawn in Fig. 2; it can be implemented by the IDS internal clock, i.e. by a clock module); a spoofed packet detection module, which detects spoofing of link-layer and network-layer addresses; a malformed packet detection module, which detects abnormal settings of network-layer and transport-layer flag bits; and an abnormal message detection module, which detects flooding attacks at the application and transport layers. Within each interval, messages are checked in turn by the spoofed packet detection module, the malformed packet detection module and the abnormal message detection module; if any detection module finds that a message exhibits the corresponding behaviour, the message is forwarded to the IDS policy server.
Further, when a message exhibits spoofing and the attack threat lies within the OpenFlow domain, the IDS policy server is adapted to shield the attacking host through the SDN controller; when the attack threat lies outside the OpenFlow domain, it has the SDN controller redirect the traffic of the OF switch access port corresponding to the message to a traffic scrubbing center for filtering. When a message exhibits abnormal behaviour, the IDS policy server is further adapted to have the SDN controller shield the traffic of the attacking program or attacking host. When a message carries a flooding attack, the IDS policy server is adapted to have the SDN controller redirect the traffic of the OF switch access port corresponding to the message to the traffic scrubbing center for filtering.
The invention checks in order from the spoofed packet detection module to the malformed packet detection module and then to the abnormal message detection module. Each module acquires packet information through an independent interface design, reducing inter-module coupling; each module uses optimized program data structures and carefully subdivided processing sub-flows, improving module cohesion. This detection order, combined with spot-checking, effectively reduces the burden on the SDN controller while improving the detection efficiency for message data and reducing loss.
The spoofed packet detection module calls the network device information binding table, and a first hash table that counts packet spoofing behaviour per unit time is built in the IDS policy server with a first threshold set in it. The spoofed packet detection module parses the type of the message encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that uploaded the Packet-In message, and compares each of these with the corresponding entry in the network device information binding table. If the information in the message matches, the message proceeds to the malformed packet detection module; if it does not match, the message is passed to the IDS policy server, which discards it and at the same time counts the spoofing behaviour; when the count exceeds the first threshold, the program and/or attacking host that sends the message is shielded.
Specifically, the spoofed packet detection module performs the first judgement on a message, namely whether the message is an IP spoofing, port spoofing or MAC spoofing attack message.
The specific steps are: first parse the source and destination MAC addresses and the OF switch ingress port from the Ethernet frame, then parse the message according to its type. When the message type is IP, ARP or RARP, parse the corresponding source and destination IP addresses and look these values up against the network device information binding table; if a matching entry is found, hand the message to the malformed packet detection module. If not, pass the message to the IDS policy server for processing and at the same time accumulate a count of spoofing behaviour; when the count exceeds the first threshold, shield the program and/or attacking host that sends the message.
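The spoof check described above (attachment point and addresses from the Packet-In compared against the binding table, mismatches counted in the first hash table per unit time, shielding once the first threshold is exceeded) can be illustrated with the following Python example. It is added here and is not the patent's or Floodlight's code: the binding table, the parsed Packet-In records, the threshold, the unit time and the field names are all constructed assumptions. It keys the counter by switch DPID and port rather than by the claimed address, for the reason the description gives later: a spoofed message's addresses cannot be trusted, but its DPID and port cannot be forged by the sender.

```python
"""Spoofed-packet check against a network device information binding table
(added example, not the patent's code)."""
from collections import defaultdict

# Constructed binding table: (OF switch DPID, port number) -> host learned on that
# attachment point. In the patent the SDN controller builds this from the device manager.
BINDING_TABLE = {
    ("00:00:00:00:00:00:00:01", 1): {"mac": "aa:aa:aa:aa:aa:01", "ip": "10.0.0.1"},
    ("00:00:00:00:00:00:00:01", 2): {"mac": "aa:aa:aa:aa:aa:02", "ip": "10.0.0.2"},
    ("00:00:00:00:00:00:00:02", 1): {"mac": "aa:aa:aa:aa:aa:03", "ip": "10.0.0.3"},
}

ADDRESS_TYPES = {"IP", "ARP", "RARP"}   # types for which the source IP is checked too
FIRST_THRESHOLD = 3                      # first threshold: spoofed messages per unit time (assumed)
UNIT_TIME = 1.0                          # unit time in seconds (assumed)


def check_spoof(pkt, binding=BINDING_TABLE):
    """Compare a parsed Packet-In with the binding table.

    Returns the list of mismatched fields; an empty list means the message matches.
    """
    entry = binding.get((pkt["dpid"], pkt["in_port"]))
    if entry is None:
        return ["attachment point"]
    mismatches = []
    if pkt["eth_src"] != entry["mac"]:
        mismatches.append("mac")
    if pkt["type"] in ADDRESS_TYPES and pkt.get("ip_src") != entry["ip"]:
        mismatches.append("ip")
    return mismatches


class SpoofCounter:
    """First hash table: spoof count per attachment point per unit time."""

    def __init__(self, threshold=FIRST_THRESHOLD, unit=UNIT_TIME):
        self.threshold = threshold
        self.unit = unit
        self.counts = defaultdict(int)   # (dpid, port, window index) -> count
        self.shielded = set()            # attachment points whose traffic is to be shielded

    def record(self, pkt):
        point = (pkt["dpid"], pkt["in_port"])
        key = point + (int(pkt["ts"] // self.unit),)
        self.counts[key] += 1
        if self.counts[key] > self.threshold:
            self.shielded.add(point)
        return self.counts[key]


def spoof_stage(packets, counter):
    """Run the spoof check over a batch; return (passed, dropped) lists."""
    passed, dropped = [], []
    for pkt in packets:
        if check_spoof(pkt):
            counter.record(pkt)       # counted in the IDS policy server's first hash table
            dropped.append(pkt)
        else:
            passed.append(pkt)        # goes on to the malformed packet detection module
    return passed, dropped


S1 = "00:00:00:00:00:00:00:01"
S2 = "00:00:00:00:00:00:00:02"

# Constructed Packet-In records: a genuine IP message, a genuine ARP message, and four
# messages arriving on port 2 of S1 that claim the IP address of the host on port 1.
SAMPLE_PACKETS = [
    {"ts": 0.0, "dpid": S1, "in_port": 1, "type": "IP", "eth_src": "aa:aa:aa:aa:aa:01", "ip_src": "10.0.0.1"},
    {"ts": 0.1, "dpid": S2, "in_port": 1, "type": "ARP", "eth_src": "aa:aa:aa:aa:aa:03", "ip_src": "10.0.0.3"},
] + [
    {"ts": 0.2 + 0.1 * i, "dpid": S1, "in_port": 2, "type": "IP", "eth_src": "aa:aa:aa:aa:aa:02", "ip_src": "10.0.0.1"}
    for i in range(4)
]


def demo():
    """Returns (passed count, dropped count, shielded attachment points)."""
    counter = SpoofCounter()
    passed, dropped = spoof_stage(SAMPLE_PACKETS, counter)
    return len(passed), len(dropped), counter.shielded


if __name__ == "__main__":
    print(demo())
```

With the sample data the two genuine messages pass, the four IP-spoofed messages are dropped, and because the fourth exceeds the first threshold within one unit time the attachment point (S1, port 2) is marked for shielding, which is what the IDS policy server would hand to the SDN controller.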
Floodlight has a device manager module, DeviceManagerImpl, which tracks devices as they move in the network and defines devices from new flows.
The device manager learns devices from Packet-In requests, obtains the device's network parameters (source and destination IP, MAC, VLAN and similar information) from the Packet-In message, and classifies the device via the entity classifier as an OF switch or an attacking host. By default the entity classifier identifies a device by MAC address and/or VLAN, as these two attributes uniquely identify a device. Another important piece of information is the device's attachment point (the DPID and port number of the OF switch); within one OpenFlow domain a device can have only one attachment point, where an OpenFlow domain refers to the set of OF switches connected to the same Floodlight instance. The device manager also sets expiry times for IP addresses, attachment points and devices, using the last timestamp as the basis for judging whether they have expired.
Therefore the network device information binding table module only needs to call the IDeviceService provided by the DeviceManagerImpl module and register an IDeviceListener with that service.
The listener interface provided by IDeviceListener has the following callbacks:
Interface name                                        Function
public void deviceAdded(IDevice device)               host added
public void deviceRemoved(IDevice device)             host removed
public void deviceMoved(IDevice device)               host moved
public void deviceIPV4AddrChanged(IDevice device)     host IP address changed
public void deviceVlanChanged(IDevice device)         host VLAN changed
ISP: IFloodlightProviderService, IDeviceService
Dependent interfaces: IFloodlightModule, IDeviceListener
Records in the binding table are refreshed in real time according to the low/high level trigger mechanism of the OF switch (a low level, triggered by unplugging the network cable, signals Port Down; a high level, triggered by plugging it in, signals Port Up).
A traditional DDoS attack cannot touch or modify the switch DPID and switch port information; exploiting this advantage, spoofing attacks can be detected more flexibly.
In the IDS policy server a second hash table that counts abnormal flag-bit settings of messages per unit time is built, with a second threshold set in it. The malformed packet detection module checks each flag bit of the message to judge whether it conforms to the TCP/IP protocol specification; if every flag bit conforms, the message proceeds to the abnormal message detection module; if not, the message is passed to the IDS policy server, which discards it and at the same time counts the abnormal flag-bit setting; when the count exceeds the second threshold, the program and/or attacking host that sends the message is shielded.
Specifically, the malformed packet detection module performs the second judgement on a message, namely whether the message is an attack message with malicious flag-bit characteristics. Such attack messages include, but are not limited to, IP attack messages and TCP attack messages. The implementation detects IP attack messages and TCP/UDP attack messages by checking the flag bits of each message, that is, identifying whether each flag bit conforms to the TCP/IP protocol specification. If so, the message is handed directly to the abnormal message detection module; if not, it is judged to be an attack message and passed to the IDS policy server for processing.
Taking the typical Teardrop attack as an example: the IP header contains an offset field and a More Fragments (MF) flag; if the attacker sets the offset field to an incorrect value, the IP fragments overlap or leave gaps, and the target system may crash.
The IP header also contains a protocol field that specifies which protocol the IP message carries. The value of this field is less than 100; if an attacker sends the target a large number of IP messages with a protocol field greater than 100, the protocol stack of the target system may be damaged, which constitutes an attack.
Therefore the malformed packet detection module first extracts each flag bit of the message and then checks whether it is normal.
If normal, the message is handed to the subsequent module for processing.
If abnormal, the packet is discarded and the counter in the corresponding hash table is incremented. If the counter exceeds the set second threshold within the unit time, the IDS policy server is called to shield the corresponding program and/or directly shield the corresponding host.
After filtering by the spoofed packet detection module, the addresses in the subsequent packets handled by the malformed packet detection module are all genuine. This effectively prevents the target from receiving malformed messages that could directly crash its protocol stack or even the target itself.
The processing of the malformed packet detection module is roughly similar to the spoofed packet detection flow; the difference is that the malformed packet detection module parses the flag bits of each message and then checks whether each flag bit is normal.
If normal, the message goes directly to the subsequent abnormal message detection module.
If abnormal, the packet is discarded and the counter in the corresponding hash table of the host "reference mechanism" is incremented. If the set threshold is exceeded, the corresponding attacking program is shielded or the attacking host is shielded directly.
The Hash table for identifying the formula attack message that floods is built at described exception message detection module, in described IDS policy server, build the 3rd Hash table being suitable for that the formula attack of flooding is counted in the unit interval, and set the 3rd threshold values in the 3rd Hash table; Described exception message detection module, is suitable for judging whether described message has attack according to the threshold values set in described Hash table; If without attack, then by data distributing; If have attack, then proceed to described IDS policy server, abandon, and count attack simultaneously message, when count value is more than the 3rd threshold values, shielding sends the program of this message and/or attacks main frame.
Concrete, described exception message detection module, judges for carrying out third time to message, namely judges whether message is the formula attack message that floods.
Concrete steps comprise: utilize the identification to building to flood adding up to the respective record in Hash table of formula attack message, and detect whether exceed threshold value, to judge whether the being formula attack message that floods.
Through above-mentioned deception packet check module, the filtering destroying packet check module two modules, the packet of subsequent module for processing belongs to packet under normal circumstances substantially.But, under normal circumstances, also have ddos attack and produce, in the prior art, generally only carry out deception packet check module, destroy packet check module, and in the technical program, in order to avoid ddos attack as much as possible.
The following examples describe embodiments in which, after filtering by the deception packet check module and the destruction packet check module, DDoS attacks are shielded by the exception message detection module. This embodiment takes UDP Flooding and ICMP Flooding as its examples.
UDP Flooding exploits the connectionless nature of UDP and sends a large number of UDP messages to the target machine. The target spends a great deal of time processing these UDP messages; the attack messages not only overflow the buffer that holds UDP messages but also consume a large amount of network bandwidth, so that the target can no longer (or only rarely) receive legitimate UDP messages.
Because many different hosts send large numbers of UDP packets to a single host, UDP ports will inevitably be occupied, so this technical solution will receive ICMP port unreachable packets.
The solution therefore builds a hash table for all hosts that specifically stores the number of ICMP port unreachable packets received per unit time. If the set threshold is exceeded, the corresponding attacking program is shielded directly.
For ICMP Flooding, ICMP messages are simply counted per unit time. If the corresponding threshold is exceeded, the corresponding host is shielded directly. Although this method is simple, it is directly effective.
Therefore, when the exception message detection module detects that the message type is one of the exception detection types, it performs the corresponding counting and checks whether the threshold is exceeded. If the threshold is not exceeded, the packet can still be forwarded under the optimal routing policy. If the threshold is exceeded, the corresponding attacking program is shielded, or the corresponding host is shielded directly.
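The per-host, per-unit-interval counting described above, as an added illustration that is not code from the patent: UDP flooding is inferred from ICMP port unreachable replies addressed to the flooding source, ICMP flooding from echo requests per source host, and each counter resets at the unit interval. The message layout, unit interval and thresholds are constructed assumptions.

```python
from collections import namedtuple

# Constructed message record used only by this example (not an OpenFlow structure).
Msg = namedtuple("Msg", "src dst proto icmp_type icmp_code")

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE = 3, 3   # standard ICMP type/code
ICMP_ECHO_REQUEST = 8


class UnitIntervalCounter:
    """Hash table host -> (window start, count); the count restarts each unit interval."""

    def __init__(self, threshold, unit_interval=1.0):
        self.threshold = threshold
        self.unit_interval = unit_interval
        self.table = {}

    def increment(self, host, now):
        start, count = self.table.get(host, (now, 0))
        if now - start >= self.unit_interval:   # a new unit interval: start over
            start, count = now, 0
        count += 1
        self.table[host] = (start, count)
        return count

    def exceeds(self, host, now):
        return self.increment(host, now) > self.threshold


class ExceptionMessageDetector:
    """Third check of the pipeline: flood detection by per-host counting."""

    def __init__(self, udp_threshold, icmp_threshold, unit_interval=1.0):
        # UDP flooding: count ICMP port unreachable replies per flooding source
        # (the reply is addressed back to the host whose UDP traffic caused it).
        self.port_unreach = UnitIntervalCounter(udp_threshold, unit_interval)
        # ICMP flooding: count echo requests directly per source host.
        self.icmp_echo = UnitIntervalCounter(icmp_threshold, unit_interval)

    def detect(self, msg, now):
        """Returns ('forward', None), ('shield_program', host) or ('shield_host', host)."""
        if msg.proto == "icmp" and msg.icmp_type == ICMP_DEST_UNREACH \
                and msg.icmp_code == ICMP_PORT_UNREACH_CODE:
            if self.port_unreach.exceeds(msg.dst, now):
                return ("shield_program", msg.dst)
            return ("forward", None)
        if msg.proto == "icmp" and msg.icmp_type == ICMP_ECHO_REQUEST:
            if self.icmp_echo.exceeds(msg.src, now):
                return ("shield_host", msg.src)
            return ("forward", None)
        return ("forward", None)   # not an exception detection type: forward
```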
When any of the deception packet check module, the destruction packet check module or the exception message detection module judges that the message is an attack message of the kinds described above, the attack message is passed to the IDS policy server, which discards the message and shields the program that sent it and/or the attacking host.
Whenever the deception packet check module, the destruction packet check module or the exception message detection module needs to discard a packet or shield a threatening host, it calls the IDS policy server directly to carry out the corresponding threat handling operation.
The concrete implementation steps of the IDS policy server are as follows.
Discarding the message, i.e. the packet discard step, proceeds as follows:
When an OpenFlow (OF) switch finds no flow entry matching a packet, it encapsulates the packet in a Packet-In message and at the same time keeps the packet in its local buffer. The buffered packet is identified by a buffer ID, which is also carried in the buffer_id field of the Packet-In message. The packet is discarded by means of a Packet-Out message whose buffer_id field is set to the buffer ID of the packet to be discarded (the buffer_id of the corresponding Packet-In message).
The steps for shielding an attacking host are as follows:
The OpenFlow flow entry structure is as follows:
Header fields | Counters | Actions
The header fields have the following structure:
The steps by which the IDS policy server shields a program are as follows:
Step 1: fill in the corresponding match fields in the header field of the flow entry and set the Wildcards mask field, obtaining the information for shielding the attacking program or the attacking host. To shield an attacking program, fill in the following match fields in the flow entry header: IP address, MAC address, VLAN, switch DPID, switch port, protocol type and its port number, etc. To shield an attacking host, fill in the match fields IP address, MAC address, VLAN, switch DPID and switch port.
Step 2: set the action list of the flow entry to empty, so that the packets of the attacking program/host are discarded.
Step 3: use the recorded values in each hash table to calculate the timeout (expiry time) of the flow entry automatically.
Step 4: issue the flow entry to shield the program or the attacking host.
Preferably, a shielding timing module and a guard counter are provided in the SDN controller. The shielding timing module holds a shielding time that limits how long an attacking host is shielded; the guard counter holds a shield threshold, and when the number of times an attacking host has been shielded exceeds this threshold, the host is shielded permanently.
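Steps 1 to 4 together with the shielding timer and guard counter, as an added illustration that is neither the patent's code nor any particular controller's API: flow entries are plain dicts with OpenFlow 1.0 header field names and an empty action list, the timeout rule in shield_timeout is a constructed one because the description gives no formula, and the attacker record is constructed.

```python
# OpenFlow 1.0 header field names (as in the OpenFlow 1.0 specification).
ALL_FIELDS = ("in_port", "dl_src", "dl_dst", "dl_vlan", "dl_type",
              "nw_src", "nw_dst", "nw_proto", "tp_src", "tp_dst")
# Fields the description lists for shielding a program vs. an attacking host.
PROGRAM_FIELDS = ("nw_src", "dl_src", "dl_vlan", "in_port", "nw_proto", "tp_src")
HOST_FIELDS = ("nw_src", "dl_src", "dl_vlan", "in_port")
PERMANENT = 0   # an OpenFlow timeout of 0 means the entry never expires


def shield_timeout(count, threshold, base_seconds=60):
    """Step 3: timeout derived from the hash-table record. Constructed rule:
    scale a base time by how far the count exceeded the threshold."""
    return int(base_seconds * max(count, threshold) / threshold)


def build_shield_entry(attacker, shield_program, count, threshold, base_seconds=60):
    """Steps 1, 2 and 3: the flow entry issued to the attacker's OF switch (DPID)."""
    fields = PROGRAM_FIELDS if shield_program else HOST_FIELDS
    match = {f: attacker[f] for f in fields}
    return {
        "dpid": attacker["dpid"],
        "match": match,
        "wildcards": [f for f in ALL_FIELDS if f not in match],  # masked fields
        "actions": [],                    # empty action list: packets are dropped
        "idle_timeout": shield_timeout(count, threshold, base_seconds),
    }


class ShieldingController:
    """Shielding timing module and guard counter of the SDN controller."""

    def __init__(self, shield_time, shield_threshold):
        self.shield_time = shield_time            # max duration of one shielding
        self.shield_threshold = shield_threshold  # shieldings before a permanent one
        self.guard_counter = {}                   # host IP -> times shielded

    def shield_host(self, attacker, count, threshold):
        """Step 4 for an attacking host: entry plus timer/counter handling."""
        host = attacker["nw_src"]
        self.guard_counter[host] = self.guard_counter.get(host, 0) + 1
        entry = build_shield_entry(attacker, False, count, threshold)
        if self.guard_counter[host] > self.shield_threshold:
            entry["idle_timeout"] = PERMANENT     # permanently shield this host
            entry["hard_timeout"] = PERMANENT
        else:
            # the shielding time limits how long the host stays shielded
            entry["hard_timeout"] = self.shield_time
            entry["idle_timeout"] = min(entry["idle_timeout"], self.shield_time)
        return entry
```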
Thus the network of this technical solution can effectively identify and filter attack packets.
Optionally, after each of the modules above, the real-time optimal routing policy is issued for normal messages.
The steps of the optimal routing policy are as follows:
First, a request is submitted to the topology interface (API) of the SDN controller to obtain the full network topology; then the remaining bandwidth of every link in the network is computed from the obtained link states.
For the real-time optimal path computation the classical Dijkstra algorithm is used, with the edge weights replaced by the reciprocal of the link remaining bandwidth obtained in the previous step, so that the computed path is the least congested path with the smallest propagation delay. The concrete implementation steps for the optimal path are discussed in detail in Embodiment 2.
Finally, the computed optimal path is converted into a real-time optimal path policy consisting of flow entries, which is issued.
Step S1: using the topology interface (an API provided by the SDN controller), links are discovered with LLDP (Link Layer Discovery Protocol) and broadcast packets, after which the SDN controller computes the network topology automatically.
Step S2: the topology interface of the SDN controller feeds the requested topology back to the "full network topology acquisition module" of the "real-time optimal path computation module".
Step S3: the "full network link state acquisition module" submits a request to the "OF switch query interface module" to obtain the state of all links in the network. The "OF switch query interface module" is an extension built on the SDN controller's "OF switch feature query module" and "OF switch status query module", and implements the calculation and query of link remaining bandwidth.
Then, in step S4, the "OF switch query module" broadcasts an OF switch feature request to all OF switches in the network. In step S5 it receives the feature reply messages from the OF switches in the network, parses the curr field in each message and obtains the current bandwidth B of each OF switch port.
Next, in step S6, the module broadcasts an OF switch status request to all OF switches in the network; the status includes port statistics such as transmitted packets, transmitted bytes, received bytes and received packets. In step S7 the module receives the status reply messages from the switches, parses the tx_bytes field to obtain the transmitted byte count N1, and records the current time t1.
Next, in step S8, the module broadcasts another OF switch status request to all OF switches in the network; in step S9 it receives the status reply messages, stops timing, records the current time t2, parses the tx_bytes field and obtains the transmitted byte count N2.
The current remaining bandwidth of the port is then: B - (N2 - N1)/(t2 - t1).
Then the obtained network topology is used to compute the remaining bandwidth of every link:
For a link between two OF switches, obtain the remaining bandwidth of the OF switch ports at both ends of the link; the link's remaining bandwidth is the smaller of the two port values.
For a link between a host and an OF switch, obtain the remaining bandwidth of the OF switch port connected to the host; that value is the link's remaining bandwidth.
Step S4: the SDN controller broadcasts a Feature Request message to all OF switches in the network.
Step S5: the SDN controller receives the Feature Reply messages that the OF switches in the network return to it.
Step S6: the SDN controller broadcasts a Stats Request message to all OF switches in the network.
Step S7: the SDN controller receives the Stats Reply messages that the OF switches in the network return to it.
Step S8: the SDN controller again broadcasts a Stats Request message to all OF switches in the network.
Step S9: the SDN controller receives the Stats Reply messages that the OF switches in the network return to it.
Step S10: the OF switch query interface feeds the computed link remaining bandwidth back to the "full network link state acquisition module".
Step S11: the routing policy issuing module computes the real-time optimal routing policy, and in step S12 the computed flow entries are issued to the relevant OF switches.
Step S12: this interface is an API provided by the SDN controller for issuing the computed optimal routing policy.
By means of the optimal path policy, the average transmission delay of the network does not rise sharply while DDoS attacks are being defended against.
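Steps S4 to S12 worked through, as an added illustration that is not code from the patent: the port remaining bandwidth is computed with the formula above, the link remaining bandwidth is the smaller port value (or the single switch port for a host link), Dijkstra runs with weight 1/remaining bandwidth, and the path is turned into one flow entry per switch. The topology, the port statistics and the rule that a link with no remaining bandwidth is left out of the graph are constructed assumptions.

```python
import heapq

# Constructed topology: (node_a, port_a, node_b, port_b); a host end has port None.
TOPOLOGY = [
    ("h1", None, "s1", 1),
    ("s1", 2, "s2", 1),
    ("s1", 3, "s3", 1),
    ("s3", 2, "s2", 2),
    ("s2", 3, "h2", None),
]


def port_remaining_bandwidth(curr_bw, n1, t1, n2, t2):
    """Steps S5 to S9: B - (N2 - N1)/(t2 - t1), with B from the feature reply's
    curr field and N1, N2 the tx_bytes values of two status replies (bytes/s)."""
    if t2 <= t1:
        raise ValueError("second status sample must be later than the first")
    return curr_bw - (n2 - n1) / (t2 - t1)


def link_remaining_bandwidth(topology, port_bw):
    """Switch-switch link: smaller of the two port values; host link: the switch port."""
    links = {}
    for a, pa, b, pb in topology:
        ends = [port_bw[(n, p)] for n, p in ((a, pa), (b, pb)) if p is not None]
        links[(a, b)] = links[(b, a)] = min(ends)
    return links


def optimal_path(links, src, dst):
    """Dijkstra with edge weight = 1 / remaining bandwidth, so the least loaded
    path wins. Constructed rule: a link with no remaining bandwidth is unusable."""
    adj = {}
    for (a, b), bw in links.items():
        if bw > 0:
            adj.setdefault(a, []).append((b, 1.0 / bw))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                    # stale heap entry
        if u == dst:
            break
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None                     # destination unreachable on usable links
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def path_to_flow_entries(path, topology, dst_ip):
    """Step S12: one entry per OF switch on the path, output port towards the next hop."""
    out_port = {}
    for a, pa, b, pb in topology:
        out_port[(a, b)], out_port[(b, a)] = pa, pb
    entries = []
    for u, v in zip(path, path[1:]):
        port = out_port[(u, v)]
        if port is None:
            continue                    # u is a host, not an OF switch
        entries.append({"dpid": u, "match": {"nw_dst": dst_ip},
                        "actions": [("output", port)]})
    return entries
```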
Embodiment 2
The working method of the network security protection system builds on Embodiment 1: by separating sampling inspection from threat handling, it effectively reduces the workload of the SDN controller and improves detection efficiency and data transmission rate.
Fig. 3 shows the flow chart of the working method of the network security protection system of the present invention.
As shown in Fig. 3, the working method of the network security protection system of the present invention comprises the following steps:
Step S100, initial configuration; Step S200, the IDS device performs DDoS threat sampling inspection at the preset interval; and Step S300, according to the threat detection, the corresponding handling policy is formulated and issued to the SDN controller for threat handling.
The present invention performs DDoS detection by sampling inspection, which greatly reduces the burden on the SDN controller.
For the preset interval, see the relevant discussion in Embodiment 1; it is not repeated here.
Further, in step S100 the initial configuration steps are as follows:
Step S101, a dedicated SSL communication channel is established between the IDS policy server and the IDS device of the network security protection system; Step S102, the SDN controller builds the network device information binding table and updates it in real time to the IDS device; Step S104, the SDN controller issues the flow entries of the mirroring policy, so that the traffic of all OF switch ports with hosts attached is mirrored to the IDS device of the corresponding network domain; and Step S105, the SDN controller issues DDoS threat identification rules to the IDS device of each network domain.
In step S200, the IDS device performs DDoS threat sampling inspection at the preset interval as follows: within each preset interval, the message is inspected in turn for link-layer and network-layer address spoofing, abnormal setting of network-layer and transport-layer flag bits, and application-layer and transport-layer flooding attacks; if any check in this process judges that the message exhibits the corresponding behaviour, the message is passed to step S300.
Fig. 4 shows the flow block diagram of the method for DDoS threat detection at the preset interval.
As shown in Fig. 4, the concrete steps are: Step S210, detect link-layer and network-layer address spoofing; Step S220, detect abnormal setting of network-layer and transport-layer flag bits; Step S230, sample-inspect application-layer and transport-layer flooding attacks; Step S240, after the message has passed through steps S210, S220 and S230 in turn, if any step judged that the message exhibits spoofing, abnormality or attack, pass the message to step S300.
In step S210, the method for detecting link-layer and network-layer address spoofing comprises: Step S211, the deception packet check module calls the network device information binding table; Step S212, the deception packet check module parses the type of the message encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that uploaded this Packet-In message, and compares each of these with the corresponding information in the network device information binding table. If the information in the message matches, the message proceeds to step S220; if it does not match, the message is passed to step S300.
In step S220, the method for detecting abnormal setting of network-layer and transport-layer flag bits comprises: checking each flag bit of the message to judge whether it conforms to the TCP/IP protocol specification; if all flag bits conform, the message proceeds to S230; if they do not, the message is passed to step S300.
In step S230, the method for sample-inspecting application-layer and transport-layer flooding attacks comprises: Step S231, the exception message detection module builds the hash table for identifying flooding attack messages; Step S232, the exception message detection module judges from the threshold set in this hash table whether the message is a flooding attack message, and passes the judgement to step S300: if there is no attack, the data is forwarded normally or under the optimal path policy described above; if there is an attack, the corresponding shielding measures are taken.
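Steps S210 and S220 of the sampling inspection, as an added illustration that is not code from the patent: the binding table lookup compares the message's addresses and the uploading switch's DPID and port with the bound values, and the flag-bit check rejects TCP flag combinations the specification never produces. The binding table, the message fields and the particular flag rules (and treating an unknown source IP as not matching) are constructed assumptions.

```python
# Constructed binding table: host IP -> (MAC, DPID of access switch, access port).
BINDING_TABLE = {
    "10.0.0.1": ("00:00:00:00:00:01", 1, 1),
    "10.0.0.2": ("00:00:00:00:00:02", 1, 2),
}

# Standard TCP flag bit values.
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def addresses_match(packet_in, binding_table):
    """Steps S211/S212: compare source/destination IP and MAC and the uploading
    switch's DPID and port with the binding table. Constructed rule: a source IP
    absent from the table is treated as not matching."""
    bound = binding_table.get(packet_in["nw_src"])
    if bound is None:
        return False
    mac, dpid, port = bound
    if (packet_in["dl_src"], packet_in["dpid"], packet_in["in_port"]) != (mac, dpid, port):
        return False                  # source address not where it is bound: spoofed
    dst_bound = binding_table.get(packet_in["nw_dst"])
    if dst_bound is not None and dst_bound[0] != packet_in["dl_dst"]:
        return False                  # destination IP/MAC pair inconsistent
    return True


def flags_conform(tcp_flags):
    """Step S220: reject flag combinations the TCP specification never produces."""
    if tcp_flags == 0:
        return False                  # no flags set at all
    if tcp_flags & TCP_SYN and tcp_flags & (TCP_FIN | TCP_RST):
        return False                  # SYN together with FIN or RST
    if tcp_flags & TCP_FIN and not tcp_flags & TCP_ACK:
        return False                  # FIN without ACK
    return True


def inspect_message(packet_in, binding_table):
    """Runs S210 then S220; returns the next step and the reason, if any."""
    if not addresses_match(packet_in, binding_table):
        return ("S300", "deception")
    if packet_in.get("nw_proto") == 6 and not flags_conform(packet_in["tcp_flags"]):
        return ("S300", "abnormal")
    return ("S230", None)             # on to the flooding check
```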
In step S300, the method of threat handling and/or route optimisation comprises: if the message exhibits spoofing behaviour and the attack threat is within the OpenFlow domain, the IDS policy server shields the attacking host through the SDN controller; if the attack threat is not within the OpenFlow domain, the SDN controller redirects the traffic of the OF switch access port corresponding to the message to the traffic cleaning centre for filtering. If the message exhibits abnormal behaviour, the IDS policy server shields the traffic of the attacking program or attacking host through the SDN controller. Concretely, for a destruction message attack, the message being handled has already passed the deception packet check in the IDS device, so its address is genuine; the IDS policy server only needs to issue, through the northbound interface of the SDN controller, a flow entry whose action is Drop to shield the traffic of the attacking program or attacking host. This is, however, a coarse-grained decision, suitable only for destruction message attacks with a small number of attack packets. If the message carries a flooding attack, the IDS policy server has the SDN controller redirect the traffic of the OF switch access port corresponding to the message to the traffic cleaning centre for filtering; optionally, the security devices of the traffic cleaning centre can also feed the protection result back to the SDN controller to adjust the network policy, achieving multi-dimensional protection where SDN and legacy networks are mixed. After an attacking host is shielded, a shielding time and a shield threshold are set: the shielding time limits how long the attacking host is shielded, and when the number of times the attacking host has been shielded exceeds the shield threshold, the host is shielded permanently.
As another preferred embodiment of the sampling inspection, after a host is judged to be an attacking host, its data transmission is restored once the shielding time has elapsed, but the sampling interval for that host's data is adjusted so that it is inspected more densely, i.e. intensified sampling.
Further, the optimised path is computed from the link load coefficient: the link remaining bandwidth between two adjacent nodes is measured to obtain the load coefficient of that link; the optimal path between any two points is obtained from this load coefficient and the initialised network topology graph, and the SDN controller derives the corresponding forwarding flow entries from this optimal path and issues them to each OF switch.
The specific algorithm flow for the optimised path is as follows:
The method by which the IDS policy server shields the program that sends the message and/or the attacking host comprises:
First, building the corresponding counting hash tables and setting the corresponding thresholds, namely
building in the IDS policy server, per unit time, a first hash table counting spoofing behaviour, a second hash table counting abnormal flag-bit setting, and a third hash table counting flooding attacks, and setting the first, second and third thresholds in the first, second and third hash tables respectively. Secondly, shielding the program that sends the message and/or the attacking host, namely: for the behaviour of a message passed to the IDS policy server, the corresponding hash table is used to count, and when the count exceeds the corresponding threshold, the program that sent the message and/or the attacking host is shielded.
It should be understood that the above embodiments of the present invention serve only to illustrate or explain the principle of the invention and are not to be construed as limiting it. Therefore, any modification, equivalent replacement, improvement, etc. made without departing from the spirit and scope of the invention shall be included within the scope of protection of the invention. Furthermore, the appended claims are intended to cover all changes and modifications falling within the scope and boundaries of the claims, or within equivalents of that scope and those boundaries.
Guided by the preferred embodiments described above, those skilled in the art may make various changes and modifications without departing from the technical idea of the invention. The technical scope of the invention is not limited to the content of the description and must be determined by the claims.

Claims (10)

1. A network security protection system, characterised by comprising: an SDN controller, an IDS policy server and an IDS device;
the IDS device is adapted to sample-inspect messages, i.e. when the IDS device detects a message with DDoS attack features, it reports the message to the IDS policy server;
the IDS policy server is adapted to formulate, from the reported information, a handling policy corresponding to the message with DDoS attack features, and to issue this handling policy to the SDN controller for threat handling.
2. The network security protection system according to claim 1, characterised in that the IDS device comprises:
a timing module, which sets the sampling inspection interval for messages;
a deception packet check module, which detects link-layer and network-layer address spoofing;
a destruction packet check module, which detects abnormal setting of network-layer and transport-layer flag bits;
an exception message detection module, which detects application-layer and transport-layer flooding attacks;
within each interval the message is checked in turn by the deception packet check module, the destruction packet check module and the exception message detection module; and if any detection module detects that the message exhibits the corresponding behaviour above, the message is passed to the IDS policy server.
3. The network security protection system according to claim 2, characterised in that
the IDS policy server is adapted, when the message exhibits spoofing behaviour and the attack threat is within the OpenFlow domain, to shield the attacking host through the SDN controller; or, when the attack threat is not within the OpenFlow domain, to have the SDN controller redirect the traffic of the OF switch access port corresponding to the message to the traffic cleaning centre for filtering;
the IDS policy server is further adapted, when the message exhibits abnormal behaviour, to shield the traffic of the attacking program or attacking host through the SDN controller; and
when the message carries a flooding attack, the IDS policy server is adapted to have the SDN controller redirect the traffic of the OF switch access port corresponding to the message to the traffic cleaning centre for filtering.
4. The network security protection system according to claim 3, characterised in that a shielding timing module and a guard counter are provided in the SDN controller; the shielding timing module holds a shielding time that limits how long an attacking host is shielded; the guard counter holds a shield threshold, and when the number of times an attacking host has been shielded exceeds this threshold, the attacking host is shielded permanently.
5. A working method of a network security protection system, comprising the steps of:
Step S100, initial configuration;
Step S200, the IDS device performs DDoS threat sampling inspection at a preset interval; and
Step S300, according to the threat detection, a corresponding handling policy is formulated and issued to the SDN controller for threat handling.
6. The working method of the network security protection system according to claim 5, characterised in that
in step S100 the initial configuration steps are as follows:
Step S101, a dedicated SSL communication channel is established between the IDS policy server and the IDS device of the network security protection system;
Step S102, the SDN controller builds the network device information binding table and updates it in real time to the IDS device;
Step S104, the SDN controller mirrors the traffic of all OF switch ports with hosts attached to the IDS device of the corresponding network domain; and
Step S105, the SDN controller issues DDoS threat identification rules to the IDS device.
7. The working method of the network security protection system according to claim 6, characterised in that in step S200 the method by which the IDS device performs DDoS threat sampling inspection at the preset interval comprises:
within the preset interval, inspecting the message in turn for link-layer and network-layer address spoofing, abnormal setting of network-layer and transport-layer flag bits, and application-layer and transport-layer flooding attacks;
if any check in this process judges that the message exhibits the corresponding behaviour, passing the message to step S300.
8. The working method of the network security protection system according to claim 7, characterised in that
the method for detecting link-layer and network-layer address spoofing comprises:
detecting spoofing behaviour by the deception packet check module, namely
first, the deception packet check module calls the network device information binding table;
secondly, the deception packet check module parses the type of the message encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that uploaded this Packet-In message, and compares each of these with the corresponding information in the network device information binding table;
if the information in the message matches, the message proceeds to the next check;
if the information in the message does not match, the message is passed to step S300;
the method for detecting abnormal setting of network-layer and transport-layer flag bits comprises:
detecting abnormal flag-bit setting by the destruction packet check module, namely
checking each flag bit of the message to judge whether it conforms to the TCP/IP protocol specification;
if all flag bits of the message conform, the message proceeds to the next check;
if the flag bits of the message do not conform, the message is passed to step S300;
the method for sample-inspecting application-layer and transport-layer flooding attacks comprises:
detecting flooding attacks by the exception message detection module, namely
building in the exception message detection module the hash table for identifying flooding attack messages, judging from the threshold set in this hash table whether the message carries a flooding attack, and passing the judgement to step S300.
9. The working method of the network security protection system according to claim 8, characterised in that in step S300 the method of formulating the corresponding handling policy according to the threat detection and issuing it to the SDN controller for threat handling comprises:
if the message exhibits spoofing behaviour and the attack threat is within the OpenFlow domain, the IDS policy server shields the attacking host through the SDN controller; and when the attack threat is not within the OpenFlow domain, the SDN controller redirects the traffic of the OF switch access port corresponding to the message to the traffic cleaning centre for filtering;
if the message exhibits abnormal behaviour, the IDS policy server shields the traffic of the attacking program or attacking host through the SDN controller;
if the message carries a flooding attack, the IDS policy server has the SDN controller redirect the traffic of the OF switch access port corresponding to the message to the traffic cleaning centre for filtering;
after an attacking host is shielded, a shielding time and a shield threshold are set, the shielding time limiting how long the attacking host is shielded; and when the number of times the attacking host has been shielded exceeds the shield threshold, the attacking host is shielded permanently;
and/or the optimised path is computed from the link load coefficient: the link remaining bandwidth between two adjacent nodes is measured to obtain the load coefficient of that link, the optimal path between any two points is obtained from this load coefficient and the initialised network topology graph, and the SDN controller derives the corresponding forwarding flow entries from this optimal path and issues them to each OF switch.
10. The working method of the network security protection system according to claim 9, characterised in that the method by which the IDS policy server shields the program sending the message and/or the attacking host comprises:
first, building the corresponding counting hash tables and setting the corresponding thresholds, namely
building in the IDS policy server, per unit time, a first hash table counting spoofing behaviour, a second hash table counting abnormal flag-bit setting, and a third hash table counting flooding attacks;
and setting the first, second and third thresholds in the first, second and third hash tables respectively;
secondly, shielding the program sending the message and/or the attacking host, namely
for the behaviour of a message passed to the IDS policy server, counting with the corresponding hash table, and when the count exceeds the corresponding threshold, shielding the program sending the message and/or the attacking host.
Application CN201510011590.2A, priority date 2015-01-09, filing date 2015-01-09: A network security protection system based on software definition and its working method (Active; granted as CN104539625B).

Publications (2)

Publication Number | Publication Date
CN104539625A (application) | 2015-04-22
CN104539625B (granted patent) | 2017-11-14

Family

ID=52855094

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510011590.2A Active CN104539625B (en) 2015-01-09 2015-01-09 A kind of network security protection system and its method of work based on software definition

Country Status (1)

Country Link
CN (1) CN104539625B (en)

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN105516091A (en) * 2015-11-27 2016-04-20 武汉邮电科学研究院 Secure flow filter and filtering method based on software defined network (SDN) controller
CN105516129A (en) * 2015-12-04 2016-04-20 重庆邮电大学 Method and device for blocking botnet control channel based on SDN (Software Defined Network) technology
CN106168757A (en) * 2015-05-22 2016-11-30 费希尔-罗斯蒙特系统公司 Configurable robustness agency in factory safety system
CN107018084A (en) * 2017-04-12 2017-08-04 南京工程学院 DDOS attack defending against network security system and method based on SDN frameworks
CN107070851A (en) * 2015-11-09 2017-08-18 韩国电子通信研究院 The system and method that the generation of connection fingerprint and stepping-stone based on network flow are reviewed
CN107070714A (en) * 2017-04-10 2017-08-18 中国人民解放军国防科学技术大学 A kind of SDN abnormality monitoring method
CN107483448A (en) * 2017-08-24 2017-12-15 中国科学院信息工程研究所 A kind of network security detection method and detecting system
CN107547308A (en) * 2017-07-28 2018-01-05 新华三技术有限公司 A kind of controller in message mirror-image method, device, software defined network SDN
CN108028835A (en) * 2015-09-10 2018-05-11 阿尔卡特朗讯 automatic configuration server and method
CN108183864A (en) * 2018-01-29 2018-06-19 中国人民解放军国防科技大学 IDS feedback-based software-defined network flow sampling method and system
CN108259466A (en) * 2017-12-08 2018-07-06 中国联合网络通信集团有限公司 DDoS flow reinjection method, SDN controller and network system
CN108289104A (en) * 2018-02-05 2018-07-17 重庆邮电大学 Industrial SDN network DDoS attack detection and mitigation method
CN108306888A (en) * 2018-02-05 2018-07-20 刘昱 Network protection method and device based on SDN, and storage medium
CN108881005A (en) * 2017-05-15 2018-11-23 华为国际有限公司 System and method for detecting routing loops in a software-defined network (SDN)
CN108881324A (en) * 2018-09-21 2018-11-23 电子科技大学 Distributed DoS attack detection and defense method for SDN networks
CN109600393A (en) * 2019-01-17 2019-04-09 安徽云探索网络科技有限公司 Monitoring method for network security
CN110381089A (en) * 2019-08-23 2019-10-25 南京邮电大学 Malicious domain name detection and defense method based on deep learning
CN111092840A (en) * 2018-10-23 2020-05-01 中兴通讯股份有限公司 Processing strategy generation method, system and storage medium
CN111147516A (en) * 2019-12-31 2020-05-12 中南民族大学 SDN-based dynamic interconnection and intelligent routing decision system and method for security equipment
CN111490989A (en) * 2020-04-10 2020-08-04 全球能源互联网研究院有限公司 Network system, attack detection method and device and electronic equipment
CN112367213A (en) * 2020-10-12 2021-02-12 中国科学院计算技术研究所 SDN (software defined network) -oriented strategy anomaly detection method, system, device and storage medium
TWI723517B (en) * 2019-08-26 2021-04-01 新加坡商鴻運科股份有限公司 Method for preventing distributed denial of service attack and related equipment
CN112769849A (en) * 2021-01-19 2021-05-07 杭州迪普科技股份有限公司 Method, system, equipment and storage medium for virus confirmation and blocking
CN112804198A (en) * 2020-12-29 2021-05-14 贵州大学 Anti-DDoS controller message scheduling method based on network state
CN113364797A (en) * 2021-06-18 2021-09-07 广东省新一代通信与网络创新研究院 Network system for preventing DDoS attack

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060282893A1 (en) * 2005-06-10 2006-12-14 D-Link Corporation Network information security zone joint defense system
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN102487339A (en) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 Attack preventing method for network equipment and device
CN103095716A (en) * 2013-01-28 2013-05-08 北京航空航天大学 Computer network defense decision-making system
CN104539594A (en) * 2014-12-17 2015-04-22 南京晓庄学院 SDN (software defined network) framework, system and working method combining DDoS (distributed denial of service) threat filtering and routing optimization

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106168757A (en) * 2015-05-22 2016-11-30 费希尔-罗斯蒙特系统公司 Configurable robustness agent in a plant safety system
CN106168757B (en) * 2015-05-22 2022-03-18 费希尔-罗斯蒙特系统公司 Configurable robustness agent in a plant safety system
CN108028835A (en) * 2015-09-10 2018-05-11 阿尔卡特朗讯 Automatic configuration server and method
CN105282169B (en) * 2015-11-04 2018-08-24 中国电子科技集团公司第四十一研究所 DDoS attack early-warning method and system based on SDN controller thresholds
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN107070851A (en) * 2015-11-09 2017-08-18 韩国电子通信研究院 System and method for connection fingerprint generation and stepping-stone tracing based on network flow
CN107070851B (en) * 2015-11-09 2020-07-14 韩国电子通信研究院 System and method for connecting fingerprint generation and stepping stone tracing based on network flow
CN105516091A (en) * 2015-11-27 2016-04-20 武汉邮电科学研究院 Secure flow filter and filtering method based on software defined network (SDN) controller
CN105516091B (en) * 2015-11-27 2018-09-25 武汉邮电科学研究院 Secure flow filter and filtering method based on SDN controller
CN105516129A (en) * 2015-12-04 2016-04-20 重庆邮电大学 Method and device for blocking botnet control channel based on SDN (Software Defined Network) technology
CN107070714A (en) * 2017-04-10 2017-08-18 中国人民解放军国防科学技术大学 SDN anomaly monitoring method
CN107070714B (en) * 2017-04-10 2019-06-21 中国人民解放军国防科学技术大学 SDN network anomaly monitoring method
CN107018084B (en) * 2017-04-12 2020-10-27 南京工程学院 DDoS attack defense network security method based on SDN architecture
CN107018084A (en) * 2017-04-12 2017-08-04 南京工程学院 DDoS attack defense network security system and method based on SDN architecture
CN108881005A (en) * 2017-05-15 2018-11-23 华为国际有限公司 System and method for detecting routing loops in a software-defined network (SDN)
CN107547308A (en) * 2017-07-28 2018-01-05 新华三技术有限公司 Message mirroring method and device, and controller in a software-defined network (SDN)
CN107483448A (en) * 2017-08-24 2017-12-15 中国科学院信息工程研究所 Network security detection method and detection system
CN108259466B (en) * 2017-12-08 2020-06-05 中国联合网络通信集团有限公司 DDoS flow reinjection method, SDN controller and network system
CN108259466A (en) * 2017-12-08 2018-07-06 中国联合网络通信集团有限公司 DDoS flow reinjection method, SDN controller and network system
CN108183864B (en) * 2018-01-29 2020-12-04 中国人民解放军国防科技大学 IDS feedback-based software-defined network flow sampling method and system
CN108183864A (en) * 2018-01-29 2018-06-19 中国人民解放军国防科技大学 IDS feedback-based software-defined network flow sampling method and system
CN108289104B (en) * 2018-02-05 2020-07-17 重庆邮电大学 Industrial SDN network DDoS attack detection and mitigation method
CN108289104A (en) * 2018-02-05 2018-07-17 重庆邮电大学 Industrial SDN network DDoS attack detection and mitigation method
CN108306888A (en) * 2018-02-05 2018-07-20 刘昱 Network protection method and device based on SDN, and storage medium
CN108306888B (en) * 2018-02-05 2022-05-27 刘昱 Network protection method and device based on SDN and storage medium
CN108881324A (en) * 2018-09-21 2018-11-23 电子科技大学 Distributed DoS attack detection and defense method for SDN networks
CN111092840A (en) * 2018-10-23 2020-05-01 中兴通讯股份有限公司 Processing strategy generation method, system and storage medium
CN109600393A (en) * 2019-01-17 2019-04-09 安徽云探索网络科技有限公司 Monitoring method for network security
CN110381089A (en) * 2019-08-23 2019-10-25 南京邮电大学 Malicious domain name detection and defense method based on deep learning
TWI723517B (en) * 2019-08-26 2021-04-01 新加坡商鴻運科股份有限公司 Method for preventing distributed denial of service attack and related equipment
CN111147516A (en) * 2019-12-31 2020-05-12 中南民族大学 SDN-based dynamic interconnection and intelligent routing decision system and method for security equipment
CN111490989A (en) * 2020-04-10 2020-08-04 全球能源互联网研究院有限公司 Network system, attack detection method and device and electronic equipment
CN112367213A (en) * 2020-10-12 2021-02-12 中国科学院计算技术研究所 SDN (software defined network) -oriented strategy anomaly detection method, system, device and storage medium
CN112804198A (en) * 2020-12-29 2021-05-14 贵州大学 Anti-DDoS controller message scheduling method based on network state
CN112804198B (en) * 2020-12-29 2022-11-04 贵州大学 Anti-DDoS controller message scheduling method based on network state
CN112769849A (en) * 2021-01-19 2021-05-07 杭州迪普科技股份有限公司 Method, system, equipment and storage medium for virus confirmation and blocking
CN112769849B (en) * 2021-01-19 2023-06-09 杭州迪普科技股份有限公司 Method, system, equipment and storage medium for virus diagnosis and blocking
CN113364797A (en) * 2021-06-18 2021-09-07 广东省新一代通信与网络创新研究院 Network system for preventing DDoS attack

Also Published As

Publication number Publication date
CN104539625B (en) 2017-11-14

Similar Documents

Publication Publication Date Title
CN104539625A (en) Network security defense system based on software-defined network and working method of network security defense system
CN104539594B (en) SDN architecture, system and working method combining DDoS threat filtering and routing optimization
CN104660582B (en) Software-defined network architecture for DDoS identification, protection and path optimization
CN104468636A (en) SDN structure for DDoS threatening filtering and link reallocating and working method
CN104539595B (en) SDN architecture and working method integrating threat handling and routing optimization
CN104378380A (en) System and method for identifying and preventing DDoS attacks on basis of SDN framework
US7743415B2 (en) Denial of service attacks characterization
US7124440B2 (en) Monitoring network traffic denial of service attacks
US7043759B2 (en) Architecture to thwart denial of service attacks
US7836498B2 (en) Device to protect victim sites during denial of service attacks
US7278159B2 (en) Coordinated thwarting of denial of service attacks
US7398317B2 (en) Thwarting connection-based denial of service attacks
US7702806B2 (en) Statistics collection for network traffic
US7743134B2 (en) Thwarting source address spoofing-based denial of service attacks
US9166990B2 (en) Distributed denial-of-service signature transmission
KR100882809B1 (en) DDoS PROTECTION SYSTEM AND METHOD IN PER-FLOW BASED PACKET PROCESSING SYSTEM
CN105871773A (en) DDoS filtering method based on SDN network architecture
CN109327426A (en) Firewall attack defense method
CN105871771A (en) SDN network architecture aimed at DDoS network attack
CN105871772A (en) Working method of SDN network architecture aimed at network attack
Mopari et al. Detection and defense against DDoS attack with IP spoofing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20150422

Assignee: Nantong Ledeli Intelligent Technology Co., Ltd.

Assignor: Jiangsu University of Technology

Contract record no.: 2019320000018

Denomination of invention: Network security defense system based on software-defined network and working method of network security defense system

Granted publication date: 20171114

License type: Exclusive License

Record date: 20190219

EC01 Cancellation of recordation of patent licensing contract

Assignee: Nantong Ledeli Intelligent Technology Co., Ltd.

Assignor: Jiangsu Institute of Technology

Contract record no.: 2019320000018

Date of cancellation: 20211110

TR01 Transfer of patent right

Effective date of registration: 20211130

Address after: Room 2411-2412, building 4, No. 9, Taihu East Road, Xinbei District, Changzhou City, Jiangsu Province

Patentee after: Changzhou Malafeng Network Technology Co., Ltd.

Address before: 213001, No. 1801, Wu Cheng Road, bell tower, Changzhou, Jiangsu

Patentee before: Jiangsu University of Technology