CN104883362A - Method and device for controlling abnormal access behaviors - Google Patents


Info

Publication number
CN104883362A
Authority
CN
China
Prior art keywords
access
packet
attack
network
behavior
Legal status
Pending
Application number
CN201510236254.8A
Other languages
Chinese (zh)
Inventor
张宏科
王铭鑫
陈佳
周华春
苏伟
王洪超
朱佳佳
Current Assignee
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for controlling abnormal access behaviors and belongs to the field of network security. The method comprises: receiving at least one piece of flow summary information sent by an access forwarding device; determining, from the received flow summary information, whether an attack behavior exists in the network; if so, generating a first flow table rule from the flow summary information; and sending the first flow table rule to the access forwarding device, which then refuses to forward the packets restricted by the first flow table rule. The method and device solve the prior-art problem that a mapping server which analyzes mapping requests to decide whether an attack exists cannot, in some cases, correctly recognize an attack that is actually present, and achieve the effect of correctly recognizing various attack behaviors and safeguarding network security.

Description

Method and device for controlling abnormal access behaviors
Technical field
The present invention relates to the field of network security, and in particular to a method and device for controlling abnormal access behaviors.
Background art
The integrated identification network divides the network into an access network and a backbone network and introduces the Access Identifier (AID) and the Routing Identifier (RID). This fundamentally resolves the dual-attribute problem of the Internet Protocol (IP) address, which today serves as both identity and locator, and the architecture integrates well with the existing Internet.
In the integrated identification network, after an access forwarding device receives a packet it looks up whether it holds the mapping between the packet's target AID and the RID that must replace it. If no such mapping exists, it sends a mapping request to the mapping server to obtain the RID corresponding to the target AID, replaces the target AID in the received packet with that RID, and forwards the packet using the RID. The mapping server can analyze the mapping requests sent by the access forwarding devices to decide whether an attack is present in the current network; for example, when the mapping requests all ask for the same target AID, this indicates a Distributed Denial of Service (DDoS) attack.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem: when the mapping server analyzes mapping requests to decide whether an attack exists, in some cases it cannot correctly recognize an attack that is present. For example, several attacking terminals send packets with the same target AID to access forwarding devices at different times. The access forwarding devices then do not request the mapping for that target AID from the mapping server at the same moment, but each obtains it separately, so the mapping server does not judge these requests to be an attack. Once each access forwarding device has obtained the mapping for the same target AID, it forwards the packets subsequently sent by the attacking terminals directly using the stored mapping, and the attacking terminals complete the DDoS attack.
Summary of the invention
To solve the prior-art problem that the mapping server, when analyzing mapping requests to decide whether an attack exists in the network, cannot correctly recognize an attack in some cases, embodiments of the present invention provide a method and device for controlling abnormal access behaviors. The technical solution is as follows:
In a first aspect, a method for controlling abnormal access behaviors is provided, the method comprising:
receiving flow summary information sent by at least one access forwarding device, the flow summary information being obtained by the access forwarding device classifying each received packet into a flow and filling the key information of a flow into a flow template, where the packets of one flow share the same key information;
using the received flow summary information to determine whether an attack behavior exists in the network;
if it is determined that an attack behavior exists in the network, generating a first flow table rule from the flow summary information, the first flow table rule indicating that packets whose header carries the key information in that flow summary information are not to be forwarded;
sending the first flow table rule to the access forwarding device, which then refuses to forward the packets matching the restriction defined by the first flow table rule;
wherein the key information comprises the source access identifier, the destination access identifier, the source port number, the destination port number and the protocol type.
Optionally, using the received flow summary information to determine whether an attack behavior exists in the network comprises:
extracting the key information from the flow summary information and storing the extracted key information as a flow summary record;
performing entropy quantification on a predetermined number of flow summary records to obtain an entropy vector;
inputting the obtained entropy vector into a classification model to obtain the classified access behavior type, the access behavior type being a normal access behavior or an attack access behavior, and the attack access behavior being a Denial of Service (DoS) attack, a Distributed Denial of Service (DDoS) attack or a Distributed Reflection Denial of Service (DRDoS) attack.
Optionally, generating the first flow table rule from the flow summary information comprises:
generating, from the key information in the flow summary information, a first flow table rule indicating that packets whose header carries that key information are not to be forwarded.
Optionally, the method further comprises:
continuously receiving mapping requests sent by at least two access forwarding devices after they receive packets, a mapping request requesting the mapping between the access identifier in the packet header and the routing identifier used for routing in the integrated identification network, together with the forwarding path of the packet;
pre-judging, from each mapping request, whether an attack behavior is about to be produced in the network;
if it is pre-judged from the mapping requests that an attack behavior is about to be produced in the network, generating a second flow table rule that forbids forwarding packets whose header carries that access identifier;
sending the second flow table rule to each access forwarding device.
Optionally, pre-judging from each mapping request whether an attack behavior is about to be produced in the network comprises:
detecting whether the target access identifiers among the access identifiers in the mapping requests are identical, and if the target access identifier is the same in every mapping request, judging that the attack behavior about to be produced in the network is of the DDoS type;
or,
detecting whether the source access identifiers among the access identifiers in the mapping requests are identical, and if the source access identifier is the same in every mapping request, judging that the attack behavior about to be produced in the network is of the DRDoS type.
In a second aspect, a device for controlling abnormal access behaviors is provided, the device comprising:
a first receiving module, for receiving flow summary information sent by at least one access forwarding device, the flow summary information being obtained by the access forwarding device classifying each received packet into a flow and filling the key information of a flow into a flow template, where the packets of one flow share the same key information;
a determining module, for using the flow summary information received by the first receiving module to determine whether an attack behavior exists in the network;
a first generating module, for generating, when the determining module determines that an attack behavior exists in the network, a first flow table rule from the flow summary information, the first flow table rule indicating that packets whose header carries the key information in that flow summary information are not to be forwarded;
a first sending module, for sending the first flow table rule generated by the first generating module to the access forwarding device, which then refuses to forward the packets matching the restriction defined by the first flow table rule;
wherein the key information comprises the source access identifier, the destination access identifier, the source port number, the destination port number and the protocol type.
Optionally, the determining module comprises:
an extracting unit, for extracting the key information from the flow summary information and storing the extracted key information as a flow summary record;
a quantifying unit, for performing entropy quantification on a predetermined number of flow summary records to obtain an entropy vector;
a classifying unit, for inputting the entropy vector obtained by the quantifying unit into a classification model to obtain the classified access behavior type, the access behavior type being a normal access behavior or an attack access behavior, and the attack access behavior being a DoS attack, a DDoS attack or a DRDoS attack.
Optionally, the first generating module is further configured to:
generate, from the key information in the flow summary information, a first flow table rule indicating that packets whose header carries that key information are not to be forwarded.
Optionally, the device further comprises:
a second receiving module, for continuously receiving mapping requests sent by at least two access forwarding devices after they receive packets, a mapping request requesting the mapping between the access identifier in the packet header and the routing identifier used for routing in the integrated identification network, together with the forwarding path of the packet;
a pre-judging module, for pre-judging, from each mapping request received by the second receiving module, whether an attack behavior is about to be produced in the network;
a second generating module, for generating, when the pre-judging module pre-judges from the mapping requests that an attack behavior is about to be produced in the network, a second flow table rule that forbids forwarding packets whose header carries that access identifier;
a second sending module, for sending the second flow table rule generated by the second generating module to each access forwarding device.
Optionally, the pre-judging module comprises:
a first judging unit, for detecting whether the target access identifiers in the mapping requests received by the second receiving module are identical, and if the target access identifier is the same in every mapping request, judging that the attack behavior about to be produced in the network is of the DDoS type;
or,
a second judging unit, for detecting whether the source access identifiers in the mapping requests received by the second receiving module are identical, and if the source access identifier is the same in every mapping request, judging that the attack behavior about to be produced in the network is of the DRDoS type.
The technical solution provided by the embodiments of the present invention has the following beneficial effects:
The key information of the packets obtained by each access forwarding device is collected, and this key information is used to determine whether an attack behavior exists in the network; if so, a rule is generated that forbids forwarding the packets produced by the attack. Because the attack behavior is judged from the key information of the packets themselves, the judgment reflects the real current state of the network more faithfully. This solves the prior-art problem that the mapping server, when analyzing mapping requests to decide whether an attack exists, cannot correctly recognize an attack in some cases, and achieves the effect that the various attack behaviors are all correctly recognized and, once the network is known to be under attack, the access forwarding devices are instructed not to forward the packets belonging to the attack, thereby safeguarding network security.
Accompanying drawing explanation
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the implementation environment of the method for controlling abnormal access behaviors provided in some embodiments of the present invention;
Fig. 2 is a flowchart of the method for controlling abnormal access behaviors provided in one embodiment of the present invention;
Fig. 3 is a flowchart of the method for controlling abnormal access behaviors provided in another embodiment of the present invention;
Fig. 4 is a flowchart of the method for controlling abnormal access behaviors provided in another embodiment of the present invention;
Fig. 5A is a flowchart of the method for controlling abnormal access behaviors provided in another embodiment of the present invention;
Fig. 5B is a flowchart of the method for controlling abnormal access behaviors provided in another embodiment of the present invention;
Fig. 6 is a structural diagram of the device for controlling abnormal access behaviors provided in one embodiment of the present invention;
Fig. 7 is a structural diagram of the device for controlling abnormal access behaviors provided in another embodiment of the present invention;
Fig. 8 is a structural diagram of the device for controlling abnormal access behaviors provided in another embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Fig. 1 is a schematic diagram of the implementation environment of the method for controlling abnormal access behaviors provided in some embodiments of the present invention. The implementation environment comprises an access network 110 and an integrated identification network 120.
The access network 110 comprises at least one mobile terminal 111 held by a user; the mobile terminal 111 may be a smartphone, a tablet computer with call capability, a multimedia player, a wearable device, or the like.
The integrated identification network 120 may comprise an access forwarding device 130, which may be a Gateway GPRS Support Node (GGSN).
The integrated identification network 120 may further comprise a forwarding device 121 and a policy device 122. The policy device 122 may be part of the mapping server 123, a device that contains the mapping server 123, or a device independent of the mapping server 123.
Optionally, the policy device 122 may be a single device or a cluster of several devices; for example, the policy device 122 may comprise a security center device 122a and a master controller 122b.
The access forwarding device 130 in Fig. 1 belongs to both the access network 110 and the integrated identification network 120; that is, the access forwarding device 130 is the edge node at which the access network 110 and the integrated identification network 120 join.
Generally, after the access forwarding device 130 receives a packet sent by the mobile terminal 111, it replaces the source access identifier AID in the packet with a routing identifier RID that is recognized inside the integrated identification network 120, i.e. the source AID in the packet is replaced by a source RID; similarly, the target AID in the packet is replaced by a target RID, where the RID identifies a router in the integrated identification network 120. After its access identifiers have been replaced by the access forwarding device 130, the packet can be forwarded along the path inside the integrated identification network 120 that corresponds to the source RID and the target RID.
Optionally, after receiving a packet, the access forwarding device 130 obtains the source AID and the target AID from it. For the source AID, the access forwarding device 130 selects a RID from its own address pool, establishes a mapping between this source AID and the selected RID, stores the mapping in its local mapping table, and at the same time uploads the mapping to the mapping server 123 for storage; finally, it replaces the source AID in the packet with this RID.
For the target AID, the access forwarding device 130 first searches the peer mapping table it stores; this peer mapping table holds the RIDs of the other access forwarding devices and the mappings to the AIDs of the access devices connected to each of them.
In general, once an access forwarding device A has communicated once with a mobile terminal P, the mapping between the AID of the mobile terminal P and the RID of the access forwarding device to which P is connected is saved in the peer mapping table of access forwarding device A.
When the access forwarding device 130 does not find a mapping for the target AID in its peer mapping table, it sends a mapping request to the mapping/authentication server 123 to obtain the mapping for the target AID, and replaces the target AID in the packet with the RID from the mapping it obtains.
When the access forwarding device 130 has previously communicated with the access forwarding device to which the target AID is connected, it finds the mapping for the target AID in its peer mapping table and replaces the target AID in the packet with the RID from that mapping. Optionally, the access forwarding device 130 may also store an obtained mapping in its local remote mapping table.
The access forwarding device 130 then forwards the packet whose access identifiers have been replaced.
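The identifier replacement described above, written out as an added example (this is not code from the patent or from any implementation of the integrated identification network). It models one mapping server and two access forwarding devices with private RID address pools; the local mapping table, the peer mapping table and the mapping request are the structures the text names, while the class names, the RID pool contents, the AID strings and the request log are this example's own assumptions. The point it makes concrete is the one the text relies on later: once a target AID has been resolved, the peer mapping table answers every further packet with that header, so the mapping server sees exactly one request per header per device.

```python
from typing import Dict, List, Optional, Tuple


class MappingServer:
    """Constructed stand-in for the mapping/authentication server 123: stores the
    AID -> RID mappings uploaded by access forwarding devices and answers mapping
    requests. Every request is logged so the example can show how many were sent."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.requests: List[Tuple[str, str]] = []  # (requesting device, requested AID)

    def upload(self, aid: str, rid: str) -> None:
        self.table[aid] = rid

    def lookup(self, requester: str, aid: str) -> Optional[str]:
        self.requests.append((requester, aid))
        return self.table.get(aid)


class AccessForwardingDevice:
    """Model of access forwarding device 130: replaces AIDs with RIDs before forwarding."""

    def __init__(self, name: str, rid_pool: List[str], server: MappingServer) -> None:
        self.name = name
        self._pool = list(rid_pool)           # this device's address pool of RIDs (assumed)
        self.server = server
        self.local_map: Dict[str, str] = {}   # source AID -> RID taken from the pool
        self.peer_map: Dict[str, str] = {}    # target AID -> RID learned from the server

    def register_terminal(self, aid: str) -> str:
        """First contact of a terminal: take a RID from the pool, record the mapping
        locally and upload it to the mapping server."""
        rid = self.local_map.get(aid)
        if rid is None:
            if not self._pool:
                raise RuntimeError(f"{self.name}: RID address pool exhausted")
            rid = self._pool.pop(0)
            self.local_map[aid] = rid
            self.server.upload(aid, rid)
        return rid

    def _target_rid(self, dst_aid: str) -> str:
        """Peer mapping table first; only on a miss is a mapping request sent."""
        rid = self.peer_map.get(dst_aid)
        if rid is None:
            rid = self.server.lookup(self.name, dst_aid)
            if rid is None:
                raise LookupError(f"{self.name}: no mapping for target AID {dst_aid}")
            self.peer_map[dst_aid] = rid      # the optional remote mapping table
        return rid

    def handle(self, packet: Dict[str, str]) -> Dict[str, str]:
        """Replace source and target AID by RIDs; the result is what enters the backbone."""
        src_rid = self.register_terminal(packet["src_aid"])
        dst_rid = self._target_rid(packet["dst_aid"])
        return {"src_rid": src_rid, "dst_rid": dst_rid, "payload": packet["payload"]}


if __name__ == "__main__":
    # Constructed scenario: terminal AID-Q is attached to device B, AID-P to device A.
    srv = MappingServer()
    a = AccessForwardingDevice("AFD-A", ["RID-A1", "RID-A2"], srv)
    b = AccessForwardingDevice("AFD-B", ["RID-B1"], srv)
    b.register_terminal("AID-Q")
    for payload in ("first", "second"):
        print(a.handle({"src_aid": "AID-P", "dst_aid": "AID-Q", "payload": payload}))
    print("mapping requests seen by the server:", srv.requests)
```

A packet for an AID the server has never seen raises LookupError here; the text does not say what the device does in that case, so the example simply refuses to forward rather than guessing.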
To ensure that the packets involved in an attack can be controlled effectively, the embodiments of the present invention divide the integrated identification network 120 into a forwarding plane, consisting of the access forwarding devices 130 and the forwarding devices 121, and add a policy device 122 at the management plane. The policy device 122 at the management plane can then restrict and instruct the forwarding behavior of the access forwarding devices 130 at the forwarding plane, for example instructing the access forwarding devices 130 to drop the packets involved in an attack, or forbidding them to forward such packets. The process of controlling abnormal access behaviors in the integrated identification network is illustrated below through several embodiments.
Fig. 2 is a flowchart of the method for controlling abnormal access behaviors provided in one embodiment of the present invention. The method is described as applied in the policy device 122 of the implementation environment shown in Fig. 1, and comprises:
Step 201: receive flow summary information sent by at least one access forwarding device. Each piece of flow summary information is obtained by the access forwarding device classifying each received packet into a flow and filling the key information of a flow into a flow template; the packets of one flow share the same key information.
Generally, so that the policy device can learn whether a packet was produced by an attack, the access forwarding device extracts the key information from the header of each received packet and sends the extracted key information to the policy device.
Optionally, to reduce the amount of communication between the access forwarding device and the policy device, and thus the bandwidth consumed, the key information of several packets can be merged. Specifically, the access forwarding device classifies the packets obtained within a unit of time by their attributes; packets with the same attributes (i.e. the same key information) form one flow, and for each flow the key information corresponding to that flow is packed into one piece of flow summary information according to the flow template. The number of packets in a flow is therefore not fixed.
In general, besides the corresponding key information, each piece of flow summary information may also contain parameters such as the time at which the first packet of the flow was received, the time at which the last packet was received, and the number of bytes in each packet.
The key information referred to here generally comprises the source access identifier AID, the destination access identifier AID, the source port number, the destination port number and the protocol type, i.e. the so-called five-tuple of the packet.
Generally, one policy device is deployed per integrated identification network, and it receives the flow summary information sent by every access forwarding device in that network. Optionally, when the network contains many access forwarding devices, two or more policy devices can be deployed to reduce the processing load on each; each policy device then receives the flow summary information from its own access forwarding devices, and the policy devices share either the flow summary information or their determination results with one another.
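The flow summarization of step 201, as an added example that is not the patent's own code. It groups the packets received in each unit of time by five-tuple and fills one flow template per flow with the fields the text lists (key information, first and last packet time, per-packet byte sizes). The packet records, the one-second window, the field names and the `FlowSummary` class are this example's assumptions; the text fixes only which fields a summary carries, not their encoding.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Five-tuple key information: (src_aid, dst_aid, src_port, dst_port, proto)
Key = Tuple[str, str, int, int, str]

# Constructed packet records (not a capture from the page):
# (arrival time in seconds, src_aid, dst_aid, src_port, dst_port, proto, length in bytes)
PACKETS = [
    (0.00, "AID-1", "AID-9", 40001, 80, "TCP", 60),
    (0.05, "AID-1", "AID-9", 40001, 80, "TCP", 1500),
    (0.10, "AID-2", "AID-9", 40002, 80, "TCP", 60),
    (0.20, "AID-1", "AID-9", 40001, 80, "TCP", 1500),
    (1.10, "AID-3", "AID-7", 5353, 53, "UDP", 90),
    (1.40, "AID-2", "AID-9", 40002, 80, "TCP", 60),
    (2.05, "AID-1", "AID-9", 40001, 80, "TCP", 60),
]


@dataclass
class FlowSummary:
    """One filled flow template: key information plus the timing and size parameters."""
    src_aid: str
    dst_aid: str
    src_port: int
    dst_port: int
    proto: str
    first_seen: float
    last_seen: float
    packet_count: int = 0
    byte_count: int = 0
    packet_sizes: List[int] = field(default_factory=list)

    def key(self) -> Key:
        return (self.src_aid, self.dst_aid, self.src_port, self.dst_port, self.proto)

    def as_template(self) -> Dict[str, object]:
        """The record an access forwarding device would send to the policy device."""
        return {
            "key": self.key(),
            "first_seen": self.first_seen,
            "last_seen": self.last_seen,
            "packets": self.packet_count,
            "bytes": self.byte_count,
            "sizes": list(self.packet_sizes),
        }


def summarize_window(packets, window_start: float, window_len: float) -> List[FlowSummary]:
    """Classify the packets received in [window_start, window_start + window_len)
    into flows keyed by five-tuple and return one FlowSummary per flow."""
    flows: "OrderedDict[Key, FlowSummary]" = OrderedDict()
    end = window_start + window_len
    for ts, src, dst, sport, dport, proto, length in packets:
        if not (window_start <= ts < end):
            continue
        key = (src, dst, sport, dport, proto)
        fs = flows.get(key)
        if fs is None:
            fs = FlowSummary(src, dst, sport, dport, proto, first_seen=ts, last_seen=ts)
            flows[key] = fs
        fs.first_seen = min(fs.first_seen, ts)
        fs.last_seen = max(fs.last_seen, ts)
        fs.packet_count += 1
        fs.byte_count += length
        fs.packet_sizes.append(length)
    return list(flows.values())


def summarize_all(packets, window_len: float = 1.0) -> Dict[int, List[FlowSummary]]:
    """One batch of flow summaries per unit-time window: each batch is what the
    access forwarding device reports to the policy device for that window."""
    if not packets:
        return {}
    last_ts = max(p[0] for p in packets)
    n_windows = int(last_ts // window_len) + 1
    return {w: summarize_window(packets, w * window_len, window_len) for w in range(n_windows)}


if __name__ == "__main__":
    for window, batch in summarize_all(PACKETS).items():
        for fs in batch:
            print(window, fs.as_template())
```

With the constructed packets above, window 0 collapses four packets into two summaries, which is the bandwidth saving the text describes; a flow whose packets straddle a window boundary simply appears in both windows' batches.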
Step 202: use the received flow summary information to determine whether an attack behavior exists in the network.
For each piece of flow summary information, the policy device extracts the key information from it and stores the key information as a flow summary record, and determines from a predetermined number of flow summary records whether an attack behavior exists in the network.
Step 203: if it is determined that an attack behavior exists in the network, generate a first flow table rule from the flow summary information; the first flow table rule indicates that packets whose header carries the key information in that flow summary information are not to be forwarded.
If an attack behavior is determined to exist in the network, the policy device generates a first flow table rule from the flow summary information; the first flow table rule defines the attributes of the packets that must not be forwarded.
Step 204: send the first flow table rule to the access forwarding device, which then refuses to forward the packets matching the restriction defined by the first flow table rule.
The policy device can send the first flow table rule to each access forwarding device, and these access forwarding devices then refuse to forward the packets that match the first flow table rule.
In summary, the method for controlling abnormal access behaviors provided in this embodiment collects the key information of the packets obtained by each access forwarding device, uses that key information to determine whether an attack exists in the network, and, if so, generates a rule forbidding the forwarding of the attack packets. Because the judgment is based on the key information of the packets themselves, it reflects the real state of the network, solves the prior-art problem that the mapping server cannot correctly recognize an attack in some cases, and ensures that the access forwarding devices are instructed not to forward the packets belonging to the attack.
In one possible implementation, step 202 can obtain the access behavior type of the packets through a classifier; that is, step 202 in Fig. 2 can be replaced by steps 202a to 202c in Fig. 3, which are described as follows:
Step 202a: obtain a predetermined number of stored flow summary records, each flow summary record consisting of the key information extracted from one piece of flow summary information.
Step 202b: perform entropy quantification on the predetermined number of flow summary records to obtain an entropy vector.
For example, let an attribute X of the flow summary information take N distinct values in the measured data, and write X = {n_i, i = 1, 2, ..., N}, where n_i is the number of times value i occurs and S = n_1 + n_2 + ... + n_N is the total number of occurrences. The information entropy of attribute X over this set of records is then:
$$H(X) = -\sum_{i=1}^{N} \frac{n_i}{S} \log_2 \frac{n_i}{S}$$
The information entropy lies in the interval [0, log_2 N]: it is 0 when only one value occurs and reaches log_2 N when all N values occur equally often.
Under normal conditions, the entropies of the five-tuple fields of the key information in a unit of traffic (one piece of flow summary information, a predetermined number of pieces, or the pieces received within a predetermined period) are fairly stable, whereas abnormal traffic of different proportions and types changes these entropies noticeably. Because abnormal traffic alters the microstructure and the heavy-tailed distribution of the network traffic, the mean information entropy per unit of traffic necessarily changes significantly; anomaly detection on all kinds of traffic can therefore be converted into classification on entropy.
Step 202c: input the obtained entropy vector into a classification model to obtain the classified access behavior type.
The access behavior type is a normal access behavior or an attack access behavior, the attack access behavior being a DoS attack, a DDoS attack, a DRDoS attack, or the like.
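Steps 202a to 202c carried out on constructed flow summary records, as an added example that is not the patent's own code. It computes H(X) for each five-tuple field exactly as defined above, normalizes each entropy by log2 N so that the vector components are comparable across batches, and then labels the batch. The patent does not say which classification model it uses, so the fixed thresholds in `classify` are this example's stand-in for a trained model, chosen from the entropy behaviour the text describes: a DDoS concentrates the destination AID while the source AIDs stay diverse, a DRDoS concentrates the (spoofed) source AID across many destinations, and a single-source DoS concentrates both. The batches, AID strings, thresholds and class names are all assumptions.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# A flow summary record is the five-tuple key information.
Record = Tuple[str, str, int, int, str]
FIELDS = ("src_aid", "dst_aid", "src_port", "dst_port", "proto")


def entropy(values: Sequence) -> float:
    """H(X) = -sum_i (n_i / S) * log2(n_i / S) over the distinct values of one attribute."""
    counts = Counter(values)
    s = sum(counts.values())
    if s == 0:
        return 0.0
    return -sum((n / s) * math.log2(n / s) for n in counts.values())


def entropy_vector(records: Sequence[Record]) -> Dict[str, float]:
    """Raw entropy of each five-tuple field over a predetermined batch of records."""
    return {name: entropy([r[i] for r in records]) for i, name in enumerate(FIELDS)}


def normalized_entropy_vector(records: Sequence[Record]) -> Dict[str, float]:
    """Entropy divided by its maximum log2(N), so every component lies in [0, 1]
    whatever the number of distinct values N seen in the batch (assumed normalization)."""
    vec: Dict[str, float] = {}
    for i, name in enumerate(FIELDS):
        column = [r[i] for r in records]
        n_distinct = len(set(column))
        vec[name] = entropy(column) / math.log2(n_distinct) if n_distinct > 1 else 0.0
    return vec


def classify(vec: Dict[str, float], low: float = 0.3, high: float = 0.7) -> str:
    """ASSUMPTION: a threshold rule stands in for the unspecified classification model."""
    src, dst = vec["src_aid"], vec["dst_aid"]
    if dst <= low and src >= high:
        return "DDoS"      # many sources hammering one target AID
    if dst <= low and src <= low:
        return "DoS"       # one source, one target
    if src <= low and dst >= high:
        return "DRDoS"     # one spoofed source AID spread over many reflectors
    return "normal"


def detect(records: Sequence[Record]) -> Tuple[str, Dict[str, float]]:
    """Steps 202b and 202c together: entropy vector, then access behavior type."""
    vec = normalized_entropy_vector(records)
    return classify(vec), vec


# Constructed batches of eight flow summary records each (not data from the page).
NORMAL: List[Record] = [
    ("AID-11", "AID-21", 40001, 80, "TCP"),
    ("AID-12", "AID-22", 40002, 443, "TCP"),
    ("AID-13", "AID-23", 40003, 53, "UDP"),
    ("AID-14", "AID-21", 40004, 80, "TCP"),
    ("AID-15", "AID-24", 40005, 443, "TCP"),
    ("AID-16", "AID-25", 40006, 22, "TCP"),
    ("AID-11", "AID-22", 40007, 443, "TCP"),
    ("AID-17", "AID-26", 40008, 80, "TCP"),
]
DDOS: List[Record] = [(f"AID-A{i}", "AID-V", 50000 + i, 80, "TCP") for i in range(1, 9)]
DOS: List[Record] = [("AID-A1", "AID-V", 50000 + i, 80, "TCP") for i in range(1, 9)]
# Reflection: puppets forge the victim's AID as source and hit eight different reflectors.
DRDOS: List[Record] = [("AID-V", f"AID-R{i}", 40000, 53, "UDP") for i in range(1, 9)]

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL), ("ddos", DDOS), ("dos", DOS), ("drdos", DRDOS)):
        label, vec = detect(batch)
        print(f"{name:7s} -> {label:7s} {vec}")
```

The raw entropies are what the text calls the entropy vector; the normalized form is added here only so that the thresholds do not depend on batch size. A real deployment would replace `classify` with the trained model the patent leaves unspecified, trained on entropy vectors labelled per batch.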
Correspondingly, step 203 in Fig. 2 can also be replaced by the following step 203a.
Step 203a: generate, from the key information in the flow summary information, a first flow table rule indicating that packets whose header carries that key information are not to be forwarded.
For example, when the key information comprises source AID1, target AID1, source port 1, target port 1 and protocol type 1, the generated first flow table rule may indicate that packets whose header contains source AID1, target AID1, source port 1, target port 1 and protocol type 1 must not be forwarded.
Obviously, for attacks in scenarios below the network layer, the packets that the first flow table rule forbids forwarding can also be restricted by information such as the source MAC address and the destination MAC address.
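Step 203a and its enforcement at the access forwarding device, as an added example that is not the patent's own code. The text says only that the first flow table rule forbids forwarding packets whose header carries the key information of the attack flow, optionally extended with MAC addresses; the `FirstFlowRule` class, the wildcard convention (a field left as None is not constrained), the header dictionaries and the constructed attack key are this example's own choices.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_FIELDS = ("src_aid", "dst_aid", "src_port", "dst_port", "proto", "src_mac", "dst_mac")


@dataclass(frozen=True)
class FirstFlowRule:
    """Forbid forwarding any packet whose header carries every constrained field.
    A field left as None is a wildcard (assumed representation)."""
    src_aid: Optional[str] = None
    dst_aid: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    action: str = "drop"

    def matches(self, header: Dict[str, object]) -> bool:
        for name in HEADER_FIELDS:
            wanted = getattr(self, name)
            if wanted is not None and header.get(name) != wanted:
                return False
        return True


def rule_from_key_info(key_info: Dict[str, object], with_mac: bool = False) -> FirstFlowRule:
    """Step 203a: pin the five-tuple of the attack flow summary; with_mac=True also
    pins the link-layer addresses for attacks below the network layer."""
    fields = {name: key_info[name] for name in ("src_aid", "dst_aid", "src_port", "dst_port", "proto")}
    if with_mac:
        fields["src_mac"] = key_info["src_mac"]
        fields["dst_mac"] = key_info["dst_mac"]
    return FirstFlowRule(**fields)


class ForwardingPlane:
    """Minimal model of the access forwarding device's forwarding decision:
    installed rules are consulted before any packet is forwarded."""

    def __init__(self) -> None:
        self.rules: List[FirstFlowRule] = []

    def install(self, rule: FirstFlowRule) -> None:
        self.rules.append(rule)

    def handle(self, header: Dict[str, object]) -> str:
        for rule in self.rules:
            if rule.matches(header):
                return rule.action + "ped" if rule.action == "drop" else rule.action
        return "forwarded"


# Constructed key information of a flow the policy device has classified as attack traffic.
ATTACK_KEY = {
    "src_aid": "AID-A1", "dst_aid": "AID-V", "src_port": 50001, "dst_port": 80, "proto": "TCP",
    "src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
}

if __name__ == "__main__":
    plane = ForwardingPlane()
    plane.install(rule_from_key_info(ATTACK_KEY))
    print(plane.handle(dict(ATTACK_KEY)))                       # dropped
    print(plane.handle(dict(ATTACK_KEY, src_port=50002)))       # forwarded: different five-tuple
```

Because the rule pins the full five-tuple, a second attack flow from the same source with a new ephemeral port is not caught by the first rule; the policy device would learn it from the next batch of flow summaries and install another rule, which is the per-flow granularity the text describes.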
In one possible implementation, the policy device 122 can also pre-judge attack behavior in the network from the mapping requests sent by the access forwarding devices and, when it predicts that an attack behavior is about to occur, generate a second flow table rule instructing the access forwarding devices not to forward the packets produced by the attack. As shown in Fig. 4, the abnormal access behavior control method further comprises the following steps:
Step 401: successively receive the mapping requests that at least two access forwarding devices send after receiving packets. A mapping request asks for the mapping between the access identifier (AID) in the packet header and the routing identifier (RID) used for routing in the integrated identification network, and for the forwarding path of the packet.
An access forwarding device usually stores the groups of mappings between access identifiers and routing identifiers that it has obtained from the mapping server.
After receiving a packet, the access forwarding device must replace the access identifier in the packet header with the routing identifier used inside the integrated identification network so that the packet can be forwarded there; to do so it looks up the routing identifier corresponding to the packet's access identifier in its stored mappings. If no stored mapping matches the access identifier in the packet, the access forwarding device sends a mapping request to the policy device asking for the mapping between the access identifier in the packet header and the routing identifier used in the integrated identification network.
Correspondingly, the policy device receives the mapping requests sent by each access forwarding device.
It follows that once an access forwarding device has obtained from the policy device the mapping between the destination access identifier of a packet and its routing identifier, it forwards subsequently received packets with the same header directly according to that mapping. In other words, as long as the mapping is stored in the access forwarding device, only one mapping request is sent to the policy device for a given packet header.
Step 402: pre-judge from the mapping requests whether an attack behavior is about to occur in the network.
The policy device's pre-judgment from the mapping requests usually covers at least the following two situations:
In the first situation, it checks whether the destination access identifiers in the mapping requests are identical. If the destination access identifier in every mapping request is the same, it judges that an attack of type DDoS is about to occur in the network.
A DDoS attack typically means multiple attackers attacking the same victim. When the access forwarding devices receive the packets sent by these attackers, the packets are found to carry the same destination access identifier AID but different source access identifiers AID. Therefore, when the destination access identifiers in the mapping requests are all identical, it can be judged that an attack of type DDoS is about to occur in the network.
In the second situation, it checks whether the source access identifiers in the mapping requests are identical. If the source access identifier in every mapping request is the same, it judges that an attack of type DRDoS is about to occur in the network.
In a DRDoS attack, the puppet hosts controlled by the attacker all carry the source AID address of the victim host; that is, the packets sent by these disguised attackers carry the same source AID even though they are sent to different servers. Consequently, when a DRDoS attack occurs and the puppet hosts, distributed across different access networks, send packets whose source AID is all forged as AIDX, the access forwarding devices first need to perform identifier replacement on the forged AID and therefore request the mapping from the policy device; the mapping service sub-module in the policy device can then easily see that the mappings requested by different access forwarding devices all share the same source AID. In other words, when the policy device finds that the source access identifiers in the mapping requests are all identical, it can judge that an attack of type DRDoS is about to occur in the network.
Clearly, when pre-judging from the mapping requests whether an attack is about to occur, the policy device can also apply different criteria tailored to the characteristics of the various attacks; these are not enumerated here.
Step 403: if the pre-judgment from the mapping requests is that an attack behavior is about to occur in the network, generate a second flow table rule that forbids forwarding packets whose header carries this access identifier.
For example, when the key information comprises source AID1, destination AID1, source port 1, destination port 1 and protocol type 1, the second flow table rule generated can indicate that packets whose header comprises source AID1, destination AID1, source port 1, destination port 1 and protocol type 1 are not to be forwarded.
Clearly, for attacks in application scenarios below the network layer, the packets that the second flow table rule forbids forwarding can also be identified by information such as the source MAC address and destination MAC address.
Step 404: send the second flow table rule to each access forwarding device.
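The two pre-judgment situations of step 402 and the second flow table rule of step 403, as an added Python example that is not code from the patent; the MappingRequest and FlowTableRule names, the field names and the sample request windows are assumptions constructed for illustration. The same logic serves steps 513 to 515 of Fig. 5B, where the master controller performs the pre-judgment.

```python
from dataclasses import dataclass

# Added example, not the patent's code. Names and fields are assumptions.


@dataclass(frozen=True)
class MappingRequest:
    """A mapping request as received by the policy device (or master
    controller): which access forwarding device sent it and the source and
    destination access identifiers (AIDs) of the packet header it is for."""
    forwarder: str
    src_aid: str
    dst_aid: str


@dataclass(frozen=True)
class FlowTableRule:
    """Second flow table rule: forbid forwarding packets whose header
    matches the access identifier(s) in `match`."""
    action: str
    match: dict


def prejudge(requests):
    """Step 402: pre-judge from a window of mapping requests whether an
    attack is about to occur. Returns 'DDoS', 'DRDoS' or None.

    The patent requires requests from at least two access forwarding
    devices; a window from a single device is not judged, because one
    device sends only one request per distinct packet header (see the
    note after step 401) and so cannot show a distributed pattern.
    """
    if len({r.forwarder for r in requests}) < 2:
        return None
    src_aids = {r.src_aid for r in requests}
    dst_aids = {r.dst_aid for r in requests}
    # Situation 1: identical destination AID, differing source AIDs ->
    # many attackers converging on one victim: DDoS.
    if len(dst_aids) == 1 and len(src_aids) > 1:
        return "DDoS"
    # Situation 2: identical (spoofed) source AID, differing destinations ->
    # puppet hosts impersonating the victim towards many servers: DRDoS.
    if len(src_aids) == 1 and len(dst_aids) > 1:
        return "DRDoS"
    return None


def second_rule(requests, attack_type):
    """Step 403: build the second flow table rule keyed on the access
    identifier shared by the anticipated attack traffic. Following the
    patent, the rule is keyed on the shared AID only; narrowing it further
    (ports, protocol, the offending source AIDs) is an operator decision
    the patent does not describe."""
    if attack_type == "DDoS":
        return FlowTableRule("drop", {"dst_aid": requests[0].dst_aid})
    if attack_type == "DRDoS":
        return FlowTableRule("drop", {"src_aid": requests[0].src_aid})
    return None


def handle_window(requests):
    """Steps 402-404 for one window: judge, then produce the rule that
    would be sent to every access forwarding device (None if no attack)."""
    attack = prejudge(requests)
    return attack, second_rule(requests, attack)


# Constructed request windows (not captured traffic).
DDOS_WINDOW = [
    MappingRequest("AFU-1", "AID-a1", "AID-victim"),
    MappingRequest("AFU-2", "AID-b7", "AID-victim"),
    MappingRequest("AFU-3", "AID-c3", "AID-victim"),
]
# Every puppet host spoofs the victim's AID (the patent's "AIDX").
DRDOS_WINDOW = [
    MappingRequest("AFU-1", "AID-X", "AID-server1"),
    MappingRequest("AFU-2", "AID-X", "AID-server2"),
    MappingRequest("AFU-3", "AID-X", "AID-server3"),
]
NORMAL_WINDOW = [
    MappingRequest("AFU-1", "AID-a1", "AID-server1"),
    MappingRequest("AFU-2", "AID-b7", "AID-server2"),
]
SINGLE_DEVICE_WINDOW = [
    MappingRequest("AFU-1", "AID-a1", "AID-victim"),
    MappingRequest("AFU-1", "AID-b7", "AID-victim"),
]

if __name__ == "__main__":
    for name, window in [("DDoS", DDOS_WINDOW), ("DRDoS", DRDOS_WINDOW),
                         ("normal", NORMAL_WINDOW), ("single", SINGLE_DEVICE_WINDOW)]:
        print(name, handle_window(window))
```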
In summary, the abnormal access behavior control method provided by this embodiment of the invention pre-judges attack behavior in the network from the mapping requests sent by the access forwarding devices and, when it predicts that an attack is about to occur, generates a second flow table rule instructing the access forwarding devices not to forward the packets produced by the attack, thereby guaranteeing network security.
It should be added that the steps in Fig. 4 can be combined with those of Fig. 2 or Fig. 3 to form different embodiments; the invention does not limit the embodiments that can be formed by combining the steps of Fig. 2, Fig. 3 and Fig. 4.
In one possible implementation scenario, Figs. 2, 3 and 4 above are described with the policy device 122 as a single device. In practice the policy device 122 can also be a cluster of two or more devices; below, the process of abnormal access behavior control is described for a policy device 122 that comprises a security center device 122a and a master controller 122b. See the description of Fig. 5A and Fig. 5B.
Fig. 5A is a flow chart of the abnormal access behavior control method provided in another embodiment of the invention. The method comprises:
Step 501: the access forwarding device receives the packets of a user's access and splits them into flows, where the packets in each flow have identical key information.
In general, the access forwarding device can receive the packets sent by the SGSN in the access network; these packets are normally sent by a mobile terminal connected to the SGSN when it accesses the network.
The key information is generally located in the packet header, so the access forwarding device can extract it from the header of each packet.
Specifically, the access forwarding device can group the packets obtained within a unit of time by their attributes, and the packets with the same attributes (that is, the same key information) form one flow. The number of packets corresponding to each flow is therefore not fixed.
In general, besides the corresponding key information, each piece of flow summary information can also include the time at which the first packet of the flow was received, the time at which the last packet was received, and the number of bytes occupied by the packets.
Step 502: for each flow, the access forwarding device packages the key information corresponding to that flow into flow summary information according to the flow template.
As described for step 201, after receiving packets the access forwarding device usually extracts the key information from the received packet headers and sends the extracted key information to the security center device, so that the security center device can learn whether the packets were produced by an attack.
Optionally, to reduce the amount of communication between the access forwarding device and the security center device and so reduce bandwidth usage, the key information corresponding to multiple packets can be merged. Specifically, the access forwarding device can split the packets obtained within a unit of time into flows by their attributes, with the packets sharing the same attributes (that is, the same key information) forming one flow, and for each flow package the corresponding key information into one piece of flow summary information according to the flow template. The number of packets corresponding to each flow is therefore not fixed.
In general, besides the corresponding key information, each piece of flow summary information can also include parameters such as the time the first packet of the flow was received, the time the last packet was received, and the bytes occupied by the packets.
Step 503: the access forwarding device sends the flow summary information and the flow template to the security center device.
Step 504: the security center device receives the flow summary information and flow template sent by the access point.
Step 505: the security center device extracts the key information from each piece of flow summary information and stores the extracted key information as a flow summary record.
Step 506: the security center device performs entropy quantification on the predetermined flow summary records to obtain an entropy vector, and inputs the entropy vector into the classification model to obtain the classified access behavior type.
The access behavior type can be normal access behavior or attack access behavior, where attack access behavior is DoS attack behavior, DDoS attack behavior or DRDoS attack behavior.
Step 507: the security center device sends the obtained access behavior type and the key information from the flow summary information to the master controller.
Step 508: the master controller generates a first flow table rule according to the access behavior type and the key information.
The first flow table rule indicates that packets whose header carries this key information are not to be forwarded.
Step 509: the master controller sends the first flow table rule to the access forwarding device, which then refuses to forward the packets that the first flow table rule restricts.
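Steps 501 to 509 end to end, as an added Python example that is not the patent's code: flow aggregation on the access forwarding device, the entropy vector of step 506, a classifier, and the first flow table rule of step 508. The patent does not specify its classification model, so the threshold-based classify() is a stand-in assumption, as are the Packet and FlowSummary names and the constructed packet samples.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Added example, not the patent's code. Class names, the classify()
# thresholds and the sample packets are assumptions for illustration.

KEY_FIELDS = ("src_aid", "dst_aid", "src_port", "dst_port", "proto")

@dataclass(frozen=True)
class Packet:
    ts: float       # receive time in seconds
    src_aid: str    # source access identifier (AID)
    dst_aid: str    # destination access identifier (AID)
    src_port: int
    dst_port: int
    proto: str
    size: int       # bytes on the wire

    def key(self):
        """Key information of step 501: the five header fields."""
        return (self.src_aid, self.dst_aid, self.src_port, self.dst_port, self.proto)

@dataclass
class FlowSummary:
    """Flow summary information of step 502: key information plus the
    first/last receive time and the bytes of the flow's packets."""
    key: tuple
    first_ts: float
    last_ts: float
    packets: int
    total_bytes: int

def aggregate_flows(packets):
    """Steps 501-502: packets of one unit of time with identical key information form one flow."""
    flows = {}
    for p in packets:
        f = flows.get(p.key())
        if f is None:
            flows[p.key()] = FlowSummary(p.key(), p.ts, p.ts, 1, p.size)
        else:
            f.first_ts, f.last_ts = min(f.first_ts, p.ts), max(f.last_ts, p.ts)
            f.packets += 1
            f.total_bytes += p.size
    return list(flows.values())

def normalised_entropy(values):
    """Shannon entropy of a multiset scaled to [0, 1] by log2 of its size,
    so windows holding different numbers of flows stay comparable."""
    counts = Counter(values)
    n = sum(counts.values())
    if n <= 1 or len(counts) == 1:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)

def entropy_vector(records):
    """Step 506, first half: one entropy per key field over the stored flow summary records."""
    return tuple(normalised_entropy([r.key[i] for r in records])
                 for i in range(len(KEY_FIELDS)))

def classify(vec, low=0.3, high=0.7):
    """Step 506, second half. The patent does not specify its classification
    model; this threshold rule is a stand-in assumption that reads the AID
    entropies the way step 402 reads mapping requests."""
    src_h, dst_h, sport_h = vec[0], vec[1], vec[2]
    if dst_h <= low and src_h >= high:
        return "DDoS"    # many sources converge on one destination
    if src_h <= low and dst_h >= high:
        return "DRDoS"   # one (spoofed) source fans out to many destinations
    if src_h <= low and dst_h <= low and sport_h >= high:
        return "DoS"     # one source, one destination, many source ports
    return "normal"

def first_rules(records, behaviour):
    """Step 508: for an attack, one first flow table rule per flow summary
    record, forbidding packets whose header carries that record's key information."""
    if behaviour == "normal":
        return []
    return [{"action": "drop", "match": dict(zip(KEY_FIELDS, r.key))}
            for r in records]

def sample_ddos_packets():
    """Constructed window: seven sources flood AID-victim:80; the first
    source sends twice so that aggregation merges its two packets."""
    pkts = [Packet(1.0 + i, f"AID-src{i}", "AID-victim", 40000 + i, 80, "tcp", 60)
            for i in range(7)]
    pkts.append(Packet(9.0, "AID-src0", "AID-victim", 40000, 80, "tcp", 60))
    return pkts

def sample_normal_packets():
    """Constructed window: four unrelated client/server pairs."""
    return [Packet(1.0 + i, f"AID-c{i}", f"AID-s{i}", 50000 + i, 443, "tcp", 500)
            for i in range(4)]

def run_window(packets):
    """Steps 501-508 end to end for one window of packets."""
    flows = aggregate_flows(packets)
    behaviour = classify(entropy_vector(flows))
    return behaviour, first_rules(flows, behaviour)
```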
In summary, the abnormal access behavior control method provided by this embodiment of the invention obtains the characteristic information of the packets when a user accesses the network and determines from it whether the user's access behavior is an abnormal access behavior; if it is, the user's credit value is lowered according to the adjustment mode corresponding to that abnormal access behavior. Because the user's credit value can be adjusted in real time according to the user's abnormal access behavior, the user's access level can be determined and the user can then be provided with the service matching that access level, which solves the prior-art problem that service management is limited to providing the user with a relevant service; the effect is that the user's latest access level is determined in real time and the security of the user's access is guaranteed.
In one possible implementation, the policy device 122 can also pre-judge attack behavior in the network from the mapping requests sent by the access forwarding devices and, when it predicts that an attack behavior is about to occur, generate a second flow table rule instructing the access forwarding devices not to forward the packets produced by the attack. As shown in Fig. 5B, the abnormal access behavior control method can further comprise:
Step 510: the access forwarding device receives a packet.
Step 511: when the access forwarding device finds that it does not store the mapping for the access identifier in this packet, it sends a mapping request to the master controller.
The mapping request asks for the mapping between the access identifier in the packet header and the routing identifier used for routing in the integrated identification network, and for the forwarding path of the packet.
Step 512: the master controller successively receives the mapping requests that at least two access forwarding devices send after receiving packets.
The mapping request asks for the mapping between the access identifier in the packet header and the routing identifier used for routing in the integrated identification network, and for the forwarding path of the packet.
Optionally, when the policy device 122 is independent of the mapping server 123, the mapping and forwarding path referred to here are obtained by requesting them from the mapping server 123; when the policy device 122 contains the mapping server 123, they can be read directly from the mapping server 123.
Step 513: the master controller pre-judges from the mapping requests whether an attack behavior is about to occur in the network.
See the implementation of step 402 for details; it is not repeated here.
Step 514: if the pre-judgment from the mapping requests is that an attack behavior is about to occur in the network, the master controller generates a second flow table rule that forbids forwarding packets whose header carries this access identifier.
Step 515: the master controller sends the second flow table rule to each access forwarding device.
In summary, the abnormal access behavior control method provided in this embodiment of the invention pre-judges attack behavior in the network from the mapping requests sent by the access forwarding devices and, when it predicts that an attack is about to occur, generates a second flow table rule instructing the access forwarding devices not to forward the packets produced by the attack, thereby guaranteeing network security.
It should be added that, for attacks that require high-resolution analysis, the security center device can, through the master controller, collect the network packets of a fixed time window and pass them to a high-resolution analysis application in the security center device for further deep packet analysis; it finally determines the attack type and defense measure from the analysis result and feeds the analyzed attack type and defense measure back to the master controller. The master controller generates the corresponding flow table rule according to the attack type and defense measure and issues the rule to the access forwarding devices to restrict the attack behavior in the network.
Fig. 6 is a structural diagram of the abnormal access behavior control device provided in one embodiment of the invention. The device can be applied in the authentication server of an integrated identification network and comprises a first receiving module 610, a determination module 620, a first generation module 630 and a first sending module 640.
The first receiving module 610 receives the flow summary information sent by at least one access forwarding device; the flow summary information is obtained after the access forwarding device splits the received packets into flows and adds the key information corresponding to any one flow into the flow template, where the packets in each flow have identical key information.
The determination module 620 uses the at least one piece of flow summary information received by the first receiving module 610 to determine whether an attack behavior exists in the network.
The first generation module 630, when the determination module 620 determines that an attack behavior exists in the network, generates a first flow table rule according to the flow summary information; the first flow table rule indicates that packets whose header carries the key information in the flow summary information are not to be forwarded.
The first sending module 640 sends the first flow table rule generated by the first generation module 630 to the access forwarding device, which then refuses to forward the packets that the first flow table rule restricts.
The key information comprises the source access identifier, destination access identifier, source port number, destination port number and protocol type.
In one possible implementation, as shown in Fig. 7, the determination module 620 comprises an extraction unit 622, a quantification unit 623 and a classification unit 624.
The extraction unit 622 extracts the key information from the flow summary information and stores the extracted key information as a flow summary record.
The quantification unit 623 performs entropy quantification on the predetermined flow summary records extracted by the extraction unit 622 to obtain an entropy vector.
The classification unit 624 inputs the entropy vector obtained by the quantification unit 623 into the classification model to obtain the classified access behavior type; the access behavior type is normal access behavior or attack access behavior, and attack access behavior is denial of service (DoS) attack behavior, distributed denial of service (DDoS) attack behavior or distributed reflection denial of service (DRDoS) attack behavior.
In one possible implementation, the first generation module 630 is further configured to:
generate, according to the key information in the flow summary information, the first flow table rule indicating that packets whose header carries that key information are not to be forwarded.
In one possible implementation, as shown in Fig. 8, the abnormal access behavior control device further comprises a second receiving module 650, a pre-judgment module 660, a second generation module 670 and a second sending module 680.
The second receiving module 650 successively receives the mapping requests that at least two access forwarding devices send after receiving packets; the mapping request asks for the mapping between the access identifier in the packet header and the routing identifier used for routing in the integrated identification network, and for the forwarding path of the packet.
The pre-judgment module 660 pre-judges, from the mapping requests received by the second receiving module 650, whether an attack behavior is about to occur in the network.
The second generation module 670, when the pre-judgment module 660 pre-judges from the mapping requests that an attack behavior is about to occur in the network, generates a second flow table rule that forbids forwarding packets whose header carries the access identifier.
The second sending module 680 sends the second flow table rule generated by the second generation module 670 to each access forwarding device.
In one possible implementation, still as shown in Fig. 8, the pre-judgment module 660 comprises a first judging unit 661 or a second judging unit 662.
The first judging unit 661 checks whether the destination access identifiers in the mapping requests received by the second receiving module 650 are identical and, if the destination access identifier in every mapping request is the same, judges that an attack of type DDoS is about to occur in the network;
or,
the second judging unit 662 checks whether the source access identifiers in the mapping requests received by the second receiving module 650 are identical and, if the source access identifier in every mapping request is the same, judges that an attack of type DRDoS is about to occur in the network.
In summary, the abnormal access behavior control device provided by this embodiment of the invention obtains the characteristic information of the packets when a user accesses the network and determines from it whether the user's access behavior is an abnormal access behavior; if it is, the user's credit value is lowered according to the adjustment mode corresponding to that abnormal access behavior. Because the user's credit value can be adjusted in real time according to the user's abnormal access behavior, the user's access level can be determined and the user can then be provided with the service matching that access level, which solves the prior-art problem that service management is limited to providing the user with a relevant service; the effect is that the user's latest access level is determined in real time and the security of the user's access is guaranteed.
In addition, the abnormal access behavior control device provided by this embodiment of the invention pre-judges attack behavior in the network from the mapping requests sent by the access forwarding devices and, when it predicts that an attack is about to occur, generates a second flow table rule instructing the access forwarding devices not to forward the packets produced by the attack, thereby guaranteeing network security.
It should be added that the division into modules and units in Figs. 6, 7 and 8 is not limiting; in practice, all or part of these modules or units can be combined or merged in any way according to actual needs, and all or part of them can also be split.
It should be noted that when the abnormal access behavior control device provided in the above embodiments controls the abnormal behavior of a user's access, the division into the functional modules described above is only illustrative; in practice the functions can be assigned as needed to different functional modules, that is, the internal structure of the policy device in the integrated identification network can be divided into different functional modules to complete all or part of the functions described above. In addition, the abnormal access behavior control device provided in the above embodiments belongs to the same concept as the abnormal access behavior analysis control method embodiment; see the method embodiment for its specific implementation process, which is not repeated here.
The sequence numbers of the above embodiments of the invention are for description only and do not represent the merits of the embodiments.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The foregoing are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. An abnormal access behavior control method, characterized in that the method comprises:
receiving the flow summary information sent by at least one access forwarding device, the flow summary information being obtained after the access forwarding device splits the received packets into flows and adds the key information corresponding to any one flow into a flow template, where the packets in each flow have identical key information;
using the at least one piece of flow summary information received to determine whether an attack behavior exists in the network;
if it is determined that an attack behavior exists in the network, generating a first flow table rule according to the flow summary information, the first flow table rule indicating that packets whose header carries the key information in the flow summary information are not to be forwarded;
sending the first flow table rule to the access forwarding device so that the access forwarding device refuses to forward the packets restricted by the first flow table rule;
wherein the key information comprises a source access identifier, a destination access identifier, a source port number, a destination port number and a protocol type.
2. The method according to claim 1, characterized in that using the at least one piece of flow summary information received to determine whether an attack behavior exists in the network comprises:
extracting the key information from the flow summary information and storing the extracted key information as a flow summary record;
performing entropy quantification on the predetermined flow summary records to obtain an entropy vector;
inputting the obtained entropy vector into a classification model to obtain the classified access behavior type, the access behavior type being normal access behavior or attack access behavior, and the attack access behavior being denial of service (DoS) attack behavior, distributed denial of service (DDoS) attack behavior or distributed reflection denial of service (DRDoS) attack behavior.
3. The method according to claim 1, characterized in that generating the first flow table rule according to the flow summary information comprises:
generating, according to the key information in the flow summary information, the first flow table rule indicating that packets whose header carries the key information are not to be forwarded.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
successively receiving the mapping requests that at least two access forwarding devices send after receiving packets, the mapping request being used to request the mapping between the access identifier in the packet header and the routing identifier used for routing in the integrated identification network, and the forwarding path of the packet;
pre-judging from the mapping requests whether an attack behavior is about to occur in the network;
if it is pre-judged from the mapping requests that an attack behavior is about to occur in the network, generating a second flow table rule that forbids forwarding packets whose header carries the access identifier;
sending the second flow table rule to each access forwarding device.
5. The method according to claim 4, characterized in that pre-judging from the mapping requests whether an attack behavior is about to occur in the network comprises:
detecting whether the destination access identifiers in the mapping requests are identical and, if the destination access identifier in every mapping request is the same, judging that an attack of type DDoS is about to occur in the network;
or,
detecting whether the source access identifiers in the mapping requests are identical and, if the source access identifier in every mapping request is the same, judging that an attack of type DRDoS is about to occur in the network.
6. An abnormal access behavior control device, characterized in that the device comprises:
a first receiving module for receiving the flow summary information sent by at least one access forwarding device, the flow summary information being obtained after the access forwarding device splits the received packets into flows and adds the key information corresponding to any one flow into a flow template, where the packets in each flow have identical key information;
a determination module for using the at least one piece of flow summary information received by the first receiving module to determine whether an attack behavior exists in the network;
a first generation module for generating, when the determination module determines that an attack behavior exists in the network, a first flow table rule according to the flow summary information, the first flow table rule indicating that packets whose header carries the key information in the flow summary information are not to be forwarded;
a first sending module for sending the first flow table rule generated by the first generation module to the access forwarding device so that the access forwarding device refuses to forward the packets restricted by the first flow table rule;
wherein the key information comprises a source access identifier, a destination access identifier, a source port number, a destination port number and a protocol type.
7. The device according to claim 6, characterized in that the determination module comprises:
an extraction unit for extracting the key information from the flow summary information and storing the extracted key information as a flow summary record;
a quantification unit for performing entropy quantification on the predetermined flow summary records to obtain an entropy vector;
a classification unit for inputting the entropy vector obtained by the quantification unit into a classification model to obtain the classified access behavior type, the access behavior type being normal access behavior or attack access behavior, and the attack access behavior being denial of service (DoS) attack behavior, distributed denial of service (DDoS) attack behavior or distributed reflection denial of service (DRDoS) attack behavior.
8. The device according to claim 6, characterized in that the first generation module is further configured to:
generate, according to the key information in the flow summary information, the first flow table rule indicating that packets whose header carries the key information are not to be forwarded.
9. The device according to any one of claims 6 to 8, characterized in that the device further comprises:
a second receiving module for successively receiving the mapping requests that at least two access forwarding devices send after receiving packets, the mapping request being used to request the mapping between the access identifier in the packet header and the routing identifier used for routing in the integrated identification network, and the forwarding path of the packet;
a pre-judgment module for pre-judging, from the mapping requests received by the second receiving module, whether an attack behavior is about to occur in the network;
a second generation module for generating, when the pre-judgment module pre-judges from the mapping requests that an attack behavior is about to occur in the network, a second flow table rule that forbids forwarding packets whose header carries the access identifier;
a second sending module for sending the second flow table rule generated by the second generation module to each access forwarding device.
10. The device according to claim 9, characterized in that the pre-judgment module comprises:
a first judging unit for detecting whether the destination access identifiers in the mapping requests received by the second receiving module are identical and, if the destination access identifier in every mapping request is the same, judging that an attack of type DDoS is about to occur in the network;
or,
a second judging unit for detecting whether the source access identifiers in the mapping requests received by the second receiving module are identical and, if the source access identifier in every mapping request is the same, judging that an attack of type DRDoS is about to occur in the network.
CN201510236254.8A 2015-05-11 2015-05-11 Method and device for controlling abnormal access behaviors Pending CN104883362A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510236254.8A CN104883362A (en) 2015-05-11 2015-05-11 Method and device for controlling abnormal access behaviors


Publications (1)

Publication Number Publication Date
CN104883362A true CN104883362A (en) 2015-09-02

Family

ID=53950696


Country Status (1)

Country Link
CN (1) CN104883362A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357434A (en) * 2016-08-30 2017-01-25 国家电网公司 Detection method, based on entropy analysis, of traffic abnormity of smart grid communication network
CN106411872A (en) * 2016-09-21 2017-02-15 杭州迪普科技有限公司 Method and device for compressing messages based on data message classification
CN109362235A (en) * 2016-05-29 2019-02-19 微软技术许可有限责任公司 Classify to the affairs at network accessible storage device
WO2021244449A1 (en) * 2020-05-30 2021-12-09 华为技术有限公司 Data processing method and apparatus
CN115150278A (en) * 2021-03-29 2022-10-04 迈络思科技有限公司 Using a Data Processing Unit (DPU) as a preprocessor for Graphics Processing Unit (GPU) based machine learning

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7712134B1 (en) * 2006-01-06 2010-05-04 Narus, Inc. Method and apparatus for worm detection and containment in the internet core
CN102447707A (en) * 2011-12-30 2012-05-09 北京交通大学 DDoS (Distributed Denial of Service) detection and response method based on mapping request
CN103095701A (en) * 2013-01-11 2013-05-08 中兴通讯股份有限公司 Open flow table security enhancement method and device
CN103281336A (en) * 2013-06-19 2013-09-04 上海众恒信息产业股份有限公司 Network intrusion detection method
CN104468624A (en) * 2014-12-22 2015-03-25 上海斐讯数据通信技术有限公司 SDN controller, routing/switching device and network defending method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
杭静文: "Research and Implementation of Traffic Anomaly Monitoring Technology for the Integrated Identifier Network", China Master's Theses Full-text Database, Information Science and Technology series *
梁洋洋: "Visual C++ Hacker Programming: Secrets Revealed and Defenses", 31 July 2009 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109362235A (en) * 2016-05-29 2019-02-19 微软技术许可有限责任公司 Classifying transactions at a network-accessible storage device
CN109362235B (en) * 2016-05-29 2021-10-26 微软技术许可有限责任公司 Method of classifying transactions at a network accessible storage device
CN106357434A (en) * 2016-08-30 2017-01-25 国家电网公司 Detection method, based on entropy analysis, of traffic abnormity of smart grid communication network
CN106411872A (en) * 2016-09-21 2017-02-15 杭州迪普科技有限公司 Method and device for compressing messages based on data message classification
WO2021244449A1 (en) * 2020-05-30 2021-12-09 华为技术有限公司 Data processing method and apparatus
CN115150278A (en) * 2021-03-29 2022-10-04 迈络思科技有限公司 Using a Data Processing Unit (DPU) as a preprocessor for Graphics Processing Unit (GPU) based machine learning

Similar Documents

Publication Publication Date Title
CN101175078B (en) Identification of potential network threats using a distributed threshold random walk
CN107231384B (en) DDoS attack detection and defense method and system for 5g network slices
Ganesh Kumar et al. Improved network traffic by attacking denial of service to protect resource using Z-test based 4-tier geomark traceback (Z4TGT)
CN104883362A (en) Method and device for controlling abnormal access behaviors
CN108282497A (en) DDoS attack detection method for SDN control planes
CN104618377B (en) Botnet detecting system and detection method based on NetFlow
CN104883363A (en) Method and device for analyzing abnormal access behaviors
US20130294449A1 (en) Efficient application recognition in network traffic
CN108521408A (en) Resist method of network attack, device, computer equipment and storage medium
CN109120602B (en) IPv6 attack tracing method
US9894074B2 (en) Method and system for extracting access control list
CN109327426A (en) A firewall attack defense method
CN106357685A (en) Method and device for defending distributed denial of service attack
US10623278B2 (en) Reactive mechanism for in-situ operation, administration, and maintenance traffic
CN112615854B (en) Terminal access control method, device, access server and storage medium
CN101577645B (en) Method and device for detecting counterfeit network equipment
CN108833430B (en) Topology protection method of software defined network
CN110213254A (en) Method and apparatus for identifying forged Internet Protocol (IP) packets
CN109347889A (en) A mixed-type DDoS attack detection method for software defined networks
CN108632267A (en) A topology pollution attack defense method and system
CN1152517C (en) Method of guarding against network attacks
CN117040943B (en) Cloud network endogenous security defense method and device based on IPv6 address driving
Tahmasebi et al. A novel feature-based DDoS detection and mitigation scheme in SDN controller using queueing theory
CN111600929B (en) Transmission line detection method, routing strategy generation method and proxy server
CN112615851A (en) Boundary router combining multiple safety inspection mechanisms under CoLoR architecture

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2015-09-02