CN105429974B - An SDN-oriented intrusion prevention system and method - Google Patents

An SDN-oriented intrusion prevention system and method


Publication number: CN105429974B
Authority: CN (China)
Prior art keywords: intrusion prevention, controller, module, prevention system, detection
Legal status: Active
Application number: CN201510763337.2A
Other languages: Chinese (zh)
Other versions: CN105429974A
Inventors: 杨涛, 杨一涛, 贾雪松, 李华康, 孙国梓, 任丹妮
Current assignee: Nanjing Post and Telecommunication University
Original assignee: Nanjing Post and Telecommunication University
Priority date: 2015-11-10
Filing date: 2015-11-10
Publication date: 2016-03-23 (application CN105429974A); granted 2018-09-11 (CN105429974B)


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network architectures or protocols for separating internal from external traffic, e.g. firewalls
    • H04L 49/00: Packet switching elements
    • H04L 49/15: Interconnection of switching modules


Abstract

The invention discloses an SDN-oriented intrusion prevention system and method. The system is deployed on the controllers of an SDN network: the instance on each controller is responsible for monitoring several switches, and each switch can be monitored by several intrusion prevention instances. A master intrusion prevention system directs multiple slave intrusion prevention systems so that the whole network is monitored. The system consists of an intrusion prevention controller module, a detection module and a fragmenter module. The intrusion prevention controller works together with the decision device inside the detection module to provide fine-grained intrusion prevention. The invention allows the intrusion prevention system to be deployed flexibly rather than at a fixed position, which lowers deployment cost; multiple intrusion prevention systems cooperate, which raises their overall utilisation; and the detection method is accurate and efficient, protecting the network without causing congestion. It therefore has broad technical and market application value.

Description

An SDN-oriented intrusion prevention system and method
Technical field
The present invention relates to an SDN-oriented intrusion prevention system and method, and belongs to the field of computer networks and information security.
Technical background
With the rapid development of computers and the spread of networks, threats from both outside and inside the network keep growing, and network security has become a critical issue in computer networking. To protect computers and the Internet, firewall technology was introduced into computer networks. A firewall has strong protective capability against known internal and external network behaviour, but its ability to block unknown attacks is insufficient and it cannot provide effective dynamic protection. Intrusion detection systems, as a complement to firewalls, can recognise abnormal network behaviour immediately and provide fast, dynamic security detection.
An intrusion prevention system (IPS) is a network security device built on intrusion detection. It combines dynamic intrusion detection with real-time threat prevention and offers stronger protection, but it also has drawbacks. First, in a traditional network an IPS protecting the internal network is generally deployed in "single-point detection" mode, that is, at the ingress/egress of the network environment; its position is fixed and it cannot adapt to rapid expansion or changes in network topology. Second, the volume of data to be processed differs between network positions and between time periods, and multiple IPSs that are not connected to one another cannot cooperate effectively. Third, IPS equipment is expensive, so deploying it effectively and reasonably is itself a problem. With the development of software defined networking (SDN), the detection and defence capabilities of IPSs face an even greater test in the new network architecture.
Software Defined Networking (SDN) is a new network architecture proposed by the Clean Slate research group at Stanford University. Its core idea is to separate the control plane of network devices from the data plane so that network traffic can be controlled centrally, providing a good platform for innovation in core networks and applications. In this new environment, centralised control brings convenience but also a great deal of insecurity: the attacker's targets become more concentrated, which lowers the difficulty of an attack, and a single successful intrusion can cause a "single point of failure" that brings the network down. The present invention addresses these problems.
Invention content
The aim of the present invention is to solve the problems of non-dynamic detection, the low efficiency of integrated "single-point detection" systems and high cost, by proposing an SDN-oriented intrusion prevention system and method. The method exploits the centralised control of SDN: the intrusion prevention system is deployed on the SDN controller and, together with virtualisation technology, improves network intrusion prevention and defence capability, realising a flexible intrusion prevention scheme in an SDN environment. The model of the invention processes all information passing through the switches by fragmentation, dynamically hands the fragments to detection nodes and, combined with the controller's policy, realises the intrusion prevention function.
The technical scheme adopted by the invention to solve the technical problem is as follows. The system of the invention comprises three modules: a fragmenter module, a detection module and an intrusion prevention controller module.
The fragmenter module acts as a transparent proxy between the switches and the detection module: it divides the large volume of data arriving from the switches into several slices according to a fragmentation rule and sends them to the detection module.
The detection module generates a number of detection nodes equal to the number of traffic slices produced by the fragmenter. Each detection node consists of three parts: a collector, an analyser and a decision device. The collector collects, organises and records the received packets. The analyser analyses and inspects packets. The decision device issues the corresponding policy according to the analyser's result.
The intrusion prevention controller module coordinates the detection module and the fragmenter module inside the intrusion prevention system with the external higher-level controller applications and the switches.
The invention also provides an implementation method for the SDN-oriented intrusion prevention system, comprising the following steps:
Step 1: Traffic reaches a switch; the intrusion prevention controller causes all traffic (including flow-table traffic) to be forwarded to the intrusion prevention system;
Step 2: The fragmenter fragments the received data according to the fragmentation strategy, producing several slices (N of them);
Step 3: The intrusion prevention controller instructs the detection module to generate the corresponding number, N, of detection nodes;
Step 4: The collector records summary information about the packets received by its detection node;
Step 5: The analyser inspects the data, decides whether it is suspicious traffic, malicious traffic or normal traffic, and reports the result to the decision device;
Step 6: If the analyser's result is normal traffic, the decision device passes the packet to the higher-level controller for further processing;
Step 7: If the analyser's result is malicious traffic, the decision device notifies the intrusion prevention controller to discard it;
Step 8: If the analyser's result is suspicious traffic, the decision device marks it as suspicious and increments its mark count by one;
Step 9: If the decision device finds that the mark count has not reached the threshold, it forwards the packet to the higher-level controller;
Step 10: If the decision device finds that the mark count has reached the threshold, it still forwards the packet to the higher-level controller;
Step 11: The decision device notifies the intrusion prevention controller to apply QoS to the traffic whose mark count has reached the threshold;
Step 12: The higher-level controller processes the non-malicious traffic;
Step 13: The switch forwards traffic according to the processing result.
Advantageous effects:
1. Flexible deployment. The intrusion prevention system of the invention need not be fixed at the network's ingress/egress interface; it only has to be deployed on the controller, which is convenient and flexible.
2. Low cost. Unlike the traditional scheme, the invention does not require one intrusion prevention system per switch; several switches can share one intrusion prevention system, reducing equipment deployment cost.
3. Low interference. Fragmentation raises data processing speed, so the impact on ordinary data forwarding is small and normal traffic forwarding is preserved.
4. Accuracy. Detection techniques such as DPI together with a complete malicious-traffic feature table ensure the accuracy of the intrusion prevention system.
Description of the drawings
Fig. 1 is the architecture diagram of the intrusion prevention system of the invention in an SDN environment.
Fig. 2 is the internal structure diagram of the system of the invention.
Fig. 3 is the flow chart of the method of the invention.
Specific implementation mode
The invention is described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1, the intrusion prevention system proposed by the invention is deployed on the controllers in the SDN environment. Because each switch is connected to multiple controllers, the intrusion prevention system on one controller is responsible for monitoring several switches, and each switch can be monitored by multiple intrusion prevention systems. At any one time there is one master intrusion prevention system and several slave intrusion prevention systems. Initially, the intrusion prevention system on the master controller is the master and the intrusion prevention systems on the slave controllers are the slaves.
As shown in Fig. 2, the internal structure of the system comprises three modules: the fragmenter module, the detection module and the intrusion prevention controller module.
The fragmenter module acts as a transparent proxy between the switches and the detection module. By dividing the large volume of data on the switches into several slices according to a fragmentation rule before inspection and analysis, it resolves the conflict between large data volumes and fast detection. In the invention the fragmentation rule may be defined as the tuple (switch port, source/destination IP address, IP protocol, source/destination UDP or TCP port).
The detection module inspects traffic with a large number of detection nodes. It generates as many detection nodes as there are traffic slices produced by the fragmenter. Each detection node consists of three parts: a collector, an analyser and a decision device.
The collector collects and organises the received packets in preparation for further analysis;
The analyser analyses and inspects packets, using techniques such as high-speed DPI and flow-level detection, to judge whether a packet is malicious traffic, suspicious traffic or normal traffic; after judging the traffic it sends the result to the decision device.
The decision device has the permission to modify the switches' forwarding policy. For malicious traffic it instructs the switch not to forward but to discard directly; suspicious and normal traffic are recorded and then passed to the higher-level controller applications for further processing. When the suspicious-traffic count reaches a certain threshold, the corresponding QoS policy is executed to rate-limit that traffic.
The intrusion prevention controller module mainly coordinates the detection module and the fragmenter module inside the intrusion prevention system with the external higher-level controller applications, the switches and so on. Its work includes the following. The intrusion prevention controller modifies flow entries so that the packets passing through every switch are all sent to the intrusion prevention system for inspection. It combines parameters such as the bandwidth of the data flows on the switches and the load of the detection module to formulate the fragmentation strategy, and controls the fragmenter module to fragment the traffic. When the data flow is divided into N slices, it instructs the detection module to generate N detection nodes. It receives the analysis results of the detection module and performs different operations on different types of traffic. Non-malicious traffic it forwards to the higher-level controller applications so that it is forwarded normally.
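The fragmentation rule above and the controller's bandwidth- and load-driven fragmentation strategy, as an added Python example (not the patent's code). It goes beyond the page in three assumed ways: the slice is chosen by a keyed hash so that an attacker who knows the rule cannot steer every flow onto one detection node; N is derived by an assumed formula from switch bandwidth and per-node capacity, which the patent says the controller considers but does not quantify; and an optional symmetric mode keeps both directions of a connection on one node. PacketMeta, plan_slices and Fragmenter are hypothetical names and the sample packets are constructed.

```python
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PacketMeta:
    """Header fields the patent's fragmentation rule keys on (hypothetical type)."""
    switch_port: int
    src_ip: str
    dst_ip: str
    ip_proto: int        # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


def plan_slices(bandwidth_mbps: float, node_capacity_mbps: float, max_nodes: int) -> int:
    """Fragmentation strategy: enough slices that no detection node is offered more
    than its capacity, capped by the nodes the detection module can spawn.
    Assumed formula: the patent only says bandwidth and node load are considered."""
    if bandwidth_mbps <= 0:
        return 1
    return max(1, min(max_nodes, math.ceil(bandwidth_mbps / node_capacity_mbps)))


class Fragmenter:
    """Maps each packet to one of N slices; slice i is fed to detection node i."""

    def __init__(self, n_slices: int, key: Optional[bytes] = None, symmetric: bool = False):
        if n_slices < 1:
            raise ValueError("need at least one slice")
        self.n = n_slices
        # Keyed hash (assumed hardening): an attacker who knows the rule cannot choose
        # header values that collide onto one node and leave the others idle.
        self.key = key if key is not None else os.urandom(16)
        # The patent's tuple includes the ingress switch port and ordered src/dst, so
        # the two directions of one TCP connection land on different nodes.
        # symmetric=True drops the port and sorts the endpoints so that flow-level
        # detection sees both directions on one node (added design choice).
        self.symmetric = symmetric

    def flow_key(self, p: PacketMeta) -> bytes:
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        if self.symmetric:
            if a > b:
                a, b = b, a
            fields = [a[0], str(a[1]), b[0], str(b[1]), str(p.ip_proto)]
        else:
            fields = [str(p.switch_port), a[0], str(a[1]), b[0], str(b[1]), str(p.ip_proto)]
        return "|".join(fields).encode()

    def slice_for(self, p: PacketMeta) -> int:
        digest = hashlib.blake2b(self.flow_key(p), key=self.key, digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.n

    def distribute(self, packets: Iterable[PacketMeta]) -> Counter:
        """How many packets each detection node would receive for this batch."""
        return Counter(self.slice_for(p) for p in packets)


# Constructed sample traffic (not captured data): one TCP connection seen in both
# directions on one switch, plus a DNS query.
SAMPLE = [
    PacketMeta(1, "10.0.0.5", "10.0.0.9", 6, 40000, 80),    # client -> server
    PacketMeta(2, "10.0.0.9", "10.0.0.5", 6, 80, 40000),    # server -> client
    PacketMeta(1, "10.0.0.5", "10.0.0.53", 17, 5353, 53),   # DNS query
]

if __name__ == "__main__":
    n = plan_slices(bandwidth_mbps=900, node_capacity_mbps=200, max_nodes=8)
    frag = Fragmenter(n, symmetric=True)
    for p in SAMPLE:
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} slice {frag.slice_for(p)}")
    print("per-node load:", dict(frag.distribute(SAMPLE)))
```

Two points a deployer should check against the patent's rule as written. Keying on the ingress switch port and the ordered source/destination pair splits a connection's request and reply across two detection nodes, so the flow-level detection the analyser is said to perform cannot see a whole session; the symmetric mode here is one fix. And an unkeyed hash of header fields lets an attacker who controls source ports pick values that all map to one node, which is a cheap way to overload a single detection node while the others sit idle.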
As shown in Fig. 3, the invention also provides an implementation method for the SDN-oriented intrusion prevention system, comprising the following steps:
Step 1: Traffic reaches a switch; the intrusion prevention controller causes all traffic (including flow-table traffic) to be forwarded to the intrusion prevention system;
Step 2: The fragmenter fragments the received data according to the fragmentation strategy, producing several slices (N of them);
Step 3: The intrusion prevention controller instructs the detection module to generate the corresponding number, N, of detection nodes;
Step 4: The collector records summary information about the packets received by its detection node;
Step 5: The analyser inspects the data, decides whether it is suspicious traffic, malicious traffic or normal traffic, and reports the result to the decision device;
Step 6: If the analyser's result is normal traffic, the decision device passes the packet to the higher-level controller for further processing;
Step 7: If the analyser's result is malicious traffic, the decision device notifies the intrusion prevention controller to discard it;
Step 8: If the analyser's result is suspicious traffic, the decision device marks it as suspicious and increments its mark count by one;
Step 9: If the decision device finds that the mark count has not reached the threshold, it forwards the packet to the higher-level controller;
Step 10: If the decision device finds that the mark count has reached the threshold, it still forwards the packet to the higher-level controller;
Step 11: The decision device notifies the intrusion prevention controller to apply QoS to the traffic whose mark count has reached the threshold;
Step 12: The higher-level controller processes the non-malicious traffic;
Step 13: The switch forwards traffic according to the processing result.
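The per-node pipeline of steps 4 to 11, listed once in the summary and again here, as an added Python simulation (not the patent's code). It assumes what the patent leaves open: the analyser's DPI is two constructed byte signatures plus one flow-level heuristic (a packet burst from one source), the suspicious mark count is kept per source address, and the switch, the higher-level controller and the QoS engine are represented by the returned Action rather than by real OpenFlow messages. All class names and the sample slice are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum
from typing import Deque, Dict, List, Tuple


class Verdict(Enum):
    NORMAL = "normal"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"


class Action(Enum):
    FORWARD = "forward"                        # pass to higher-level controller (steps 6, 9)
    DROP = "drop"                              # IPS controller discards (step 7)
    FORWARD_RATE_LIMIT = "forward_rate_limit"  # forward but apply the QoS rate limit (steps 10, 11)


@dataclass
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


# Constructed stand-in for the patent's malicious-traffic feature table (assumed
# content; a real DPI table holds thousands of signatures).
MALICIOUS_SIGNATURES: Dict[str, bytes] = {
    "shellshock-cgi": b"() { :; };",
    "sqli-union": b"' UNION SELECT",
}


class Collector:
    """Step 4: per-flow packet and byte counts."""
    def __init__(self) -> None:
        self.summary: Dict[Tuple[str, str, int], List[int]] = defaultdict(lambda: [0, 0])

    def record(self, p: Packet) -> None:
        s = self.summary[(p.src_ip, p.dst_ip, p.dst_port)]
        s[0] += 1
        s[1] += len(p.payload)


class Analyzer:
    """Step 5: DPI against the signature table, then a flow-level burst check."""
    def __init__(self, burst_window_s: float = 1.0, burst_packets: int = 5) -> None:
        self.window, self.burst = burst_window_s, burst_packets
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)

    def inspect(self, p: Packet) -> Verdict:
        if any(sig in p.payload for sig in MALICIOUS_SIGNATURES.values()):
            return Verdict.MALICIOUS
        q = self.recent[p.src_ip]
        q.append(p.ts)
        while q and p.ts - q[0] > self.window:     # slide the window
            q.popleft()
        return Verdict.SUSPICIOUS if len(q) > self.burst else Verdict.NORMAL


class DecisionMaker:
    """Steps 6-11: verdict -> action, with a per-source suspicious mark count."""
    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.marks: Dict[str, int] = defaultdict(int)

    def decide(self, p: Packet, verdict: Verdict) -> Action:
        if verdict is Verdict.MALICIOUS:
            return Action.DROP                          # step 7
        if verdict is Verdict.SUSPICIOUS:
            self.marks[p.src_ip] += 1                   # step 8
            if self.marks[p.src_ip] >= self.threshold:
                return Action.FORWARD_RATE_LIMIT        # steps 10, 11
        return Action.FORWARD                           # steps 6, 9


class DetectionNode:
    """One detection node: collector, analyser and decision device in sequence."""
    def __init__(self, threshold: int = 3) -> None:
        self.collector, self.analyzer, self.decider = Collector(), Analyzer(), DecisionMaker(threshold)

    def process(self, p: Packet) -> Action:
        self.collector.record(p)
        return self.decider.decide(p, self.analyzer.inspect(p))


def run(packets: List[Packet], threshold: int = 3) -> List[Action]:
    """Feed one traffic slice through a fresh detection node; return the action per packet."""
    node = DetectionNode(threshold)
    return [node.process(p) for p in packets]


# Constructed sample slice (not captured traffic): a normal request, a Shellshock
# probe, then a burst of ten requests within 0.1 s from one source.
SAMPLE_SLICE = [
    Packet(0.0, "10.0.0.5", "10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.1, "10.0.0.6", "10.0.0.9", 80, b"GET /cgi-bin/x HTTP/1.1\r\nUser-Agent: () { :; }; /bin/id\r\n"),
] + [Packet(0.2 + 0.01 * i, "10.0.0.7", "10.0.0.9", 80, b"GET / HTTP/1.1\r\n") for i in range(10)]

if __name__ == "__main__":
    for p, act in zip(SAMPLE_SLICE, run(SAMPLE_SLICE)):
        print(f"{p.ts:.2f} {p.src_ip} -> {act.value}")
```

On the constructed slice the first packet is forwarded, the Shellshock probe is dropped, the first five packets of the burst pass as normal, the sixth and seventh are marked suspicious but still forwarded (step 9), and from the eighth on, once the mark count reaches the threshold of three, the packets are forwarded with the rate limit applied (steps 10 and 11). Note that the mark count is never decremented here; a deployment needs an ageing rule, otherwise a source that was bursty once stays rate-limited for the life of the node.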

Claims (2)

1. An SDN-oriented intrusion prevention system, characterised in that the intrusion prevention system is deployed on an SDN controller and comprises a fragmenter module, a detection module and an intrusion prevention controller module;
the fragmenter module is a transparent proxy between the switches and the detection module, which divides the large volume of data on the switches into several slices according to a fragmentation rule and then inspects and analyses them, resolving the conflict between large data volumes and fast detection;
the detection module generates detection nodes equal in number to the traffic slices produced by the fragmenter, each detection node consisting of three parts: a collector, an analyser and a decision device;
the collector collects, organises and records the received packets in preparation for further analysis; the analyser analyses and inspects packets, using high-speed DPI and flow-level detection techniques to judge whether a packet is malicious traffic, suspicious traffic or normal traffic, and sends the result to the decision device after judging the traffic; the decision device has the permission to modify the switches' forwarding policy;
the function of the intrusion prevention controller module is to coordinate the detection module and the fragmenter module inside the intrusion prevention system with the external higher-level controller applications and the switches, and its work includes: modifying flow entries so that the packets passing through every switch are all sent to the intrusion prevention system for inspection; formulating the fragmentation strategy from the bandwidth of the data flows on the switches and the load parameters of the detection module, and controlling the fragmenter module to fragment the traffic; when the data flow is divided into N slices, controlling the detection module to generate N detection nodes; receiving the analysis results of the detection module and performing different operations on different types of traffic.
2. The SDN-oriented intrusion prevention system according to claim 1, characterised in that the operations on different types of traffic are: for malicious traffic, the decision device controls the switch to discard it directly without forwarding; suspicious traffic and normal traffic are recorded and then passed to the higher-level controller applications for further processing; when the suspicious-traffic count reaches a certain threshold, the corresponding QoS policy is executed on that traffic; the corresponding QoS policy is rate limiting.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510763337.2A | 2015-11-10 | 2015-11-10 | An SDN-oriented intrusion prevention system and method

Publications (2)

Publication Number | Publication Date
CN105429974A | 2016-03-23
CN105429974B | 2018-09-11

Family

ID: 55507916

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
EP3286900B1 | 2016-06-22 | 2019-03-27 | Huawei Technologies Co., Ltd. | System and method for detecting and preventing network intrusion of malicious data flows
CN106789351A * | 2017-01-24 | 2017-05-31 | 华南理工大学 | Online intrusion prevention method and system based on SDN
CN107770174A * | 2017-10-23 | 2018-03-06 | 上海微波技术研究所(中国电子科技集团公司第五十研究所) | An SDN-oriented intrusion prevention system and method
CN111294344A * | 2020-01-19 | 2020-06-16 | 中移(杭州)信息技术有限公司 | Data forwarding control system, method, electronic device and storage medium
CN112351044A * | 2020-12-02 | 2021-02-09 | 杭州云梯科技有限公司 | Network security system based on big data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103561011A * | 2013-10-28 | 2014-02-05 | 中国科学院信息工程研究所 | Method and system for preventing blind DDoS attacks on SDN controllers
CN103973676A * | 2014-04-21 | 2014-08-06 | 蓝盾信息安全技术股份有限公司 | Cloud computing security protection system and method based on SDN
CN104506507A * | 2014-12-15 | 2015-04-08 | 蓝盾信息安全技术股份有限公司 | Honeynet protection system and method for SDN (software defined network)
CN104683333A * | 2015-02-10 | 2015-06-03 | 国都兴业信息审计系统技术(北京)有限公司 | Method for implementing abnormal traffic interception based on SDN

Family Cites Families (1)

Publication number | Priority date | Publication date | Assignee | Title
US9692775B2 * | 2013-04-29 | 2017-06-27 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and system to dynamically detect traffic anomalies in a network


Also Published As

Publication number | Publication date
CN105429974A | 2016-03-23

Similar Documents

Publication | Title
CN105429974B | An SDN-oriented intrusion prevention system and method
CN107959690B | Cross-layer cooperative DDoS defence method based on software defined networking
Dharma et al. | Time-based DDoS detection and mitigation for SDN controller
Cui et al. | SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks
CN108063765B | SDN system for solving network security problems
CN107770174A | An SDN-oriented intrusion prevention system and method
CN104954367B | Internet omnidirectional cross-domain DDoS attack defence method
CN106921666A | DDoS attack defence system and method based on synergy
CN101572701A | Security gateway system for resisting DDoS attacks on DNS service
CN103746885A | Test system and test method for next-generation firewalls
CN103561011A | Method and system for preventing blind DDoS attacks on SDN controllers
CN107623663A | Method and device for processing network traffic
CN106341337A | Application-aware flow detection and control mechanism and method under SDN
CN109617931A | DDoS attack defence method and defence system for SDN controllers
CN101286996A | Storm attack resisting method and apparatus
CN101018156A | Method, device and system for preventing broadband denial-of-service attacks
Zhang et al. | FloodShield: Securing the SDN infrastructure against denial-of-service attacks
CN104618377A | NetFlow-based botnet detection system and detection method
CN101106518A | Denial-of-service defence method providing load protection for the central processor
CN114513340B | Two-stage DDoS attack detection and defence method in software defined networks
CN103095717B | Method and network device for preventing MAC address table flooding
CN108028828A | Distributed denial-of-service (DDoS) attack detection method and related device
CN106027497A | SDN-oriented DDoS traceback and source-end filtering method based on OpenFlow-DPM
CN104320305A | Forwarding service monitoring method and system for network equipment
Ramprasath et al. | Mitigation of malicious flooding in software defined networks using dynamic access control list

Legal Events

Date | Code | Title
 | C06 | Publication
 | PB01 | Publication
 | C10 | Entry into substantive examination
 | SE01 | Entry into force of request for substantive examination
 | GR01 | Patent grant