CN105721627B - An online anonymization method for IP network traffic data - Google Patents

An online anonymization method for IP network traffic data

Info

Publication number: CN105721627B (other version: CN105721627A)
Application number: CN201610104441.5A
Authority: CN (China)
Legal status: Active (Google's listed status is an assumption, not a legal conclusion)
Inventors: 韩春静, 葛敬国, 李亮雄, 李强, 吕红蕾, 郑宏波
Original and current assignee: Institute of Information Engineering of CAS
Original language: Chinese (zh); the text below is an English rendering of the published document.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2539 Hiding addresses; Keeping addresses anonymous
Abstract

The invention discloses an online anonymization method for IP network traffic data. The method comprises the steps of: 1) initializing an anonymization flow table; 2) for each captured network packet, parsing the source IP address and destination IP address of the packet, looking each address up in the anonymization flow table and, if it is found, replacing it with the lookup result; otherwise anonymizing the address with an anonymization algorithm, replacing it, and inserting a flow entry into the anonymization flow table with the original IP address as key and the anonymized IP address as value; detecting the type of the packet and, if it is an IPv4 packet, recalculating the checksum of the anonymized packet; outputting the anonymized packet; and detecting the utilization of the anonymization flow table and, if the utilization reaches or exceeds a set threshold, deleting the current anonymization flow table and establishing a new one.

Description

An online anonymization method for IP network traffic data
Technical field
The invention belongs to the field of computer network communication and relates to a high-performance, scalable, flow-table-based online anonymization method for IP addresses.
Background technique
Network traffic anonymization is, in essence, the processing of the IP addresses, payload and other fields of network packets by encryption or other means so that the processed information has no correlation whatsoever with the original information. Anonymization therefore protects private data such as user IP information and content from being disclosed and creating a security risk. This is why ISPs and similar organizations deploy it: traffic is captured and anonymized in the live environment at core-network nodes or at certain network egress points, and the resulting traffic data is made available to researchers and developers.
Existing research finds that, apart from the payload contents, the data in network traffic that concerns user privacy is the IP address information. Traffic data provided to researchers normally keeps only the packet headers and strips the payload, so the invention is concerned with the problem of IP address anonymization. IP address anonymization algorithms fall into three main classes: truncation, random permutation and prefix preservation. Truncation sets a fixed number of bit positions of the IP address to 0 and keeps only the remaining bits (typically 8, 16 or 24 bits are kept). Because the mapping is not injective, all addresses sharing the corresponding prefix are mapped to a single value; the result is irreversible, and both the relationships between the original addresses and their routing characteristics are lost. Black marker is a special case of truncation: all information in a field is deleted or replaced by a fixed value, which has little application value.
Random permutation generates, by a random function, a one-to-one mapping for the addresses that need anonymization, mapping each IP address in the traffic to another real IP address. If the mapping is known the transformation is reversible; otherwise it is irreversible. TCPurify is a typical instance of this approach; its advantage is that addresses which do not need conversion, such as private and multicast addresses, can conveniently be retained. Because the mapping is completely random, the anonymized addresses lose the relationships and routing characteristics of the original addresses; the security obtained depends on the random algorithm, and the method suits only scenarios with low requirements on the data. The most popular approach is prefix-preserving anonymization: if two IP addresses share a longest common prefix of K bits, their anonymized addresses also share a longest common prefix of K bits. This preserves the hierarchical relationships and routing characteristics among addresses and is the most widely used anonymization technique. The main prefix-preserving anonymization algorithms are the A50 method of TCPdpriv and Crypto-PAn. The A50 method of Greg Minshall's tcpdpriv is simple in design and easy to implement, but because its mapping depends on the order in which addresses are seen, the same address can be mapped to different anonymized addresses in different traces, and it cannot process traffic concurrently in a distributed environment. The mapping of Crypto-PAn is independent of the order in which addresses appear in the input: as long as the key K is the same, IP addresses in different input files are never mapped to different anonymized addresses. Crypto-PAn constructs its anonymization function from the Rijndael encryption algorithm; in practice Crypto-PAn is mostly used to provide anonymized traffic for research and data analysis.
All of the above algorithms anonymize all or part of the source and destination address of every packet and therefore generate a large amount of cryptographic computation. Precomputing the anonymization of IP addresses is feasible for IPv4, whose address space is small, but not for IPv6: the IPv6 address space is very large, a single IPv6 address needs 16 bytes of storage, and both the original and the anonymized address must be stored, so an anonymization system that precomputed every IPv6 address prefix offline and kept the results in memory would need 2*16*2^128 bytes, which no ordinary server can provide. The object anonymized by the invention is a 10 Gbps IPv4/IPv6 dual-stack link. Even if only the first 16 bits of IPv4 addresses and the first 64 bits of IPv6 addresses were precomputed, the required memory would be 32*2^64 + 4*2^16 bytes, which an ordinary server still cannot provide, and the remaining 16 bits of the IPv4 address and 64 bits of the IPv6 address would still need online anonymization. With the growth of mobile applications and the spread of 4G networks, operator backbone bandwidth keeps increasing; in China, for example, a provider backbone commonly runs at 40 Gbps. The existing methods cannot anonymize such high-bandwidth traffic in real time and are only applicable offline or to sampled traffic.
Summary of the invention
In view of the problems of the prior art, the object of the invention is to propose an online anonymization method for high-speed network traffic data. The technical solution of the invention is as follows:
An online anonymization method for IP network traffic data, as shown in Figure 1, comprises the following steps:
1) create an anonymization flow table and initialize it (the anonymization flow table is hereinafter called simply the flow table);
2) parse the captured network packet to obtain its source IP address and destination IP address;
3) look up the flow table by the source IP address; if the flow table holds a record for the source IP address, use that record's flow table index to read the corresponding anonymized IP address from the flow table and replace the packet's source IP address with it;
4) if the flow table holds no record for the source IP address, call the anonymization method on the source IP address, replace the packet's source IP address with the anonymized address, and insert a flow entry into the flow table with the original source IP address as key and the anonymized source IP address as value;
5) look up the flow table by the destination IP address; if the flow table holds a record for the destination IP address, use that record's flow table index to read the corresponding anonymized IP address from the flow table and replace the packet's destination IP address with it;
6) if the flow table holds no record for the destination IP address, call the anonymization method on the destination IP address, replace the packet's destination IP address with the anonymized address, and insert a flow entry into the flow table with the original destination IP address as key and the anonymized destination IP address as value;
7) if the packet is an IPv4 packet, recalculate the checksum of the anonymized packet;
8) output the anonymized packet;
9) check whether the flow table utilization reaches or exceeds the threshold; if so, delete the current flow table and create and initialize a new anonymization flow table;
10) go to step 2) and continue with the next packet.
The flow table has the following data structure: a flow table key array AFT_keys, holding the original IP records; a flow table value array AFT_values, holding the anonymized IP records, of the same size as AFT_keys; a flow table size AFT_size, giving the size of AFT_keys; a used-entry count AFT_used, giving the number of flow entries already in use in AFT_keys or AFT_values; and a maximum flow table utilization AFT_bound, the upper limit on the ratio of AFT_used to AFT_size, beyond which the current flow table must be deleted. The data structure of the flow table is shown in Figure 2.
The flow table utilization is denoted U_AFT and is the ratio that AFT_bound caps: U_AFT = AFT_used / AFT_size.
The operations on the flow table are: the flow table initialization method AFT_init, the flow table lookup method AFT_find, the flow table insertion method AFT_insert, and the flow table deletion method AFT_destroy.
The flow table initialization method AFT_init proceeds as follows:
1) create the flow table pointer AFT and initialize the values of AFT_size, AFT_used and AFT_bound in the flow table, where AFT_size is an integral power of 2 so as to speed up hash positioning, its exact value being chosen according to the memory size, AFT_used is 0, and AFT_bound is a value between 0 and 1;
2) allocate the memory for the AFT_keys array and the AFT_values array of the flow table according to the flow table size AFT_size.
The flow table lookup method AFT_find proceeds as follows:
1) compute the hash of the IP address to be looked up and search for the address in the AFT_keys array of the flow table according to the hash;
2) if a hash collision occurs during the search, resolve it by linear probing;
3) if the search succeeds, return the index of the IP address in the AFT_keys array; otherwise the lookup fails and a null value is returned.
The flow table insertion method AFT_insert proceeds as follows:
1) take the original IP address to be inserted as the key and compute its hash, and locate the insertion position of the key in the AFT_keys array of the flow table according to the hash;
2) if a hash collision occurs during the search, resolve it by linear probing;
3) assuming the index of the key in the AFT_keys array is i, take the anonymized IP address as the value and insert the key and the value into position i of the flow table arrays AFT_keys and AFT_values respectively.
The flow table deletion method AFT_destroy proceeds as follows:
1) release the memory occupied by the AFT_keys and AFT_values arrays of the flow table;
2) delete the flow table.
The IP address anonymization method is Anon_IP. For an IPv4 address, Anon_IP processes the address by calling the anonymization algorithm Crypto-PAn; for an IPv6 address, Anon_IP processes the address by calling the anonymization algorithm Crypto-PAn6.
Crypto-PAn6 is an extension of the Crypto-PAn algorithm, obtained as follows:
1) change the representation of the IP address, replacing the 32-bit integer type in Crypto-PAn with the struct in6_addr structure defined by the POSIX standard so that IPv6 addresses are supported;
2) change the iteration count of the bit-by-bit encryption loop over the IP address in Crypto-PAn, extending the 32 iterations used to encrypt an IPv4 address to 128 iterations so that every bit of an IPv6 address is processed.
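The two changes above (the address type and the loop count) leave the bit-by-bit structure of Crypto-PAn unchanged, so the prefix-preserving property can be shown with one routine parameterised over the address length. What follows is an added example written for this page; it is not code from the patent or from the Crypto-PAn distribution. It assumes HMAC-SHA256 as the per-bit pseudo-random function in place of the Rijndael-based construction the patent relies on, so its outputs will not match Crypto-PAn outputs for the same key. The key KEY, the function names and the common-prefix helper are this example's own.

```python
import hashlib
import hmac
import ipaddress


def anonymize_prefix_preserving(addr: bytes, key: bytes) -> bytes:
    """Prefix-preserving anonymization of a 4-byte (IPv4) or 16-byte (IPv6)
    address, generalised over the bit length the same way the patent's
    Crypto-PAn6 generalises Crypto-PAn: the per-bit loop runs
    len(addr) * 8 times (32 or 128).

    Output bit i is input bit i XOR one pseudo-random bit that depends only
    on the first i input bits, so two inputs sharing a k-bit prefix produce
    outputs sharing a k-bit prefix.

    ASSUMPTION: the pseudo-random bit comes from HMAC-SHA256. Real Crypto-PAn
    takes it from Rijndael (AES) over a padded block, so outputs here differ
    from Crypto-PAn outputs for the same key.
    """
    if len(addr) not in (4, 16):
        raise ValueError("address must be 4 (IPv4) or 16 (IPv6) bytes")
    nbits = len(addr) * 8
    x = int.from_bytes(addr, "big")
    out = 0
    for i in range(nbits):
        prefix = x >> (nbits - i)            # the i most significant input bits
        # Domain-separate on family, bit position and prefix value so that
        # prefixes of different lengths never share a PRF input.
        msg = bytes([nbits, i]) + prefix.to_bytes(16, "big")
        flip = hmac.new(key, msg, hashlib.sha256).digest()[0] >> 7
        bit = (x >> (nbits - 1 - i)) & 1
        out = (out << 1) | (bit ^ flip)
    return out.to_bytes(len(addr), "big")


def anonymize_ip(text: str, key: bytes) -> str:
    """Same operation on textual addresses (IPv4 or IPv6)."""
    packed = ipaddress.ip_address(text).packed
    return str(ipaddress.ip_address(anonymize_prefix_preserving(packed, key)))


def common_prefix_bits(a: str, b: str) -> int:
    """Length in bits of the longest common prefix of two addresses."""
    pa, pb = ipaddress.ip_address(a).packed, ipaddress.ip_address(b).packed
    if len(pa) != len(pb):
        raise ValueError("addresses must belong to the same family")
    n = len(pa) * 8
    diff = int.from_bytes(pa, "big") ^ int.from_bytes(pb, "big")
    return n if diff == 0 else n - diff.bit_length()


KEY = bytes(range(32))   # constructed demo key, not the embodiment's my_key
```

The property the test checks is the one the page's own numbers exhibit: 66.9.149.187 and 66.9.132.6 share a 19-bit prefix and so do their Crypto-PAn images 3.241.234.95 and 3.241.251.249 in the embodiment; the source and destination of packet 3 share 51 bits and so do their images. Any deterministic PRF preserves prefixes this way; what the PRF choice and the secrecy of the key determine is how hard the mapping is to invert, and determinism is also what makes the flow table rebuild in step 9 harmless, since a recomputed address always maps to the same value.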
The flow table structure can be extended so that IPv4 addresses and IPv6 addresses are stored in two separate sub-flow tables, which allows the method to be used on an IPv4/IPv6 dual-stack link; the extended flow table structure is shown in Figure 3. The extension method is:
1) establish two sub-flow tables, for storing IPv4 addresses and IPv6 addresses respectively;
2) establish a flow table head node AFT and create two pointers AFT_P_4 and AFT_P_6 for it;
3) make AFT_P_4 point to the IPv4 sub-flow table AFT4 and AFT_P_6 point to the IPv6 sub-flow table AFT6.
After the flow table is extended, the processing flow gains a decision step:
after parsing the packet's source address or destination address, determine the address type; for an IPv4 address, direct AFT through the pointer AFT_P_4 to sub-flow table AFT4 for the subsequent processing; for an IPv6 address, direct AFT through the pointer AFT_P_6 to sub-flow table AFT6 for the subsequent processing.
The extended flow table initialization method AFT_init proceeds as follows:
1) create a unified flow table head node containing the sub-pointers AFT_P_4 and AFT_P_6;
create sub-flow table AFT4 and initialize the values of AFT_size, AFT_used and AFT_bound in AFT4, where AFT_size is an integral power of 2 so as to speed up hash positioning, its exact value being chosen according to the memory size, AFT_used is 0, and AFT_bound is a value between 0 and 1; allocate the memory for the AFT_keys and AFT_values arrays according to the flow table size AFT_size;
2) create sub-flow table AFT6 and initialize the values of AFT_size, AFT_used and AFT_bound in AFT6 in the same way (AFT_size an integral power of 2 chosen according to the memory size, AFT_used 0, AFT_bound a value between 0 and 1); allocate the memory for the AFT_keys and AFT_values arrays according to the flow table size AFT_size;
3) create the flow table head node AFT and create two pointers AFT_P_4 and AFT_P_6 for it;
4) make AFT_P_4 point to IPv4 sub-flow table AFT4 and AFT_P_6 point to IPv6 sub-flow table AFT6.
The extended flow table deletion method AFT_destroy proceeds as follows:
1) release the memory occupied by the AFT_keys and AFT_values arrays of the IPv4 sub-flow table and of the IPv6 sub-flow table respectively;
2) delete the IPv4 sub-flow table and the IPv6 sub-flow table;
3) delete the flow table head node AFT.
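The following added example implements both the basic flow table of the preceding section (AFT_init, AFT_find, AFT_insert, AFT_destroy, the utilization ratio and AFT_bound) and the dual-stack extension above (a head node dispatching on address length to AFT4 or AFT6), in Python rather than the C-style structures the patent describes. It is not the patent's code. The hash function (BLAKE2b), the class and method names, and the stand-in anonymizer demo_anon (which just inverts the address bits, for exercising the table only) are this example's assumptions.

```python
import hashlib
from typing import Callable, List, Optional

AnonFn = Callable[[bytes], bytes]


class AFT:
    """One anonymization flow (sub-)table: the AFT_keys / AFT_values arrays,
    AFT_size (a power of two), AFT_used and AFT_bound of the description."""

    def __init__(self, size_log2: int, bound: float) -> None:
        if not 0.0 < bound < 1.0:
            raise ValueError("AFT_bound must lie strictly between 0 and 1")
        self.size = 1 << size_log2                                # AFT_size
        self.used = 0                                             # AFT_used
        self.bound = bound                                        # AFT_bound
        self.keys: List[Optional[bytes]] = [None] * self.size     # AFT_keys
        self.values: List[Optional[bytes]] = [None] * self.size   # AFT_values

    def utilization(self) -> float:
        """U_AFT = AFT_used / AFT_size."""
        return self.used / self.size

    def _home_slot(self, key: bytes) -> int:
        # Hash positioning; with a power-of-two size the modulo is a mask.
        # ASSUMPTION: BLAKE2b as the hash, the patent does not name one.
        h = int.from_bytes(hashlib.blake2b(key, digest_size=8).digest(), "big")
        return h & (self.size - 1)

    def find(self, key: bytes) -> Optional[int]:
        """AFT_find: index of key in AFT_keys, or None; linear probing."""
        i = self._home_slot(key)
        for _ in range(self.size):
            k = self.keys[i]
            if k is None:
                return None              # an empty slot ends the probe run
            if k == key:
                return i
            i = (i + 1) & (self.size - 1)
        return None

    def insert(self, key: bytes, value: bytes) -> int:
        """AFT_insert: store (key, value) in the first free probed slot."""
        if self.used >= self.size:
            raise RuntimeError("flow table full; AFT_bound should have forced a rebuild")
        i = self._home_slot(key)
        while self.keys[i] is not None:
            i = (i + 1) & (self.size - 1)   # linear probing on collision
        self.keys[i] = key
        self.values[i] = value
        self.used += 1
        return i


class DualStackAFT:
    """Flow table head node: AFT_P_4 / AFT_P_6 point at the IPv4 and IPv6
    sub-tables; also carries the per-packet utilization check of step 9."""

    def __init__(self, size4_log2: int, size6_log2: int, bound: float,
                 anon_fn: AnonFn) -> None:
        self.size4_log2, self.size6_log2, self.bound = size4_log2, size6_log2, bound
        self.anon_fn = anon_fn       # Anon_IP; must be deterministic (see note)
        self.rebuilds = 0
        self._aft_init()

    def _aft_init(self) -> None:
        self.aft4 = AFT(self.size4_log2, self.bound)   # AFT_P_4 -> AFT4
        self.aft6 = AFT(self.size6_log2, self.bound)   # AFT_P_6 -> AFT6

    def _select(self, addr: bytes) -> AFT:
        if len(addr) == 4:
            return self.aft4
        if len(addr) == 16:
            return self.aft6
        raise ValueError("address must be 4 or 16 bytes")

    def lookup_or_anonymize(self, addr: bytes) -> bytes:
        """Steps 3-6 for one address: a hit returns the cached value, a miss
        runs the anonymizer and inserts the new flow entry."""
        table = self._select(addr)
        i = table.find(addr)
        if i is not None:
            return table.values[i]
        anon = self.anon_fn(addr)
        table.insert(addr, anon)
        return anon

    def end_of_packet(self) -> bool:
        """Step 9: once either sub-table reaches AFT_bound, AFT_destroy the
        tables and AFT_init fresh ones. Returns True when that happened."""
        if (self.aft4.utilization() >= self.bound
                or self.aft6.utilization() >= self.bound):
            self._aft_init()         # old arrays are released with the objects
            self.rebuilds += 1
            return True
        return False


def demo_anon(addr: bytes) -> bytes:
    """Constructed stand-in for Anon_IP, used only to exercise the table:
    inverts every bit, which is deterministic and length-preserving."""
    return bytes(b ^ 0xFF for b in addr)
```

Two points the description leaves implicit are visible here. A probe sequence may stop at the first empty slot only because entries are never deleted individually; the whole table is dropped in step 9 instead, which is why AFT_find and AFT_insert need no tombstones. And that wholesale rebuild is safe only because Anon_IP is deterministic under a fixed key: after a rebuild the same address is recomputed to the same value, so the anonymized trace stays consistent across rebuild boundaries.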
Compared with the prior art, the invention has the following positive effects:
1) The high-speed traffic anonymization method based on an anonymization flow table performs better than existing anonymization methods. The method takes the viewpoint of network flows: packets of the same flow (source address + destination address) appear frequently and in bursts on a high-speed link, and user access exhibits hot spots. Test results show that the average anonymization time per IPv4 packet is reduced by a factor of 20 or more and the average anonymization time per IPv6 packet by a factor of 50 or more;
2) In the flow-table-based method, the time needed for address encryption is comparatively large and the flow table lookup time is negligible by comparison. Testing shows that in the first 5 seconds after flow table initialization a large number of packets trigger anonymization encryption operations, after which the number of encryption operations keeps falling; the overall anonymization time of the traffic therefore depends essentially on the flow table lookup time, the time spent on anonymization encryption can be neglected, and the total overhead of anonymization is greatly reduced;
3) The method supports the anonymization of IPv6 addresses. Because existing methods depend on an encryption algorithm, the overhead for 128-bit IPv6 addresses is very large and real-time anonymization of 10 Gbps or faster links cannot be achieved; this method caches recently encrypted address information in the anonymization flow table, greatly reducing the cost of high-frequency anonymization and solving this problem;
4) The method has good scalability: the flow table structure can be extended as needed. For a new network structure the anonymization flow table does not require the whole data structure and the method names to be redefined; only the relevant sub-AFT and encryption interface are added, so the method generalizes well.
Detailed description of the invention
Figure 1 is the flow chart of the method of the invention;
Figure 2 is the schematic diagram of the data structure of the flow table of the invention;
Figure 3 is the schematic diagram of the flow table used by the invention for anonymizing IPv4 and IPv6 addresses;
Figure 4 shows the flow table contents of the embodiment of the invention.
Specific embodiment
The technical solution of the embodiment of the invention is described completely below with reference to the drawings. It comprises:
1. Initialization:
1) Compute the initialization parameters. Let the AFT_size of the IPv4 sub-flow table and of the IPv6 sub-flow table be S4 and S6 respectively, and let the maximum memory occupied by the flow table be M. Since one IPv4 flow table record and one IPv6 flow table record occupy 12 bytes and 36 bytes respectively, the following relation holds:
S4*8 + S6*32 = M    (1)
The sizes of the IPv4 sub-flow table and the IPv6 sub-flow table must also satisfy:
S4 = C*S6    (2)
where C is the ratio of the number of distinct IPv4 addresses to the number of distinct IPv6 addresses observed on the processed link in a given period; the relation above ensures that the two sub-flow tables make equal use of the memory resource. If the server has 128 GB of memory, 16 threads each with its own independent AFT flow table are used, and the maximum AFT memory usage is set to 128 GB * 20%, then the maximum memory available to each flow table is M = 128 GB * 20% / 16 = 1.6 GB. With C = 200, formulas (1) and (2) give S4 = 196078431 and S6 = 980392. To improve flow table lookup performance, S4 and S6 are adjusted to integral powers of 2: S4 = 2^27 = 134217728 and S6 = 2^20 = 1048576.
2) Execute AFT_init to create the flow table structure.
3) According to the result computed in 1), set the size AFT_size of the IPv4 sub-flow table to 134217728 and the size AFT_size of the IPv6 sub-flow table to 1048576;
4) Set AFT_bound of both the IPv4 sub-flow table and the IPv6 sub-flow table to 0.77.
Then set the anonymization key to:
unsigned char my_key[32] = {21, 34, 23, 141, 51, 164, 207, 128, 19, 10, 91, 22, 73, 144, 125, 16, 216, 152, 143, 131, 121, 121, 101, 39, 98, 87, 76, 45, 42, 132, 34, 2};
The flow table contents of this embodiment are shown in Figure 4.
2. Packet capture and anonymization process:
Take the following input data as an example:
The IPv4 headers of packet 1 and packet 2 are, in hexadecimal:
1 45 00 00 28 72 9a 40 00 80 06 d4 a2 42 09 95 bb 0c 16 cf b8
2 45 00 00 28 72 9a 40 00 80 06 e6 57 42 09 84 06 0c 16 cf b8
The anonymization steps are:
1) Extract packet 1 and parse src=66.9.149.187, dst=12.22.207.184;
2) With src=66.9.149.187 as key, call AFT_find on AFT4. AFT_find computes the hash of 66.9.149.187 as 52703269 and searches the keys array; the key is not present;
3) Compute the anonymized value a_src=3.241.234.95 with the Crypto-PAn algorithm;
4) Call AFT_insert to write src and a_src into keys and vals respectively at position 52703269;
5) With dst=12.22.207.184 as key, call AFT_find on AFT4. AFT_find computes the hash of 12.22.207.184 as 53834646 and searches the keys array; the key is not present;
6) Compute the anonymized value a_dst=115.212.176.88 with the Crypto-PAn algorithm;
7) Call AFT_insert to write dst and a_dst into keys and vals respectively at position 53834646;
8) Replace src and dst in packet 1 with a_src and a_dst;
9) Recalculate the checksum, which becomes 75b8;
10) Output packet 1;
11) Extract packet 2 and parse src=66.9.132.6, dst=12.22.207.184;
12) With src=66.9.132.6 as key, call AFT_find on AFT4. AFT_find computes the hash of 66.9.132.6 as 9025253 and searches the keys array; the key is not present;
13) Compute the anonymized value a_src=3.241.251.249 with the Crypto-PAn algorithm;
14) Call AFT_insert to write src and a_src into keys and vals respectively at position 9025253;
15) With dst=12.22.207.184 as key, call AFT_find on AFT4. AFT_find computes the hash of 12.22.207.184 as 53834646 and searches the keys array; the key is present, and the value at 53834646, 115.212.176.88, is taken as a_dst;
16) Replace src and dst in packet 2 with a_src and a_dst;
17) Recalculate the checksum, which becomes 641e;
18) Output packet 2;
19) Extract packet 3 and parse src=3ffe:2501:200:3::1, dst=3ffe:2501:200:1fff::2;
20) With src=3ffe:2501:200:3::1 as key, call AFT_find on AFT6. AFT_find computes the hash of 3ffe:2501:200:3::1 as 75905 and searches the keys array; the key is not present;
21) Compute the anonymized value a_src=5f99:357e:823f:f8c3:7d8f:700e:ef09:ddee with the Crypto-PAn algorithm;
22) Call AFT_insert to write src and a_src into keys and vals respectively at position 75905;
23) With dst=3ffe:2501:200:1fff::2 as key, call AFT_find on AFT6. AFT_find computes the hash of 3ffe:2501:200:1fff::2 as 968833 and searches the keys array; the key is not present;
24) Compute the anonymized value a_dst=5f99:357e:823f:eff0:e00f:ae00:e103:3ee0 with the Crypto-PAn algorithm;
25) Call AFT_insert to write dst and a_dst into keys and vals respectively at position 968833;
26) Replace src and dst in packet 3 with a_src and a_dst, and output packet 3;
27) Extract packet 4 and parse src=3ffe:2501:200:3::1, dst=3ffe:501:8::260:97ff:fe40:efab;
28) With src=3ffe:2501:200:3::1 as key, call AFT_find on AFT6. AFT_find computes the hash of 3ffe:2501:200:3::1 as 75905 (the same value as in step 20) and searches the keys array; the key is present, and the value at 75905, 5f99:357e:823f:f8c3:7d8f:700e:ef09:ddee, is taken as a_src;
29) With dst=3ffe:501:8::260:97ff:fe40:efab as key, call AFT_find on AFT6. AFT_find computes the hash of 3ffe:501:8::260:97ff:fe40:efab as 613580 and searches the keys array; the key is not present;
30) Compute the anonymized value a_dst=5f99:501:e00c:1dfd:e1b0:8b24:4171:6859 with the Crypto-PAn algorithm;
31) Call AFT_insert to write dst and a_dst into keys and vals respectively at position 613580;
32) Replace src and dst in packet 4 with a_src and a_dst, and output packet 4.
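The steps above replace both addresses and, for IPv4 only, recompute the header checksum (steps 9 and 17). The following added example, which is not code from the patent, performs the per-packet rewrite for IPv4 and IPv6 headers and checks the two checksum values the page reports. It does not run Crypto-PAn: page_anonymizer is a lookup table built from the address pairs printed above, PKT1 and PKT2 are the two headers above, and PKT3 is a 40-byte IPv6 header constructed here because the page gives only the addresses of packet 3. The function names are this example's own.

```python
import ipaddress
from typing import Callable, Dict, List

AnonFn = Callable[[bytes], bytes]


def ipv4_header_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words of
    the header with the checksum field itself taken as zero."""
    if len(hdr) % 2:
        raise ValueError("IPv4 header length must be even")
    total = 0
    for off in range(0, len(hdr), 2):
        if off != 10:                        # bytes 10-11 hold the checksum
            total += (hdr[off] << 8) | hdr[off + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def anonymize_packet(pkt: bytes, anon: AnonFn) -> bytes:
    """Steps 2-8 for one packet: replace source and destination, then
    recompute the header checksum for IPv4 (IPv6 has no header checksum)."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("truncated or malformed IPv4 header")
        hdr = bytearray(pkt[:ihl])
        hdr[12:16] = anon(bytes(hdr[12:16]))        # source address
        hdr[16:20] = anon(bytes(hdr[16:20]))        # destination address
        hdr[10:12] = ipv4_header_checksum(bytes(hdr)).to_bytes(2, "big")
        return bytes(hdr) + pkt[ihl:]
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        hdr = bytearray(pkt[:40])
        hdr[8:24] = anon(bytes(hdr[8:24]))          # source address
        hdr[24:40] = anon(bytes(hdr[24:40]))        # destination address
        return bytes(hdr) + pkt[40:]
    raise ValueError("not an IPv4 or IPv6 packet")


# Address pairs copied from the page's worked example (Crypto-PAn with the
# embodiment's my_key); they stand in for Anon_IP here.
_PAGE_MAPPING: Dict[bytes, bytes] = {
    ipaddress.ip_address(orig).packed: ipaddress.ip_address(anon).packed
    for orig, anon in [
        ("66.9.149.187", "3.241.234.95"),
        ("12.22.207.184", "115.212.176.88"),
        ("66.9.132.6", "3.241.251.249"),
        ("3ffe:2501:200:3::1", "5f99:357e:823f:f8c3:7d8f:700e:ef09:ddee"),
        ("3ffe:2501:200:1fff::2", "5f99:357e:823f:eff0:e00f:ae00:e103:3ee0"),
        ("3ffe:501:8::260:97ff:fe40:efab", "5f99:501:e00c:1dfd:e1b0:8b24:4171:6859"),
    ]
}


def page_anonymizer(addr: bytes) -> bytes:
    """Lookup-table stand-in for Anon_IP covering only the page's addresses."""
    if addr not in _PAGE_MAPPING:
        raise KeyError("address not in the page's worked example")
    return _PAGE_MAPPING[addr]


# The two IPv4 headers from the page (packets 1 and 2).
PKT1 = bytes.fromhex("45000028729a40008006d4a2420995bb0c16cfb8")
PKT2 = bytes.fromhex("45000028729a40008006e657420984060c16cfb8")

# Constructed 40-byte IPv6 header for packet 3: version 6, payload length 0,
# next header 59 (no next header), hop limit 64, then the page's addresses.
PKT3 = (bytes.fromhex("60000000" "0000" "3b" "40")
        + ipaddress.ip_address("3ffe:2501:200:3::1").packed
        + ipaddress.ip_address("3ffe:2501:200:1fff::2").packed)


def anonymize_all(packets: List[bytes]) -> List[bytes]:
    """Run the rewrite over a list of packets with the page's mapping."""
    return [anonymize_packet(p, page_anonymizer) for p in packets]
```

Only the IPv4 header checksum is recalculated, which is what claim 1 c) requires; IPv6 has no header checksum. Note that TCP and UDP checksums cover a pseudo-header containing the source and destination addresses, so after this rewrite they no longer verify; a consumer of the anonymized trace must either recompute them with the same mapping or ignore transport-layer checksum failures.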

Claims (9)

1. a kind of online de-identification method of IP network flow data, the steps include:
1) an anonymization flow table is initialized;
2) for each network packet of acquisition, the source IP address and purpose IP address of the network packet are parsed;
A) the anonymization flow table is searched according to the source IP address, if there is the record of the source IP address, then with the source IP address Flow table index value obtain corresponding anonymization IP address in anonymization flow table as index, and with the anonymization IP address Replace the source IP address of the network packet;Otherwise anonymization is carried out to the source IP address using anonymization algorithm, then with hideing Source IP address after nameization replaces the source IP address in the network packet, and using the source IP address as keyword key, hide Source IP address after nameization forms flow entry and is inserted into the anonymization flow table as key assignments value;
B) the anonymization flow table is searched according to the purpose IP address, if there is the record of the purpose IP address, then with the purpose The flow table index value of IP address obtains corresponding anonymization IP address as index in anonymization flow table, and with the anonymization IP address replaces the purpose IP address of the network packet;Otherwise the purpose IP address is carried out using anonymization algorithm anonymous Change, then replaces the purpose IP address in the network packet with the purpose IP address after anonymization, and with the destination IP Location, as key assignments value, forms flow entry and is inserted into the anonymization flow table as the purpose IP address after keyword key, anonymization In;
C) type for detecting the network packet, the net if it is the data packet of IPv4 type, then after recalculating anonymization The verification of network data packet and;If it is the data packet of IPv6 type, then without verifying and calculating;
D) network packet after anonymization is exported;Detect the utilization rate of the anonymization flow table, if utilization rate reach or When more than given threshold, then current anonymization flow table is deleted, and re-establishes new anonymization flow table.
2. the method as described in claim 1, which is characterized in that the anonymization flow table includes one for saving initial IP record Keyword array AFT_keys, one for saving the flow table value array AFT_values of the IP record after anonymization, a flow table Size field AFT_size, one for recording the field AFT_ for having used flow entry number in AFT_keys or AFT_values A used and flow table utilization rate threshold field AFT_bound.
3. method according to claim 2, which is characterized in that the anonymization flow table further includes for storing the address IPv4 IPv4 subflow Table A FT4 and IPv6 subflow Table A FT6 for storing the address IPv6, and first-class gauge outfit node, it includes pointers AFT_P_4 and AFT_P_6;Wherein, AFT_P_4 pointer is directed toward IPv4 subflow table, and AFT_P_6 pointer is directed toward IPv6 subflow table.
4. method as claimed in claim 3, which is characterized in that with parsing source IP address and the destination IP of the network packet Behind location, address style is judged, if it is the address IPv4, then data search or insertion are carried out to sub- flow table AFT4;If it is IPv6 Address then carries out data search or insertion to sub- flow table AFT6.
5. method as claimed in claim 3, which is characterized in that the method for deleting current anonymization flow table are as follows: distinguish first After discharging the keyword array AFT_keys of the preservation initial IP record of IPv4 subflow table and IPv6 subflow table and saving anonymization IP record the occupied memory headroom of flow table value array AFT_values;Then IPv4 subflow table and IPv6 subflow are deleted Then table deletes subflow list index AFT_P_4 and AFT_P_6, delete flow table head node AFT.
6. method as claimed in claim 3, which is characterized in that the flow entry of composition is inserted into the method in the anonymization flow table Are as follows: it first determines whether to be inserted into IP address type, if the IP address is the address IPv4, subflow table is found according to AFT_P_4 pointer AFT4 is inserted into;If the IP address is the address IPv6, subflow Table A FT6 is found according to AFT_P_6 pointer and is inserted into;So Afterwards using the original ip address that is inserted into as key, the IP address after anonymization calculates the cryptographic Hash of key as value, according to The keyword array AFT_keys and preservation that the cryptographic Hash records the key and value preservation initial IP for being inserted into corresponding subflow table The corresponding position of the flow table value array AFT_values of IP record after anonymization;Conflict is solved using the method for linear probing.
7. method as claimed in claim 3, which is characterized in that the method for searching anonymization flow table are as follows: first determine whether to be found IP address type finds IPv4 subflow table according to AFT_P_4 pointer and is searched if the IP address is the address IPv4;If should IP address is the address IPv6, then finds IPv6 subflow table according to AFT_P_6 pointer and searched;Then IP address to be found is calculated Cryptographic Hash, the keyword array that the preservations initial IP in corresponding subflow table records is searched according to Hash table linear probing method AFT_keys then returns to the IP address in the keyword array AFT_keys of corresponding subflow table if there is the IP address Otherwise index value searches failure.
8. The method of claim 3 or 4, wherein a flow table utilization threshold field AFT_bound is set for each of the IPv4 subflow table and the IPv6 subflow table, the used flow entry count field AFT_used of the IPv4 subflow table and the IPv6 subflow table is initialized to 0, and the flow table size field AFT_size is initialized to an integral power of 2.
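The flow table that claims 5 to 8 describe, as an added example that is not the patent's own code: a head node AFT with an IPv4 and an IPv6 subtable, original and anonymized addresses held as integers in AFT_keys and AFT_values, linear probing on collision, a power-of-two AFT_size and an AFT_bound utilization threshold. The table size, the 0.75 threshold and the addresses used are constructed values.

```python
import ipaddress

# Added example, not the patent's code: the anonymization flow table of claims
# 3 and 5-8. Head node AFT points to an IPv4 and an IPv6 subtable; each keeps
# original IPs in AFT_keys and anonymized IPs in AFT_values, resolves collisions
# by linear probing, has a power-of-two AFT_size, counts AFT_used and refuses
# inserts past the AFT_bound threshold. Sizes and the 0.75 bound are constructed.

class SubFlowTable:
    def __init__(self, size: int = 8, bound: float = 0.75):
        assert size > 0 and size & (size - 1) == 0, "AFT_size must be a power of two"
        self.AFT_size, self.AFT_used, self.AFT_bound = size, 0, bound
        self.AFT_keys, self.AFT_values = [None] * size, [None] * size  # None = empty

    def _slot(self, key: int) -> int:
        return hash(key) & (self.AFT_size - 1)   # power of two: mask, not modulo

    def lookup(self, key: int):
        """Index of key in AFT_keys, or None when the lookup fails (claim 7)."""
        i = self._slot(key)
        for _ in range(self.AFT_size):           # linear probing, at most one lap
            if self.AFT_keys[i] is None:
                return None
            if self.AFT_keys[i] == key:
                return i
            i = (i + 1) & (self.AFT_size - 1)

    def insert(self, key: int, value: int) -> bool:
        """Insert by linear probing (claim 6); False if AFT_bound would be exceeded."""
        if (self.AFT_used + 1) / self.AFT_size > self.AFT_bound:
            return False                         # caller deletes and rebuilds (claim 5)
        i = self._slot(key)
        while self.AFT_keys[i] is not None:
            i = (i + 1) & (self.AFT_size - 1)
        self.AFT_keys[i], self.AFT_values[i] = key, value
        self.AFT_used += 1
        return True

class AnonFlowTable:
    def __init__(self):
        self.AFT_P_4, self.AFT_P_6 = SubFlowTable(), SubFlowTable()

    def insert(self, original: str, anonymized: str) -> bool:
        ip = ipaddress.ip_address(original)
        sub = self.AFT_P_4 if ip.version == 4 else self.AFT_P_6
        return sub.insert(int(ip), int(ipaddress.ip_address(anonymized)))

    def lookup(self, original: str):
        ip = ipaddress.ip_address(original)
        sub = self.AFT_P_4 if ip.version == 4 else self.AFT_P_6
        idx = sub.lookup(int(ip))
        return None if idx is None else str(type(ip)(sub.AFT_values[idx]))
```

As in the claimed method, the caller looks an address up first and inserts only on a miss; a refused insert is the signal to delete and rebuild the table.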
9. The method of any one of claims 1 to 5, wherein the destination IP address is anonymized with an anonymization algorithm as follows: for IPv4 network packets, the Crypto-PAn anonymization algorithm is used; for IPv6 network packets, the Crypto-PAn6 algorithm is used. Crypto-PAn6 is an extension of the Crypto-PAn algorithm, obtained as follows: the 32-bit integer types in the Crypto-PAn algorithm are modified so that it supports IPv6 addresses; and the iteration count of the loop in Crypto-PAn that encrypts the IP address bit by bit is modified so that it covers every bit of the IPv6 address.
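The Crypto-PAn6 extension of claim 9, as an added example that is not the patent's or the Crypto-PAn project's code: one bit-by-bit prefix-preserving routine whose integer width and loop count both follow the address family (32 or 128 bits). It assumes HMAC-SHA256 in place of Crypto-PAn's AES as the pseudo-random function, so it runs with the standard library alone, and a constructed demo key; shared_prefix_len is a helper for checking the prefix-preserving property.

```python
import hashlib
import hmac
import ipaddress

# Added example, not the patent's or Crypto-PAn's own code. It shows the
# prefix-preserving bit-by-bit scheme generalised from 32 to 128 bits in the
# way claim 9 describes: the integer width and the loop count both follow the
# address family. Crypto-PAn's PRF is AES; HMAC-SHA256 from the standard
# library stands in for it here (an assumption, so the example runs offline).

DEMO_KEY = b"constructed demo key, not a real secret"  # constructed value


def _prf_bit(key: bytes, addr: int, i: int, n: int) -> int:
    """One pseudo-random bit that depends only on the top i bits of addr.
    The remaining n - i bits are zeroed (the role Crypto-PAn's padding plays),
    which is exactly what makes the output prefix-preserving."""
    masked = (addr >> (n - i)) << (n - i)
    msg = masked.to_bytes(n // 8, "big") + bytes([i])
    return hmac.new(key, msg, hashlib.sha256).digest()[0] >> 7


def anonymize(addr: str, key: bytes = DEMO_KEY) -> str:
    """Prefix-preserving anonymization of an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    n = ip.max_prefixlen            # 32 for IPv4, 128 for IPv6: the loop count
    x, out = int(ip), 0
    for i in range(n):              # bit i is flipped by a PRF of bits 0..i-1
        bit = (x >> (n - 1 - i)) & 1
        out = (out << 1) | (bit ^ _prf_bit(key, x, i, n))
    return str(type(ip)(out))       # keep the family; a bare int would misclassify IPv6


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two same-family addresses have in common."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    diff = int(ia) ^ int(ib)
    return ia.max_prefixlen - diff.bit_length()
```

Because bit i of the output depends on the input bits 0..i-1 only through the PRF, two inputs that agree on their first k bits produce outputs that agree on exactly their first k bits, in both families.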
CN201610104441.5A 2016-02-25 2016-02-25 A kind of online de-identification method of IP network flow data Active CN105721627B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610104441.5A CN105721627B (en) 2016-02-25 2016-02-25 A kind of online de-identification method of IP network flow data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610104441.5A CN105721627B (en) 2016-02-25 2016-02-25 A kind of online de-identification method of IP network flow data

Publications (2)

Publication Number Publication Date
CN105721627A CN105721627A (en) 2016-06-29
CN105721627B true CN105721627B (en) 2018-12-11

Family

ID=56157074

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610104441.5A Active CN105721627B (en) 2016-02-25 2016-02-25 A kind of online de-identification method of IP network flow data

Country Status (1)

Country Link
CN (1) CN105721627B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108337172B (en) * 2018-01-30 2020-09-29 长沙理工大学 Large-scale OpenFlow flow table accelerated searching method
CN113452674B (en) * 2021-05-21 2024-05-07 南京逸智网络空间技术创新研究院有限公司 Galois field-based flow log multi-view anonymization method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103500191A (en) * 2013-09-17 2014-01-08 华为技术有限公司 Flow table configuration, query and table item deleting method and device
CN104168265A (en) * 2014-07-16 2014-11-26 南京邮电大学 Distributed hash table network-based anonymous communication method
CN104601583A (en) * 2015-01-21 2015-05-06 国家计算机网络与信息安全管理中心 Online real-time anonymization system and method for IP stream data
CN105141641A (en) * 2015-10-14 2015-12-09 武汉大学 Chaos moving target defense method based on SDN and system thereof
CN105357128A (en) * 2015-10-30 2016-02-24 迈普通信技术股份有限公司 Stream table creating and querying method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020194378A1 (en) * 2001-04-05 2002-12-19 George Foti System and method of hiding an internet protocol (IP) address of an IP terminal during a multimedia session

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
An efficient OpenFlow flow table storage and lookup implementation method; E Yuepeng et al.; Scientia Sinica Informationis (中国科学:信息科学); 2015-10-20; vol. 45, no. 10; pp. 1280-1288 *

Also Published As

Publication number Publication date
CN105721627A (en) 2016-06-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant