CN105827634A - Safe routing switching method and system, and optimization judgment method of safe routing switching - Google Patents

Publication number: CN105827634A (application CN201610302385.6A; granted version CN105827634B)
Authority: CN (China)
Prior art keywords: triple, feature, exchange device, packet, address
Legal status: granted, currently active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 徐恪, 赵玉东, 吴建平, 沈蒙, 陈文龙
Current and original assignee: Tsinghua University (as listed by Google Patents)
Events: application filed by Tsinghua University; priority to CN201610302385.6A; publication of CN105827634A; application granted; publication of CN105827634B


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 45/00: Routing or path finding of packets in data switching networks
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1475: Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored

Abstract

The invention discloses a secure routing and switching method and system, and an optimized decision method for secure routing and switching. The method comprises the following steps: collecting the first feature triple of every packet before it enters the routing/switching device; collecting the second feature triple of every packet the routing/switching device sends out; searching the set of first feature triples for one that matches the second feature triple; if a match is found and the device is a border routing/switching device forwarding the packet to an external network, auditing whether the destination IP address agrees with the direction of the output interface; if no match is found and the source IP address in the second feature triple is not the routing/switching device itself, forbidding output of the packet; and if no match is found and the source IP address in the second feature triple is the routing/switching device itself, auditing whether the device has the right to send packets to the device at the destination IP address. The method and system offer very strong protection against traffic sniffing attacks.

Description

Secure routing and switching method, system, and optimized decision method
Technical field
The invention belongs to the field of network security, and specifically relates to a secure routing and switching method, a secure routing and switching system, and an optimized decision method.
Background
For many years, attacks that exploit vulnerabilities in routing devices to eavesdrop on user data in the core network have seriously threatened the security of network subscriber information, and users and network operators have in the past underestimated the harm of this kind of attack. The exposure of the PRISM programme in June 2013 showed that the project could obtain the traffic of hundreds of thousands of computers by directly attacking large-scale routing devices on the Internet, underlining the importance of improving the security of information transmission in the core network.
Judging from the documents exposed about PRISM, security vulnerabilities in routing/switching devices are the intrinsic cause of information leakage in the core network. An attacker exploits a vulnerability to remotely control a routing/switching device. When a packet that Alice sends to Bob passes through the vulnerable device R shown in Fig. 1, the original packet continues along the normal route (the black bold curve), but R backs up the packet content and uses an abnormal routing/switching behaviour to send the backup to the attacker Eve. The transmission modes are: 1. forging a new message, rewriting the backup packet's destination IP address to Eve's address; 2. tampering with the backup packet's content, which does not directly help the attacker receive the backup but may be used to evade the operator's identification of eavesdropped packets; 3. using a wrong output interface, so that the backup packet leaves the device along the wrong link (3); when R is the edge device linking Eve to the core network, this behaviour also leaks user information.
Traffic-eavesdropping attacks that exploit vulnerabilities are not only low in cost and high in harm; they are also persistent, covert and one-sided. Persistence: not only do device users find it hard to discover the vulnerability, but, limited by the skill of the development staff and the quality of the code, the device vendor itself also finds it hard to eradicate it. Covertness: the three abnormal routing/switching behaviours in Fig. 1 closely resemble normal routing/switching behaviour, and the network operator finds it hard to tell them apart. One-sidedness: the attacker alone knows the device vulnerability, so the ability of the two sides of the network confrontation to exploit vulnerabilities is seriously unbalanced. These characteristics mean that attacks that exploit vulnerabilities to eavesdrop on user information are hard for users and operators to identify and constrain, and that there is still no complete, general and implementable solution for a theoretically secure TCP/IP network.
Summary of the invention
The invention aims to stop the three kinds of abnormal packets described above from leaving the network device.
To this end, the first object of the invention is to propose a secure routing and switching method.
The second object of the invention is to propose a secure routing and switching system.
The third object of the invention is to optimize the abnormal-packet decision method, increasing the working efficiency of the secure routing and switching system.
To achieve these objects, an embodiment of the invention discloses a secure routing and switching method comprising the following steps. A: collect the first feature triple of every packet before it enters the routing/switching device, the first feature triple consisting of the first source IP address, the first destination IP address and the first payload. B: collect the second feature triple of every packet sent out by the routing/switching device, the second feature triple consisting of the second source IP address, the second destination IP address and the second payload, and search the set of first feature triples for one that matches the second feature triple; if a match is found, go to step C. C: when the routing/switching device is not a border routing/switching device, forward the packet, a border device being a routing/switching device connected to an external network; when the device is a border routing/switching device forwarding the packet to an external network, audit whether the second destination IP address agrees with the direction of the output interface, forwarding the packet if it does and refusing to forward it if it does not. If no match is found, go to step D. D: when the source IP address in the second feature triple is not the routing/switching device itself, forbid the packet from leaving the device; when the source IP address in the second feature triple is the device itself, audit whether the device has the right to send packets to the device at the destination IP address in the second feature triple, forwarding the packet if it does and refusing to forward it if it does not.
To achieve these objects, an embodiment of the invention discloses a secure routing and switching detection system comprising: an information acquisition module, arranged at the information entry front end and the information exit rear end of the routing/switching system, which obtains the first feature triples input to the routing/switching device and the second feature triples output from it and sends both to the decision module, where the first feature triple consists of the first source IP address, the first destination IP address and the first payload, and the second feature triple consists of the second source IP address, the second destination IP address and the second payload; an information matching module, which matches the first and second feature triples and sends the matching result to the decision module; and a decision module, which decides according to the matching result whether to forward the packet.
The invention has the advantage of strong protection against traffic-eavesdropping attacks: while passing 100% of legitimate packets, it identifies and constrains more than 99.92% of eavesdropping packets, and its detection performance meets the demands of current networks.
In addition, the secure routing and switching system according to the above embodiment of the invention may have the following additional technical features:
Further, the system also includes a border routing/switching device judgement module for judging whether the routing/switching device is a border device, a border device being a routing/switching device connected to an external network; the decision module's deciding according to the matching result whether to forward the packet then further comprises: if the matching result is that the second feature triple finds a match in the set of first feature triples, forward the packet when the device is not a border device; when the device is a border device forwarding the packet to an external network, audit whether the second destination IP address agrees with the direction of the output interface, forwarding the packet if it does and refusing to forward it if it does not;
if the matching result is that the second feature triple finds no match in the set of first feature triples, refuse to forward the packet when the output packet's source IP address is not the routing/switching device itself; when the output packet's source IP address is the device itself, audit whether the device has the right to send the packet to the device at the destination IP address in the second feature triple, forwarding the packet if it does and refusing to forward it if it does not.
To achieve these objects, an embodiment of the invention discloses an optimized decision method for secure routing and switching, which comprises the secure routing and switching detection system above plus a first packet input log, the method comprising the following steps: in the initial state, the whole first packet input log is set to 0; obtain the first feature triple, compute the first digest of the input first feature triple with a preset hash algorithm, take a first preset position and first preset length of that digest as the first digest result, and set the position of the first packet input log corresponding to the digest result to 1; obtain the second feature triple, compute the second digest of the input second feature triple with the same preset hash algorithm, and take the same first preset position and first preset length of the second digest as the second digest result; look up the state of the position in the first packet input log corresponding to the second digest result: if it is 1, the input source of the output packet is found; otherwise the output packet is judged to be passive.
The optimized decision method for secure routing and switching according to embodiments of the invention greatly improves the efficiency and accuracy of the secure routing system.
In addition, the optimized decision method for secure routing and switching according to the above embodiment of the invention may have the following additional technical features:
Further, the first packet input log is reset and restarted every 2ρ, where ρ is the update cycle of the input log and ρ is greater than the lifetime of the first and second feature triples inside the routing/switching device.
Further, the method also includes a second packet input log that records data synchronously with the first packet input log; the first and second packet input logs are reset and restarted at time points 2iρ and (2i+1)ρ respectively, where i is 0 or a positive integer, and if the corresponding positions in both the first and second packet input logs are 0, the second feature triple is judged to have no match among the first feature triples.
Additional aspects and advantages of the invention will be set out in part in the following description, will in part become apparent from it, or will be learned by practising the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of embodiments taken together with the drawings, in which:
Fig. 1 is a schematic diagram of the main means of traffic eavesdropping attacks in the prior art.
Fig. 2 is the routing/switching paradigm detection flowchart of one embodiment of the invention.
Fig. 3 is the paradigm device model structure diagram of one embodiment of the invention.
Fig. 4 is the output-packet paradigm detection model structure diagram of one embodiment of the invention.
Fig. 5 is the input/output packet feature-code fast matching algorithm diagram of one embodiment of the invention.
Fig. 6 shows the number of 20 simulated eavesdropping packets detected by the paradigm in one embodiment of the invention.
Fig. 7 shows the paradigm detection cycle corresponding to packets of different lengths in one embodiment of the invention.
Detailed description of the invention
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, where the same or similar reference labels denote the same or similar elements or elements having the same or similar function. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
In the description of the invention it should be understood that the orientation or positional relationships indicated by terms such as "center", "longitudinal", "lateral", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings, are used only to ease and simplify the description, and do not indicate or imply that the devices or elements referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be construed as limiting the invention. Furthermore, the terms "first" and "second" are used only for descriptive purposes and are not to be understood as indicating or implying relative importance.
In the description of the invention it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; mechanical or electrical; direct, indirect through an intermediary, or internal between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the invention according to the specific circumstances.
These and other aspects of embodiments of the invention will be clear with reference to the following description and the drawings. The description and drawings specifically disclose some particular implementations of embodiments of the invention, representing some ways of putting the principles of the embodiments into practice, but it is to be understood that the scope of the embodiments is not limited thereto. On the contrary, the embodiments of the invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.
The secure routing and switching method, the secure routing and switching system and the optimized decision method according to embodiments of the invention are described below with reference to the drawings.
A secure routing and switching method, characterised in that it comprises the following steps:
A: collect the first feature triple of each packet before it enters the routing/switching device, the first feature triple consisting of the first source IP address, the first destination IP address and the first payload;
B: collect the second feature triple of each packet sent out by the routing/switching device, the second feature triple consisting of the second source IP address, the second destination IP address and the second payload, and search the set of first feature triples for one that matches the second feature triple;
if a match is found, go to step C;
C: when the routing/switching device is not a border routing/switching device, forward the packet, a border device being a routing/switching device connected to an external network;
when the routing/switching device is a border routing/switching device forwarding the packet to an external network, audit whether the second destination IP address agrees with the direction of the output interface:
if it does, forward the packet;
if it does not, refuse to forward the packet;
if no match is found, go to step D;
D: when the source IP address in the second feature triple is not the routing/switching device itself, forbid the packet from leaving the routing/switching device;
when the source IP address in the second feature triple is the routing/switching device itself, audit whether the device has the right to send packets to the device at the destination IP address in the second feature triple:
if it has the right, forward the packet;
if it does not, refuse to forward the packet.
A secure routing and switching detection system, comprising:
an information acquisition module, arranged at the information entry front end and the information exit rear end of the routing/switching system, which obtains by bypass the first feature triples input to the routing/switching device and the second feature triples output from it and sends both to the decision module, where the first feature triple consists of the first source IP address, the first destination IP address and the first payload, and the second feature triple consists of the second source IP address, the second destination IP address and the second payload;
an information matching module, which matches the first and second feature triples and sends the matching result to the decision module; and
a decision module, which decides according to the matching result whether to forward the packet.
In one embodiment of the invention the secure routing and switching detection system also includes a border routing/switching device judgement module. The judgement module judges whether the routing/switching device is a border device, a border device being a routing/switching device directly connected to an external network; deciding according to the matching result whether to forward the packet then further comprises:
if the matching result is that the second feature triple finds a match in the set of first feature triples: when the routing/switching device is not a border device, forward the packet; when the device is a border device forwarding the packet to an external network, audit whether the second destination IP address agrees with the direction of the output interface:
if it does, forward the packet;
if it does not, refuse to forward the packet;
if the matching result is that the second feature triple finds no match in the set of first feature triples: when the output packet's source IP address is not the routing/switching device itself, refuse to forward the packet; when the output packet's source IP address is the device itself, audit whether the device has the right to send the packet to the device at the destination IP address in the second feature triple:
if it has the right, forward the packet;
if it does not, refuse to forward the packet.
An optimized decision method for secure routing and switching, comprising the secure routing and switching detection system above plus a first packet input log, the method comprising the following steps:
in the initial state, the whole first packet input log is set to 0;
obtain the first feature triple, compute the first digest of the input first feature triple with a preset hash algorithm, take a first preset position and first preset length of the digest as the first digest result, and set the position of the first packet input log corresponding to that digest result to 1;
obtain the second feature triple, compute the second digest of the input second feature triple with the same preset hash algorithm, and take the same first preset position and first preset length of the second digest as the second digest result;
look up the state of the position in the first packet input log corresponding to the second digest result: if it is 1, the input source of the output packet is found; otherwise the output packet is judged to be passive.
In one embodiment of the invention the first packet input log is reset and restarted every 2ρ, where ρ is the update cycle of the input log and ρ is greater than the lifetime of the first and second feature triples inside the routing/switching device.
In one embodiment of the invention the optimized decision method also includes a second packet input log that records data synchronously with the first packet input log; the first and second packet input logs are reset and restarted at time points 2iρ and (2i+1)ρ respectively, where i is 0 or a positive integer:
if the corresponding positions in both the first and second packet input logs are 0, the second feature triple is judged to have no match in the set of first feature triples.
For making it is further understood that the present invention, will be described in detail by following example.
Step 1: a secure routing/switching paradigm against traffic eavesdropping attacks
Step 1.1: design of the secure routing/switching paradigm
The paradigm proposed by the invention consists of three routing/switching packet output rules, used to identify abnormal device behaviour. The rules are:
Rule 1 (R1): for a packet that encapsulates a payload and whose source IP address is not the routing device itself, the feature triple <source IP address, destination IP address, payload> is the matching feature, and the output packet must be active, i.e. it must have a matching input packet;
Rule 2 (R2): by default the routing device is not allowed to send self-originated packets to client hosts; if it really must send one, the packet must pass an access-rights audit;
Rule 3 (R3): when a border routing device forwards a packet directly to an external network, the packet's destination IP address must agree with the direction of the output interface.
As one of the key supporting technologies of the 863 project "address-driven network key technology and verification", the security completeness of the paradigm system proposed by the invention against traffic eavesdropping attacks has been strictly proved.
Step 1.2: routing/switching paradigm detection flow
As shown in Fig. 2, the routing/switching paradigm detection flow consists of two modules: collection of input packet triple features, and paradigm detection of packet output behaviour results.
Step 1.2.1: the feature collection module judges whether each packet flowing into the routing device R under examination carries a payload; for those that do, it extracts the <source IP address, destination IP address, payload> triple and enters it into the input packet feature triple database.
Step 1.2.2: the packet output behaviour paradigm detection module collects the feature triple of each output packet and searches the input database for an input source with matching features. For an active output, if R is a border device and the output interface points to an end system, the detection system judges whether the device's service behaviour meets the paradigm by checking that the address prefix of that end system is consistent with the packet's destination IP address. For a passive packet, the only feasible scenario is that the routing device is sending data to an end system, and the detection system judges whether the behaviour meets the paradigm by checking whether that end system is an object the device is authorized to access.
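The decision procedure of steps A to D and rules R1 to R3, as an added Python example that is not part of the patent. It extracts the feature triple from a constructed minimal IPv4 packet (only packets carrying a payload are recorded, as in step 1.2.1), matches output triples exactly against the recorded input set, and then applies R3 (destination must fall in the prefix the output interface points to, on a border device) and R2 (self-originated packets only to hosts in an assumed authorization set). The device address, the interface prefixes and the authorization set are assumptions for the demonstration; the digest-table lookup of step 4.2 is a separate optimization of the exact match used here.

```python
"""Decision logic of steps A-D / rules R1-R3 for one routing/switching device.

Added example, not the patent's code. Packet bytes, addresses, interface
prefixes and the authorization set are constructed for the demonstration.
"""
import ipaddress
import struct
from typing import Optional, Set, Tuple

Triple = Tuple[str, str, bytes]  # (source IP, destination IP, payload)


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (protocol 17, header checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def extract_triple(raw: bytes) -> Optional[Triple]:
    """Step 1.2.1: return <src, dst, payload> for an IPv4 packet, None if it has no payload."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    payload = raw[ihl:total_len]
    if not payload:
        return None  # payload-less packets are not entered into the input database
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    return (src, dst, payload)


def audit_output(triple: Triple, inputs: Set[Triple], device_ip: str, is_border: bool,
                 out_prefix: Optional[ipaddress.IPv4Network], authorized: Set[str]) -> str:
    """Return 'forward' or 'refuse' for one output packet.

    out_prefix is the end-system prefix the output interface points to, or None
    when the interface leads back into the core network (then R3 does not apply).
    """
    src, dst, _ = triple
    if triple in inputs:
        # Steps B/C: the output is active (it has an input source), so R1 holds.
        if not is_border or out_prefix is None:
            return "forward"
        # R3: a border device forwarding to the external network must emit the
        # packet on the interface whose prefix contains the destination.
        return "forward" if ipaddress.IPv4Address(dst) in out_prefix else "refuse"
    # Step D: passive output, i.e. no matching input triple.
    if src != device_ip:
        return "refuse"  # R1: a relayed payload with no input source must not leave the device
    # R2: a self-originated packet may only go to hosts the device is authorized to reach.
    return "forward" if dst in authorized else "refuse"


def run_scenario() -> dict:
    """Replay the three abnormal output modes of Fig. 1 beside a normal forward (constructed)."""
    device, alice, bob, eve = "10.0.0.1", "192.0.2.10", "198.51.100.20", "203.0.113.30"
    inputs: Set[Triple] = set()
    for pkt in (build_ipv4(alice, bob, b"hello bob"), build_ipv4(alice, bob, b"")):
        triple = extract_triple(pkt)
        if triple is not None:
            inputs.add(triple)
    bob_prefix = ipaddress.ip_network("198.51.100.0/24")  # interface towards Bob (assumed)
    eve_prefix = ipaddress.ip_network("203.0.113.0/24")   # interface towards Eve (assumed)
    authorized = {bob}  # hosts the device may send self-originated packets to (assumed)

    def check(pkt: bytes, out_prefix: ipaddress.IPv4Network) -> str:
        return audit_output(extract_triple(pkt), inputs, device, True, out_prefix, authorized)

    return {
        "recorded_inputs": len(inputs),
        "normal": check(build_ipv4(alice, bob, b"hello bob"), bob_prefix),
        "rewritten_destination": check(build_ipv4(alice, eve, b"hello bob"), eve_prefix),
        "tampered_payload": check(build_ipv4(alice, bob, b"hello bob!"), bob_prefix),
        "wrong_interface": check(build_ipv4(alice, bob, b"hello bob"), eve_prefix),
        "device_to_authorized": check(build_ipv4(device, bob, b"probe"), bob_prefix),
        "device_to_unauthorized": check(build_ipv4(device, eve, b"probe"), eve_prefix),
    }
```

Each of the three modes in Fig. 1 fails a different check: a rewritten destination or a tampered payload changes the triple, so the exact match fails and R1 refuses it; the same triple sent out of the interface towards the wrong prefix passes the match but fails R3 on a border device.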
Step 2: paradigm device model
Step 2.1: structure of the paradigm device model
As shown in Fig. 3, a paradigm device is composed of a traditional routing/switching device and a paradigm detection system connected in series; the detection system mainly comprises an information acquisition module and a packet output decision module.
Step 2.2: information acquisition module
The information acquisition module consists of a bypass link placed in front of the traditional routing/switching device; it obtains, by bypass, the feature triples of the packets entering the traditional device and passes them to the decision module.
Step 2.3: paradigm detection system
The paradigm detection system consists of a chip designed according to the routing/switching paradigm detection flow and memory that stores the input packet feature triple database. It extracts the feature triple of each output packet, searches the input packet feature triple database for a match, judges whether the packet output behaviour meets the paradigm, and at the same time forbids packets that violate the paradigm from leaving the device.
Step 3: output-packet paradigm detection model
Step 3.1: structure of the output-packet paradigm detection model
As shown in Fig. 4, the output-packet paradigm detection model consists of an information acquisition module and a packet output detection module.
Step 3.2: information acquisition module
The information acquisition module is made up of all "neighbour" routing/switching devices of the target device R, which send every packet entering or leaving R to the server by bypass.
Step 3.3: packet output detection module
The packet output detection module consists of a server with the routing/switching paradigm detection function. The server sits behind the traditional routing device and is directly connected to the bypass links of all neighbour devices of R that make up the information acquisition module.
The module first records the input packets that the information acquisition module delivered to R, then checks whether each output packet follows the paradigm, and thereby judges whether the paradigm detection system inside the paradigm device meets its design requirement.
Step 3.4: other applications of the output-packet paradigm detection model
Once packets violating the paradigm have been identified, the server in the detection module can record the eavesdropping packets, perceive the attack immediately, verify which user traffic content the attacker intended to eavesdrop on, and at the same time locate the attacker's receiving host.
Step 4: normal form equipment Inspection efficiency optimization
Step 4.1: the necessity of normal form equipment Inspection efficiency optimization
Compare legacy equipment, normal form equipment inevitably increases extra storage, calculating and communication overhead, table one lists the expense of three rules, wherein input and output grouping feature code Rapid matching takies higher storage, calculating and communication overhead, normal form equipment Inspection efficiency may be had a strong impact on, other expense is the most negligible, it is therefore necessary to design Fast Match Algorithm.
Step 4.2: A fast matching algorithm implemented by table lookup on digest results
As shown in Fig. 5, the paradigm detection system maintains a packet input record table, table1, of fixed length; in the initial state the whole table is set to 0. For each input packet the system computes the digest I-digest of the input feature triple with a fixed hash algorithm, takes a fixed position and length of that digest (for example the 30 bits from the 65th to the 94th) as the digest result I-digest-result, and sets the position of table1 corresponding to I-digest-result to 1. For each output packet the system likewise computes and extracts the output-triple digest result O-digest-result and looks up the state of the corresponding position in table1: if that position is 1, the input source of the output packet has been found; otherwise the output packet is judged to have no matching input.
As the number of input packets grows, the weight of table1 (the number of positions set to 1) keeps increasing, which may increase the false negatives of the paradigm detection result (an attack packet judged legitimate because its digest happens to match a set position). table1 is therefore reset and restarted every 2ρ, where ρ is the update period of the input record table; ρ is required to be no shorter than the lifetime τ of a packet inside the device.
To prevent the most recent legitimate packets from being misjudged as illegal while table1 is being reset, the system maintains a second packet input record table, table2 (Fig. 5). table1 and table2 are reset and restarted at time nodes 2i×ρ and (2i+1)×ρ respectively (i = 0, 1, 2, ...). Only if the positions corresponding to the output packet's digest result are 0 in both tables is the packet judged to have no matching input.
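The two-table scheme of step 4.2 (restated in claims 4 to 6) as a runnable model. This is an added example, not code from the patent: the 30-bit digest window (bits 65 to 94 of an MD5 digest) follows the text, while the serialisation of the feature triple, the class and method names and the sample packets are this example's own assumptions.

```python
"""Added example, not code from the patent: a model of the fast matching
algorithm of step 4.2 with the two staggered packet input record tables.
The 30-bit digest window (bits 65..94 of an MD5 digest) follows the text;
the triple serialisation, the names and the sample packets are assumptions."""
import hashlib
import ipaddress

DIGEST_BIT_OFFSET = 64  # the page's "65th bit", counted from 1, is offset 64 from 0


def triple_digest_index(src_ip, dst_ip, payload, nbits=30):
    """Return the nbits-bit window of MD5(feature triple) used as a table index.

    Serialisation is an assumption of this example: each field is
    length-prefixed so the (src, dst, payload) boundaries cannot be shifted.
    """
    if DIGEST_BIT_OFFSET + nbits > 128:
        raise ValueError("digest window exceeds the 128-bit MD5 output")
    data = b""
    for field in (ipaddress.ip_address(src_ip).packed,
                  ipaddress.ip_address(dst_ip).packed, payload):
        data += len(field).to_bytes(2, "big") + field
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    shift = 128 - DIGEST_BIT_OFFSET - nbits      # bits 65..94 counted from the top
    return (digest >> shift) & ((1 << nbits) - 1)


class ParadigmMatcher:
    """Two packet input record tables: table[0] is reset at times 2i*rho and
    table[1] at (2i+1)*rho.  With rho >= tau (packet lifetime in the device)
    an input recorded in epoch i is still present in at least one table when
    its output is checked in epoch i or i+1, so no false positive arises."""

    def __init__(self, rho, nbits=30):
        if nbits < 3:
            raise ValueError("nbits must be at least 3")
        self.rho = float(rho)
        self.nbits = nbits
        self.tables = [bytearray(1 << (nbits - 3)) for _ in range(2)]
        self.epoch = 0  # floor(now / rho) at the most recent call

    def _advance(self, now):
        """Apply every reset whose time lies in (last epoch, current epoch]."""
        epoch = int(now // self.rho)
        if epoch - self.epoch >= 2:          # both reset points have passed
            self.tables = [bytearray(len(t)) for t in self.tables]
        elif epoch - self.epoch == 1:        # exactly one table is due for reset
            self.tables[epoch % 2] = bytearray(len(self.tables[epoch % 2]))
        self.epoch = max(self.epoch, epoch)

    def record_input(self, src_ip, dst_ip, payload, now):
        """Set the I-digest-result position in both tables (they record synchronously)."""
        self._advance(now)
        i = triple_digest_index(src_ip, dst_ip, payload, self.nbits)
        for t in self.tables:
            t[i >> 3] |= 1 << (i & 7)

    def check_output(self, src_ip, dst_ip, payload, now):
        """True if the O-digest-result position is 1 in at least one table,
        i.e. an input source exists; False means the output has no matching input."""
        self._advance(now)
        i = triple_digest_index(src_ip, dst_ip, payload, self.nbits)
        return any((t[i >> 3] >> (i & 7)) & 1 for t in self.tables)


if __name__ == "__main__":
    # Constructed sample traffic; a 2^20-position table keeps memory small.
    m = ParadigmMatcher(rho=1.0, nbits=20)
    m.record_input("10.0.0.1", "10.0.0.2", b"GET / HTTP/1.1", now=0.9)
    print("legit copy in next epoch :", m.check_output("10.0.0.1", "10.0.0.2", b"GET / HTTP/1.1", now=1.8))
    print("dst tampered (eavesdrop) :", m.check_output("10.0.0.1", "10.0.0.9", b"GET / HTTP/1.1", now=1.8))
    print("after both tables reset  :", m.check_output("10.0.0.1", "10.0.0.2", b"GET / HTTP/1.1", now=2.5))
```

The record at 0.9 falls in epoch 0; at 1.8 (epoch 1) table2 has been cleared but table1 still holds the bit, so the legitimate output matches, while the copy with a tampered destination hashes elsewhere and fails. By 2.5 both reset points have passed and the entry has expired, which is why ρ must cover the packet lifetime in the device.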
Step 5: Characteristic analysis of the paradigm device model and paradigm detection model
Step 5.1: Generality of the model
The paradigm device model and detection model designed by the present invention consist of a traditional routing/switching device and a paradigm detection system connected in series. The paradigm detection system does not directly interfere with the route switching behaviour of the legacy device; it only performs paradigm detection on the results of that behaviour. The paradigm device model and paradigm detection model are therefore applicable to TCP/IP networks in general.
Step 5.2: Designability of the model
The paradigm detection system proposed by the present invention consists of three packet output rules, all of which can be designed and implemented under current technical conditions.
Because the paradigm detection system is independent of the legacy device, a network operator can order the legacy device and the paradigm detection system from different manufacturers. Moreover, the detection model is simple in structure and the detection process requires no network interaction, which favours the design of a highly trustworthy detection system.
Step 5.3: Security completeness of the model against traffic eavesdropping attacks
The security completeness of the proposed paradigm system against traffic eavesdropping attacks is strictly proven: because a normal packet and an eavesdropping packet differ in their feature triples, the proposed paradigm system can distinguish the two exactly. Note that, to improve detection efficiency, step 4 designs a fast matching algorithm based on digest-table lookup, which may cause a normal packet to be judged as violating the rules (false positive) or an attack packet to be judged as satisfying the rules (false negative); this is evaluated in step 6.
Step 6: Functional assessment of the paradigm device
Step 6.1: Theoretical analysis
Step 6.1.1: False positive analysis
For any input packet, let its input time be IT and its output time OT, and let ρ_i = [ρ×i, ρ×(i+1)); then there exists i (i = 0, 1, 2, ...) such that IT ∈ ρ_i. From ρ ≥ τ it follows that OT ∈ (IT, IT+ρ], so either OT ∈ ρ_i or OT ∈ ρ_{i+1}. Hence at any instant at least one of table1 and table2 still records the digest result of this packet's feature triple, i.e. the probability that the system makes a false positive judgement on a normal packet is 0.
Step 6.1.2: False negative analysis
The factors affecting false negatives in the paradigm detection result are the device throughput Output, the update period ρ of the packet input record table and its size Hsize. When Output = 10 Gbps and ρ = 0.5 s, the number of input packets recorded in the two digest tables after de-duplication reaches its maximum.
Because the digest update process of input packets follows a 0-1 distribution (each digest position is set independently), the expected number of positions whose digest result is 1 in at least one of the two tables can be computed.
The maximum probability that an arbitrary output packet is verified through a coincidental match is therefore 833010/1G = 0.07758% (1G = 2^30 positions, the range of the 30-bit digest result), i.e. the maximum probability that the detection system makes a false negative judgement on an attack packet is below 0.07758%, and the correct detection rate of the paradigm detection system for attack packets is no less than 99.92%. The number of packets judged false negative is then 0.07758% × 833010 ≈ 647.
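The bound of step 6.1.2 carried through as a calculation, as an added example rather than the patent's own derivation. Its assumptions: n input digests land on uniformly random, independent positions of an m = 2^30 bit table (the page's 0-1 distribution), so the expected number of set positions is m·(1 − (1 − 1/m)^n), the standard bitmap fill expectation, which reproduces the page's 833,010; a false negative is an attack digest landing on a set position; and the page's 833,333 packets are read as 10 Gbps over a 2ρ = 1 s window at 1500-byte packets (one reading of the text, not stated in it). The Monte Carlo check runs on a small table so it finishes quickly.

```python
"""Added example, not from the patent: the false-negative bound of step 6.1.2.
Assumptions: independent uniform digest positions in an m = 2^nbits bit table,
E[set positions] = m * (1 - (1 - 1/m)^n); a false negative is an attack digest
hitting a set position; 833,333 packets = 10 Gbps over 2*rho = 1 s at 1500 B."""
import math
import random


def max_packets_per_window(throughput_bps, window_s, packet_bytes):
    """Packets that can enter the device in window_s seconds at full throughput."""
    return int(throughput_bps * window_s) // (packet_bytes * 8)


def expected_set_bits(n_packets, nbits=30):
    """E[number of table positions equal to 1] after n independent insertions."""
    m = 1 << nbits
    # m * (1 - (1 - 1/m)**n), evaluated without cancellation for large m
    return -m * math.expm1(n_packets * math.log1p(-1.0 / m))


def false_negative_probability(n_packets, nbits=30):
    """Probability that an unrelated (attack) digest hits a set position."""
    return expected_set_bits(n_packets, nbits) / (1 << nbits)


def expected_false_negatives(attack_packets, n_packets, nbits=30):
    """Attack packets expected to slip through by coincidental match."""
    return attack_packets * false_negative_probability(n_packets, nbits)


def simulate_false_negative_rate(n_packets, nbits, probes, seed=1):
    """Monte Carlo check of the closed form on a small table: fill it with
    n_packets random digests, then probe it with digests of unrelated triples
    (constructed here as random indices) and count coincidental hits."""
    rng = random.Random(seed)
    table = bytearray(1 << (nbits - 3))
    for _ in range(n_packets):
        i = rng.getrandbits(nbits)
        table[i >> 3] |= 1 << (i & 7)
    hits = 0
    for _ in range(probes):
        i = rng.getrandbits(nbits)
        hits += (table[i >> 3] >> (i & 7)) & 1
    return hits / probes


if __name__ == "__main__":
    n = max_packets_per_window(10e9, 1.0, 1500)
    print("max input packets   :", n)
    print("expected set bits   :", round(expected_set_bits(n)))
    print("false negative prob :", f"{false_negative_probability(n):.4%}")
    print("expected misses     :", round(expected_false_negatives(n, n)))
    print("simulated on 2^20   :", simulate_false_negative_rate(8000, 20, 100_000),
          "vs closed form", round(false_negative_probability(8000, 20), 5))
```

The closed form is what makes the page's 833,010 (not 833,333) set positions and the 0.07758% figure consistent: 323 of the 833,333 input digests collide with each other, and the survivor count divided by 2^30 is the per-packet probability that a fabricated or tampered output lands on a set position.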
Step 6.2: Simulation verification
Step 6.2.1: Simulation experiment model
The present invention simulates the workflow of the paradigm model on an x86 system, using MD5 as the hash algorithm and selecting bits 65 to 94 of the feature triple digest as the digest result (an MD5 digest is 128 bits long, so the "bytes" in the original wording can only mean bits, consistent with step 4.2). The experiment uses 1,250,450 packets taken from real traffic in an actual environment.
Step 6.2.2: False positive experimental results
All packets pass paradigm verification, confirming the correctness of the theoretical analysis.
Step 6.2.3: False negative experimental results
On this simulation system the present invention implements two attacks: the first tampers with the destination IP address of the first 833,333 packets, replacing it with 10 random IP addresses; the second, on top of the first, inverts every payload byte. Fig. 6 gives the number of eavesdropping packets detected by the paradigm under the two attacks; the result agrees with the theoretical analysis of step 6.1.2.
Step 7: Performance assessment of the paradigm device
The detection period of the paradigm device is evaluated with the simulation model designed in step 6.2; Fig. 7 gives the experimental results under different packet lengths. The results show that, below 1500 bytes, packet length has no obvious effect on the paradigm detection period. Taking the average of 16.30 microseconds as the detection period, the paradigm detection throughput of the system ranges from 31.4 Mbps to 736.2 Mbps depending on packet length.
The processor of the experimental x86 system is an Intel i5-2410 dual-core processor with 4 GB of RAM; a detection system can be developed on any configuration not lower than this.
Since the present invention is designed on a software platform based on a general-purpose processor, rather than on the dedicated chips and FPGA hardware platforms widely used in current convergence-layer routing devices, the performance of an actual paradigm device would be far higher than the experimental result, and its detection performance can meet most current network demands.
Other components and effects of the secure routing switching method, switching system and optimization judgment method of the embodiments of the present invention are known to those skilled in the art and, to reduce redundancy, are not repeated here.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic use of these terms does not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in an appropriate manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, those skilled in the art will understand that various changes, modifications, substitutions and variations may be made to these embodiments without departing from the principle and purpose of the present invention, the scope of which is defined by the claims and their equivalents.

Claims (6)

1. A secure routing switching method, characterised by comprising the following steps:
A: collecting the first feature triple before a packet enters the routing/switching device, where the first feature triple comprises a first source IP address, a first destination IP address and a first payload;
B: collecting the second feature triple of the packet sent out through the routing/switching device, where the second feature triple comprises a second source IP address, a second destination IP address and a second payload, and searching the set of first feature triples for a first feature triple matching the second feature triple;
if a match is found, entering step C;
C: when the routing/switching device is not a border routing/switching device, forwarding the packet, where a border device is the routing/switching device connected to the external network;
when the routing/switching device is a border routing/switching device and forwards the packet towards the external network, auditing whether the second destination IP address conforms to the direction of the output interface;
if it conforms, forwarding the packet;
if it does not conform, refusing to forward the packet;
if no match is found, entering step D;
D: when the source IP address in the second feature triple is not the routing/switching device itself, forbidding the packet from leaving the routing/switching device;
when the source IP address in the second feature triple is the routing/switching device itself, auditing whether the routing/switching device has permission to send packets to the device corresponding to the destination IP address in the second feature triple;
if permitted, forwarding the packet;
if not permitted, refusing to forward the packet.
2. A secure routing switching detection system, characterised by comprising:
an information acquisition module, arranged at the information entry front end and the information exit rear end of the routing switching system, for obtaining by bypass (tap) the first feature triple input to the routing/switching device and the second feature triple output from the routing/switching device, and sending both the first feature triple and the second feature triple to the decision module, where the first feature triple comprises a first source IP address, a first destination IP address and a first payload, and the second feature triple comprises a second source IP address, a second destination IP address and a second payload;
an information matching module, for performing information matching according to the first feature triple and the second feature triple, and sending the matching result to the decision module; and
a decision module, for deciding whether to forward the packet according to the matching result.
3. The system according to claim 2, characterised by further comprising a border routing/switching device judging module, for judging whether the routing/switching device is a border routing/switching device, where a border device is a routing/switching device directly connected to the external network, and the decision module deciding whether to forward the packet according to the matching result further comprises:
if the matching result is that the second feature triple finds a match in the set of first feature triples: when the routing/switching device is not a border routing/switching device, forwarding the packet; when the routing/switching device is a border routing/switching device and forwards the packet towards the external network, auditing whether the second destination IP address conforms to the direction of the output interface,
if it conforms, forwarding the packet,
if it does not conform, refusing to forward the packet;
if the matching result is that the second feature triple finds no match in the set of first feature triples: when the source IP address of the output packet is not the routing/switching device itself, refusing to forward the packet; when the source IP address of the output packet is the routing/switching device itself, auditing whether the routing/switching device has permission to send the packet to the device corresponding to the destination IP address in the second feature triple,
if permitted, forwarding the packet,
if not permitted, refusing to forward the packet.
4. An optimization judgment method for secure routing switching, characterised by comprising the secure routing switching detection system according to claim 2 or 3 and further a first packet input record table, the method comprising the following steps:
in the initial state, setting the whole first packet input record table to 0;
obtaining the first feature triple, computing a first digest of the input first feature triple with a preset hash algorithm, taking a first preset position and a first preset length of the digest as a first digest result, and setting the position of the first packet input record table corresponding to the first digest result to 1;
obtaining the second feature triple, computing a second digest of the input second feature triple with the preset hash algorithm, and taking the first preset position and the first preset length of the second digest as a second digest result;
looking up, in the first packet input record table, the state of the position corresponding to the second digest result; if the state of that position is 1, the input source of the output packet is found, otherwise the output packet is judged to have no matching input.
5. The method according to claim 4, characterised in that the first packet input record table is reset and restarted every 2ρ, where ρ is the update period of the input record table and ρ is greater than the lifetime of the first feature triple and the second feature triple in the routing/switching device.
6. The method according to claim 5, characterised by further comprising a second packet input record table, the second packet record table and the first packet record table recording data synchronously, the first packet input record table and the second packet input record table being reset and restarted at time nodes 2i×ρ and (2i+1)×ρ respectively, where i is 0 or a positive integer;
if the corresponding positions of the first packet record table and the second packet record table are both 0, judging that the second feature triple finds no match in the set of first feature triples.
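Claims 1 and 3 state the forwarding decision as three rules. The following is an added example, not the patent's code, that applies those rules to an output packet. The set of observed input triples, the routing table used to check that the destination address "conforms to the direction of the output interface" (modelled here as a longest-prefix lookup), and the list of destinations the device itself may send to are this example's own modelling assumptions; the sample traffic is constructed.

```python
"""Added example, not the patent's code: the forwarding decision of claims 1
and 3.  The input-triple set, the longest-prefix routing table used for the
output-interface check, and the device's send-permission list are modelling
assumptions of this example; the traffic below is constructed."""
from dataclasses import dataclass
import ipaddress

FORWARD, DROP = "forward", "drop"


@dataclass(frozen=True)
class Triple:
    """Feature triple: source IP, destination IP, payload."""
    src: str
    dst: str
    payload: bytes


class SecureSwitchDecider:
    def __init__(self, device_ip, is_border, routes, allowed_dsts):
        self.device_ip = device_ip
        self.is_border = is_border
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]
        self.allowed_dsts = set(allowed_dsts)   # destinations the device may send to itself
        self.inputs = set()                     # first feature triples (step A)

    def observe_input(self, triple):
        self.inputs.add(triple)

    def egress_for(self, dst):
        """Interface the routing table points at for dst (longest prefix wins)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def decide(self, out, egress_iface, to_external):
        """Apply steps B to D of claim 1 to an output triple leaving on egress_iface."""
        if out in self.inputs:                           # step B: match found -> step C
            if self.is_border and to_external and self.egress_for(out.dst) != egress_iface:
                return DROP                              # destination does not match the output interface
            return FORWARD
        # step D: the output packet has no input source
        if out.src != self.device_ip:
            return DROP                                  # a forged or eavesdropping copy of user traffic
        return FORWARD if out.dst in self.allowed_dsts else DROP


if __name__ == "__main__":
    d = SecureSwitchDecider("192.0.2.1", is_border=True,
                            routes=[("10.0.0.0/8", "eth1"), ("0.0.0.0/0", "eth0")],
                            allowed_dsts={"192.0.2.254"})
    user = Triple("10.1.1.1", "10.2.2.2", b"GET / HTTP/1.1")
    d.observe_input(user)
    print("matched, internal     :", d.decide(user, "eth1", to_external=False))
    print("matched, wrong egress :", d.decide(user, "eth0", to_external=True))
    print("eavesdropping copy    :", d.decide(Triple("10.1.1.1", "198.51.100.7", b"GET / HTTP/1.1"), "eth0", True))
    print("device-originated ok  :", d.decide(Triple("192.0.2.1", "192.0.2.254", b"keepalive"), "eth1", False))
    print("device-originated bad :", d.decide(Triple("192.0.2.1", "203.0.113.5", b"dump"), "eth0", True))
```

A matched input triple is left in the set rather than consumed, mirroring the digest tables of claims 4 to 6, which expire entries by time rather than on use; the eavesdropping case is caught because a copy with a rewritten destination is a triple the device never received.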
Publications (2)

Publication Number Publication Date
CN105827634A true CN105827634A (en) 2016-08-03
CN105827634B CN105827634B (en) 2019-06-28


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111741032A (en) * 2020-08-26 2020-10-02 杭州数列网络科技有限责任公司 Data transmission control method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110261710A1 (en) * 2008-09-26 2011-10-27 Nsfocus Information Technology (Beijing) Co., Ltd. Analysis apparatus and method for abnormal network traffic
CN103414729A (en) * 2013-08-29 2013-11-27 中国科学院计算技术研究所 Routing attack detecting system and method
CN104735060A (en) * 2015-03-09 2015-06-24 清华大学 Router and verification method and verification device for router data plane information
CN104796291A (en) * 2015-04-27 2015-07-22 清华大学 System and method for detecting transmission standardization of routers in core routing area


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
徐恪 (Xu Ke) et al.: "基于路由交换范式构建安全可信网络" (Building a secure and trustworthy network based on the routing/switching paradigm), 《中国计算机学会通讯》 (Communications of the China Computer Federation) *
