CN105871772A - Working method of SDN network architecture aimed at network attack - Google Patents


Info

Publication number: CN105871772A
Authority: CN (China)
Prior art keywords: message, sdn, network, ids, sdn controller
Legal status: Pending
Application number: CN201510024417.6A
Other languages: Chinese (zh)
Inventors: 吴正明, 张家华
Current assignee: Individual
Original assignee: Individual


Abstract

The invention discloses a working method of an SDN network architecture aimed at network attacks. The method comprises: step S100, network initialization; step S200, distributed DDoS threat monitoring and/or SDN link status information collection; and step S300, threat processing and/or data issuing. When the network is subjected to a large-scale DDoS threat, the method achieves route-optimized flow forwarding according to the real-time status of each link while identifying the DDoS threat and responding to it quickly and accurately, thereby comprehensively ensuring the quality of network communication.

Description

Working method of an SDN network architecture for network attacks
Technical field
The present invention relates to the field of network security, and in particular to a working method of an SDN network architecture for network attacks.
Background technology
Today, the widely interconnected network has become important infrastructure of modern society. However, as the scale of the Internet expands, the defects of the traditional protocol system become more apparent every day.
The latest report of the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) shows that hacker activity is increasing, and attacks such as website backdoors, phishing and web drive-by malware ("hanging horse") are rising sharply; among them, distributed denial-of-service (DDoS) attacks remain one of the main threats to the secure operation of the Internet. In the past few years the number, size and types of DDoS attacks have all risen sharply.
How to achieve effective defense against DDoS attacks through an SDN network architecture is a technical difficulty in this field.
Summary of the invention
The object of the present invention is to provide a working method of an SDN network architecture, so as to solve the network security problems caused by large numbers of DDoS attacks in existing networks, to identify and defend against DDoS attacks quickly, efficiently and comprehensively, and to distinguish the network topology change that follows threat processing from the change caused by a link failure, so as to provide the corresponding packet forwarding path.
In order to solve the above technical problem, the invention provides a working method of an SDN network architecture. The working method of the SDN network architecture comprises the following steps:
Step S100, network initialization; step S200, distributed DDoS threat monitoring and/or SDN link-state information collection; and step S300, threat processing and/or data issuing.
Preferably, in order to better realize the network configuration, the devices involved in network initialization in step S100 include: the SDN controller, the IDS policy server and the IDS device;
The steps of network initialization are as follows:
Step S101, the IDS policy server and the IDS device establish a dedicated SSL channel; step S102, the SDN controller builds a network device information binding table and updates it in real time to the IDS device; step S104, the SDN controller issues a flow table implementing a mirroring policy, so that each OF switch mirrors the traffic of every port to which a host is attached and forwards it to the IDS device; and step S105, the SDN controller issues DDoS threat identification rules to the corresponding IDS device in each network domain.
Preferably, in step S200 the distributed DDoS threat monitoring method comprises: detecting, in turn, spoofing of link-layer and network-layer addresses, abnormal setting of network-layer and transport-layer flag bits, and flooding attacks at the application layer and transport layer; if any of these checks determines that the packet exhibits the corresponding behavior, the packet is passed to step S300. The method for detecting spoofing of link-layer and network-layer addresses comprises: the spoofed-packet detection module detects spoofing behavior; first, the spoofed-packet detection module calls the network device information binding table; second, the spoofed-packet detection module parses the packet encapsulated in the Packet-In message according to its type, obtains the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that sent the Packet-In message, and compares each of these with the corresponding entry in the network device information binding table; if the information in the packet matches, the packet proceeds to the next check; if it does not match, the packet is passed to step S300. The method for detecting abnormal setting of network-layer and transport-layer flag bits comprises: the malformed-packet detection module detects abnormally set flag bits, i.e. it inspects each flag bit of the packet to determine whether it conforms to the TCP/IP protocol specification; if every flag bit conforms, the packet proceeds to the next check; if not, the packet is passed to step S300. The method for detecting flooding attacks at the application and transport layers comprises: the abnormal-packet detection module detects flooding behavior, i.e. the abnormal-packet detection module builds a hash table for identifying flooding attack packets and, according to the threshold set for that hash table, determines whether the packet exhibits flooding behavior, and passes the result to step S300. The method for collecting SDN link-state information comprises: computing the backup path of the main path according to the SDN topology and the overhead of each link; assigning each backup path a flag bit used to mark it; and, according to the backup path and its flag bit, issuing flow entries to each OF switch on that backup path.
In step S300, the method of threat processing and/or data issuing comprises: if the packet exhibits spoofing behavior and the attack threat lies within the OpenFlow domain, the IDS policy server is adapted to shield the host through the SDN controller; and if the attack threat lies outside the OpenFlow domain, the SDN controller redirects the traffic of the OF switch access port corresponding to the packet to the traffic cleaning center for filtering; if the packet exhibits abnormal flag-bit behavior, the IDS policy server shields the traffic of the attacking program or attacking host through the SDN controller; if the packet exhibits flooding behavior, the IDS policy server, through the SDN controller, redirects the traffic of the OF switch access port corresponding to the packet to the traffic cleaning center for filtering; and/or an optimal path is computed according to the link load coefficient, i.e. the remaining bandwidth of the link between two adjacent nodes is measured to obtain the load coefficient of that link, the optimal path between any two points is obtained from this load coefficient and the initialized network topology graph, and the SDN controller derives the corresponding forwarding flow table from this optimal path and issues it to each OF switch.
Preferably, the method by which the IDS policy server shields the program and/or host that sent a packet comprises: first, building the corresponding counting hash tables and setting their thresholds, i.e. per unit of time, building in the IDS policy server a first hash table that counts spoofing behavior, a second hash table that counts abnormal flag-bit setting, and a third hash table that counts flooding behavior, and setting a first, second and third threshold for the first, second and third hash table respectively; second, shielding the program and/or host that sent the packet, i.e. for the behavior of each packet passed to the IDS policy server, counting in the corresponding hash table and, when the count exceeds the corresponding threshold, shielding the program and/or host that sent the packet.
Further, in step S300 the method of data issuing also comprises: determining the packet issuing path according to the reason for the change of the SDN topology; that is, after the SDN controller has processed the threat, the packet is issued along the optimal path, or, after the main path is judged to have failed, the packet is forwarded along the backup path that matches the flow entry.
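The link-state collection of step S200 and the path selection of step S300, as an added example that is not part of the patent: the load coefficient is defined here as capacity divided by remaining bandwidth (an assumption, the patent does not fix the formula), the backup path is taken to be the best path sharing no link with the main path (also an assumption), and the topology values are constructed.

```python
import heapq
from typing import Dict, List, Optional, Set, Tuple

Link = Tuple[str, str, float, float]   # (node a, node b, capacity, remaining bandwidth)


def load_factor(capacity: float, remaining: float) -> float:
    """Load coefficient of a link from its measured remaining bandwidth.
    Assumed definition: capacity / remaining, 1.0 when idle and growing as the
    link fills; an exhausted link gets an infinite cost."""
    if remaining <= 0:
        return float("inf")
    return capacity / remaining


def build_cost_graph(links: List[Link]) -> Dict[str, Dict[str, float]]:
    """Undirected cost graph keyed by node, cost = load coefficient of the link."""
    graph: Dict[str, Dict[str, float]] = {}
    for a, b, cap, rem in links:
        cost = load_factor(cap, rem)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph: Dict[str, Dict[str, float]], src: str, dst: str,
                  banned: Set[frozenset] = frozenset()) -> Optional[List[str]]:
    """Dijkstra over load coefficients; links listed in `banned` are skipped."""
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    visited: Set[str] = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in visited:
            continue
        visited.add(u)
        if u == dst:
            break
        for v, w in graph.get(u, {}).items():
            if frozenset((u, v)) in banned:
                continue
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def main_and_backup(links: List[Link], src: str, dst: str):
    """Main path: optimal path by load coefficient. Backup path: best path that
    shares no link with the main path (assumed interpretation of 'computed from
    the topology and the overhead of each link')."""
    graph = build_cost_graph(links)
    main = shortest_path(graph, src, dst)
    if main is None:
        return None, None
    used = {frozenset(e) for e in zip(main, main[1:])}
    return main, shortest_path(graph, src, dst, banned=used)


def backup_flow_entries(path: List[str], flag: int) -> List[dict]:
    """One flow entry per OF switch on the backup path, matching the flag bit
    that marks this backup path and outputting towards the next hop."""
    return [{"switch": sw, "match": {"backup_flag": flag}, "output": nxt}
            for sw, nxt in zip(path, path[1:])]


def choose_path(main: List[str], backup: List[str],
                failed_links: Set[frozenset]) -> List[str]:
    """Data issuing after a topology change: keep the main path unless one of
    its links has failed, in which case the packet follows the backup path."""
    main_links = {frozenset(e) for e in zip(main, main[1:])}
    return backup if main_links & failed_links else main
```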
Beneficial effects of the present invention: (1) the invention combines DDoS threat filtering with routing optimization, so that DDoS attacks are shielded while being monitored without causing data congestion, and by separating monitoring from threat processing it effectively reduces the burden on the control plane, ensuring that the network runs more safely and efficiently; (2) the invention fundamentally solves the problem that, under the traditional network architecture, address-forging DDoS attacks can neither be identified nor traced to their source; when DDoS attacks or legitimate high-volume traffic are present in the network, the SDN controller can still achieve routing optimization of normal traffic based on real-time awareness of network parameters such as remaining link bandwidth, greatly improving the user experience; (3) the processing framework of the invention adopts an extensible modular design, achieving efficient detection and handling of DDoS threats; (4) each module obtains packet information through an independent interface design, reducing the coupling between modules; (5) each module uses optimized program data structures and finely divides each processing sub-flow, improving the high cohesion of the modules; (6) the invention also distinguishes network link changes by their cause, i.e. after the SDN controller has processed a threat the packet is issued along the optimal path, or after the main path is judged to have failed the packet is forwarded along the backup path that matches the flow entry, effectively avoiding loss of traffic data during a switch failure.
Brief description of the drawings
In order to make the content of the present invention easier to understand, the present invention is further described in detail below according to specific embodiments and with reference to the accompanying drawings, wherein
Fig. 1 shows the structural block diagram of the SDN network architecture;
Fig. 2 shows the schematic block diagram of the IDS device;
Fig. 3 shows the workflow diagram of the spoofed-packet detection module;
Fig. 4 shows the workflow diagram of the malformed-packet detection module;
Fig. 5 shows the detection flowchart for UDP flooding;
Fig. 6 shows the detection flowchart for ICMP flooding;
Fig. 7 shows the flow block diagram of the distributed DDoS threat monitoring method;
Fig. 8 shows the concrete topology deployed in the experimental scenario;
Fig. 9(a) shows the curve of the attack frequency borne by a Web server that does not use the SDN network architecture of the present invention;
Fig. 9(b) shows the curve of the attack frequency borne by a Web server that uses the SDN network architecture of the present invention;
Fig. 10 shows a comparison of average transmission rates.
Detailed description of the invention
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in more detail below with reference to specific embodiments and the accompanying drawings. It should be understood that these descriptions are merely exemplary and are not intended to limit the scope of the invention. In addition, in the following description, descriptions of well-known structures and technologies are omitted to avoid unnecessarily obscuring the concepts of the invention.
In a Software Defined Network (SDN) architecture, when a packet arrives at an OF switch, it is first matched against the flow table held by the OF switch. If the match succeeds, the forwarding rule is executed according to the action specified by the flow table. If the match fails, the OF switch encapsulates the packet in a Packet-In message, sends it to the SDN controller, and keeps the packet in its local cache while waiting for the SDN controller to decide how to handle it.
There are many hosts in the network, so a hash table keyed by every host in the network needs to be established, called the "violation count hash table group", comprising: a first hash table adapted to count spoofed packets, a second hash table adapted to count malformed packets, and a third hash table adapted to count flooding attacks. It records the number of violations of each host, that is, the credibility of the host.
Packets in the network arrive in real time, so a hash table that counts threat packets within a unit of time also needs to be established, in which each host corresponds to one key of the hash table and the corresponding value is the number of threat packets sent by the host of that key within the recorded unit of time. At the beginning of each unit-time "time slice", the values of all keys in such a hash table must be reset to 0; and every kind of detected packet requires such a table, so if 100 kinds of packets are detected, 100 such hash tables are needed.
Moreover, each hash table must have a corresponding threshold. Whenever a host appears in a hash table, its corresponding value is accumulated. After counting, it is checked whether the value exceeds the set threshold. If it exceeds the corresponding threshold, the value of the corresponding record in the violation count hash table is incremented.
On the basis of the above inventive principle, the specific implementation process of this embodiment is as follows.
Embodiment 1
Fig. 1 shows the structural block diagram of the SDN network architecture of the present invention.
As shown in Fig. 1, the SDN network architecture of the present invention comprises: an SDN controller, an IDS policy server, an IDS device (i.e. an intrusion detection device) and a traffic cleaning center; when the IDS device detects a packet with DDoS attack characteristics, it reports it to the IDS policy server over the SSL channel; the IDS policy server, according to the reported information, makes the processing decision corresponding to the packet with DDoS attack characteristics, and then either shields the packet through the SDN controller or redirects the traffic of the OF switch access port corresponding to the packet to the traffic cleaning center for filtering; at the same time, the SDN controller collects the current SDN link-state information to provide the corresponding packet forwarding path.
Here, DDoS attack characteristics are defined as: spoofing of link-layer and network-layer addresses, abnormal setting of network-layer and transport-layer flag bits, and flooding attacks at the application layer and transport layer.
Fig. 2 shows the schematic block diagram of the IDS device.
As shown in Fig. 2, the IDS device further comprises:
a spoofed-packet detection module, which detects spoofing of link-layer and network-layer addresses;
a malformed-packet detection module, which detects abnormal setting of network-layer and transport-layer flag bits;
an abnormal-packet detection module, which detects flooding attacks at the application layer and transport layer;
the spoofed-packet detection module, the malformed-packet detection module and the abnormal-packet detection module inspect the packet in turn; and if a detection module determines that the packet exhibits the corresponding behavior above, the packet is passed to the IDS policy server.
Further, the IDS policy server is adapted, when a packet exhibits spoofing behavior and the attack threat lies within the OpenFlow domain, to shield the host through the SDN controller; or, when the attack threat lies outside the OpenFlow domain, to redirect the traffic of the OF switch access port corresponding to the packet to the traffic cleaning center for filtering through the SDN controller; the IDS policy server is further adapted, when a packet exhibits abnormal flag-bit behavior, to shield the traffic of the attacking program or attacking host through the SDN controller; and, when a packet exhibits flooding behavior, the IDS policy server is adapted to redirect the traffic of the OF switch access port corresponding to the packet to the traffic cleaning center for filtering through the SDN controller.
The present invention detects in the order spoofed-packet detection module, then malformed-packet detection module, then abnormal-packet detection module; each module obtains packet information through an independent interface design, reducing the coupling between modules, and each module uses optimized program data structures and finely divides each processing sub-flow, improving the high cohesion of the modules. This detection order improves the efficiency of packet detection and reduces loss.
Fig. 3 shows the workflow diagram of the spoofed-packet detection module.
As shown in Fig. 3, the spoofed-packet detection module calls the network device information binding table, and the IDS policy server builds a first hash table adapted to count packet spoofing behavior within a unit of time and sets a first threshold for it; the spoofed-packet detection module parses the packet encapsulated in the Packet-In message according to its type, obtains the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that sent the Packet-In message, and compares each with the corresponding information in the network device information binding table; if the information in the packet matches, the packet is passed to the malformed-packet detection module; if it does not match, the packet is passed to the IDS policy server, which discards it and at the same time counts the spoofing behavior, and when this count exceeds the first threshold, shields the program and/or host that sent the packet.
Specifically, the spoofed-packet detection module performs the first judgment on the packet, i.e. it judges whether the packet is an IP spoofing attack packet, a port spoofing attack packet or a MAC spoofing attack packet.
The concrete steps comprise: first parse the source and destination MAC addresses and the OF switch ingress port from the Ethernet frame, then parse the packet further according to its type. When the type is IP, ARP or RARP, parse the corresponding source and destination IP addresses and look these up against the network device information binding table; if the corresponding entry matches, hand the packet to the malformed-packet detection module for processing. If it does not match, pass the packet to the IDS policy server for processing, and at the same time accumulate the count of spoofing behavior; when this count exceeds the first threshold, shield the program and/or host that sent the packet.
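The first judgment described above, as an added example that is not part of the patent or of Floodlight: the binding table is keyed by (source MAC, VLAN) as the device manager's entity classifier does, the attachment point is taken from the Packet-In rather than from the frame, only the source side is checked (the destination fields are not compared here), and all addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Binding table as the controller pushes it to the IDS device:
# key (source MAC, VLAN) -> (bound IP, switch DPID, switch port).
BindingTable = Dict[Tuple[str, int], Tuple[str, str, int]]


@dataclass
class PacketIn:
    """Fields the spoofed-packet module extracts from one Packet-In message."""
    dpid: str            # DPID of the OF switch that sent the Packet-In
    in_port: int         # ingress port on that switch
    src_mac: str
    dst_mac: str
    vlan: int
    eth_type: str        # "ip", "arp", "rarp" or another type
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def build_binding_table(devices) -> BindingTable:
    """Build the network device information binding table from constructed
    (mac, vlan, ip, dpid, port) host records."""
    table: BindingTable = {}
    for mac, vlan, ip, dpid, port in devices:
        table[(mac.lower(), vlan)] = (ip, dpid.lower(), port)
    return table


def check_spoofing(pkt: PacketIn, table: BindingTable) -> Tuple[bool, str]:
    """First judgment on a packet. Returns (matches, reason); a mismatch sends
    the packet to the IDS policy server instead of the next module."""
    entry = table.get((pkt.src_mac.lower(), pkt.vlan))
    if entry is None:
        return False, "source MAC/VLAN not in binding table (MAC spoofing)"
    bound_ip, bound_dpid, bound_port = entry
    # The attachment point is reported by the switch itself in the Packet-In,
    # so a sender cannot forge it; a mismatch means the MAC is being reused.
    if (pkt.dpid.lower(), pkt.in_port) != (bound_dpid, bound_port):
        return False, "attachment point differs from binding (port spoofing)"
    if pkt.eth_type in ("ip", "arp", "rarp"):
        # Network-layer address must belong to the same bound host.
        if pkt.src_ip != bound_ip:
            return False, "source IP not bound to this MAC (IP spoofing)"
    return True, "ok"


def next_module(pkt: PacketIn, table: BindingTable) -> str:
    """Dispatch: matching packets continue to the malformed-packet module,
    mismatching packets go to the IDS policy server."""
    ok, _ = check_spoofing(pkt, table)
    return "malformed_packet_module" if ok else "ids_policy_server"
```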
Floodlight has a device manager module, DeviceManagerImpl, which tracks devices as they move in the network and defines devices according to new flows.
The device manager learns devices from Packet-In messages, obtaining the device's network parameters (source and destination IP, MAC, VLAN, etc.) from the Packet-In message, and the entity classifier distinguishes devices into OF switches or hosts. By default the entity classifier uses the MAC address and/or VLAN to represent a device; these two attributes uniquely identify a device. Another important item of information is the device's attachment point (the DPID and port number of the OF switch). Within one OpenFlow domain a device can have only one attachment point; an OpenFlow domain here means the set of OF switches connected to the same Floodlight instance. The device manager also sets expiry times for IP addresses, attachment points and devices, using the last timestamp as the basis for judging whether they have expired.
Therefore the network device information binding table module only needs to call the IDeviceService provided by the DeviceManagerImpl module and, at the same time, register an IDeviceListener listener interface with that service.
The listener interface provided by IDeviceListener has the following methods:
Interface name                                            Function
public void deviceAdded(IDevice device)                   host added
public void deviceRemoved(IDevice device)                 host removed
public void deviceMoved(IDevice device)                   host moved
public void deviceIPV4AddrChanged(IDevice device)         host IP address changed
public void deviceVlanChanged(IDevice device)             host VLAN changed
Services used: IFloodlightProviderService, IDeviceService
Dependent interfaces: IFloodlightModule, IDeviceListener
According to the high/low level trigger mechanism of the OF switch (unplugging the cable triggers the low level, Port Down; plugging in the cable triggers the high level, Port Up), the records in the binding table can be refreshed in real time.
A traditional DDoS attack cannot touch or modify the switch DPID and switch port information; exploiting this advantage, spoofing attacks can be detected more flexibly.
Fig. 4 shows the workflow diagram of the malformed-packet detection module.
As shown in Fig. 4, the IDS policy server builds a second hash table adapted to count abnormal flag-bit setting within a unit of time and sets a second threshold for it; the malformed-packet detection module inspects each flag bit of the packet to determine whether it conforms to the TCP/IP protocol specification; if every flag bit conforms, the packet is passed to the abnormal-packet detection module; if not, the packet is passed to the IDS policy server, which discards it and at the same time counts the abnormal flag-bit behavior, and when this count exceeds the second threshold, shields the program and/or host that sent the packet.
Specifically, the malformed-packet detection module performs the second judgment on the packet, i.e. it judges whether the packet is an attack packet with malicious flag-bit characteristics. Attack packets with malicious flag-bit characteristics include but are not limited to IP attack packets and TCP attack packets. The implementation steps comprise: for IP attack packets and the TCP/UDP attack packets carried within them, inspecting the flag bits of each packet, i.e. identifying whether each flag bit conforms to the TCP/IP protocol specification. If it conforms, the packet is handed directly to the abnormal-packet detection module. If not, it is judged to be an attack packet and passed to the IDS policy server for processing.
Taking a typical attack such as Teardrop as an example: the IP header has an offset field and a more-fragments flag (MF); if the attacker sets the offset field to an incorrect value, the IP fragments will overlap or leave gaps, and the target system will crash.
The IP header has a protocol field that specifies which protocol the IP packet carries. The value of this field is less than 100; if the attacker sends the target a large number of IP packets whose protocol field is greater than 100, the protocol stack of the target system will be damaged, forming an attack.
Therefore the malformed-packet detection module first extracts each flag bit of the packet and then checks whether it is normal.
If normal, the packet is handed to the subsequent module for processing.
If abnormal, the packet is discarded and the counter in the corresponding hash table is incremented. If the counter within a unit of time exceeds the set second threshold, the IDS policy server is called to shield the corresponding program and/or directly shield the corresponding host.
After packets have been filtered by the spoofed-packet detection module, the addresses in the packets handled by the subsequent malformed-packet detection module are all genuine. This effectively prevents the target from receiving malformed packets, which could directly cause the target's protocol stack, or even the target itself, to crash.
The processing function of the malformed-packet detection module is broadly similar to the spoofed-packet detection flow; the difference is that the malformed-packet detection module parses the flag bits of each packet and then checks whether each flag bit is normal.
If normal, the packet is handed directly to the subsequent abnormal-packet detection module.
If abnormal, the packet is discarded and the counter in the hash table corresponding to the host credibility mechanism is incremented. If the set threshold is exceeded, the corresponding attacking program is shielded or the attacking host is shielded directly.
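The flag-bit checks of the malformed-packet module for the two cases the text names (Teardrop fragment offsets and the protocol field), as an added example that is not part of the patent: the protocol-field limit of 100 is the patent's own rule carried over as a constant, the remaining checks follow RFC 791 (reserved bit clear, DF and MF not both set, non-final fragments a multiple of 8 bytes with MF set, fragments contiguous), and the sample packets are constructed by make_ipv4.

```python
import struct
from typing import Dict, List

# The patent states that valid protocol-field values are below 100 and treats
# larger values as an attack; that rule is carried over here as MAX_PROTOCOL.
MAX_PROTOCOL = 100


def make_ipv4(ident: int, mf: int, offset: int, payload_len: int, proto: int = 17) -> bytes:
    """Constructed sample: IPv4 header without options (checksum left 0)
    followed by a zero payload, for feeding the checks below."""
    flags_frag = (mf << 13) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * payload_len


def parse_ipv4_header(raw: bytes) -> Dict[str, int]:
    """Extract the header fields and flag bits the malformed-packet module inspects."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, _s, _d = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "total_len": total_len,
        "id": ident,
        "reserved": (flags_frag >> 15) & 1,
        "df": (flags_frag >> 14) & 1,
        "mf": (flags_frag >> 13) & 1,
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset field counts 8-byte units
        "protocol": proto,
    }


def check_header(h: Dict[str, int]) -> List[str]:
    """Per-packet flag-bit checks; an empty list means the header is normal."""
    problems = []
    if h["version"] != 4:
        problems.append("version is not 4")
    if h["ihl"] < 5:
        problems.append("header length below minimum")
    if h["reserved"]:
        problems.append("reserved flag bit set")
    if h["df"] and h["mf"]:
        problems.append("DF and MF both set")
    if h["protocol"] > MAX_PROTOCOL:
        problems.append("protocol field out of range")
    if h["total_len"] < h["ihl"] * 4:
        problems.append("total length smaller than header")
    return problems


def check_fragment_set(frags: List[Dict[str, int]]) -> List[str]:
    """Teardrop-style check over all fragments collected for one IP id: each
    fragment must start exactly where the previous one ended, every non-final
    fragment must have MF set and a payload that is a multiple of 8 bytes."""
    problems = []
    ordered = sorted(frags, key=lambda f: f["frag_offset"])
    expected = 0
    for i, f in enumerate(ordered):
        payload = f["total_len"] - f["ihl"] * 4
        last = i == len(ordered) - 1
        if f["frag_offset"] < expected:
            problems.append("overlapping fragment")
        elif f["frag_offset"] > expected:
            problems.append("gap between fragments")
        if not last and not f["mf"]:
            problems.append("MF clear on a non-final fragment")
        if not last and payload % 8:
            problems.append("non-final fragment payload not a multiple of 8")
        expected = f["frag_offset"] + payload
    return problems


def inspect(raw_packets: List[bytes]) -> str:
    """Module decision for one datagram (all of its fragments): the packet goes
    on to the abnormal-packet module when normal, else to the IDS policy server."""
    headers = [parse_ipv4_header(p) for p in raw_packets]
    problems = [p for h in headers for p in check_header(h)]
    if len(headers) > 1 or headers[0]["mf"] or headers[0]["frag_offset"]:
        problems += check_fragment_set(headers)
    return "abnormal_packet_module" if not problems else "ids_policy_server"
```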
The abnormal-packet detection module builds a hash table for identifying flooding attack packets; the IDS policy server builds a third hash table adapted to count flooding behavior within a unit of time and sets a third threshold for it; the abnormal-packet detection module is adapted to judge, according to the threshold set for the hash table, whether the packet exhibits attack behavior; if there is no attack behavior, the data is issued; if there is, the packet is passed to the IDS policy server, which discards it and at the same time counts the attack behavior, and when the count exceeds the third threshold, shields the program and/or host that sent the packet.
Specifically, the abnormal-packet detection module performs the third judgment on the packet, i.e. it judges whether the packet is a flooding attack packet.
The concrete steps comprise: using the hash table built for identifying flooding attack packets, accumulating the corresponding record and checking whether it exceeds the threshold, to judge whether the packet is a flooding attack packet.
After filtering by the two modules, the spoofed-packet detection module and the malformed-packet detection module, the packets handled by the subsequent module basically belong to packets under normal circumstances. However, DDoS attacks also occur under normal circumstances; in the prior art, normally only spoofed-packet detection and malformed-packet detection are performed, whereas in the present technical solution DDoS attacks can be avoided as far as possible.
The following example describes a specific embodiment in which, after filtering by the spoofed-packet detection module and the malformed-packet detection module, DDoS attacks are then shielded by the abnormal-packet detection module. This embodiment takes UDP flooding and ICMP flooding as examples.
Fig. 5 shows the detection flowchart for UDP flooding.
Regarding UDP flooding, as shown in Fig. 5, the attacker exploits the connectionless nature of the UDP protocol and sends a large number of UDP packets to the target. The target spends a great deal of time processing the UDP packets; these UDP attack packets not only overflow the buffer that stores UDP packets but also consume a large amount of network bandwidth, so that the target cannot (or can barely) receive legitimate UDP packets.
Because different hosts send a large number of UDP packets to a single host, there will certainly be situations where a UDP port is occupied, so in this technical solution an ICMP port unreachable packet will be received.
Therefore this technical solution builds a hash table for all hosts, specifically used to store the number of ICMP port unreachable packets received within a unit of time. If the set threshold is exceeded, the corresponding attacking program is shielded directly.
Fig. 6 shows the detection flowchart for ICMP flooding.
Regarding ICMP flooding, as shown in Fig. 6, ICMP flooding is counted directly within a unit of time. If the corresponding threshold is exceeded, the corresponding host is shielded directly; although this method is simple, it is very effective.
Therefore, if the abnormal-packet detection module detects that the packet type is one of the abnormal-packet detection types, it increments the corresponding counter and checks whether it exceeds the threshold; if it does not exceed the threshold, the packet is still issued according to the optimal routing policy. If it exceeds the threshold, the corresponding attacking program is shielded or the corresponding host is shielded directly.
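The per-time-slice counting hash tables, their thresholds and the violation count hash table group described under the inventive principle above, applied to the UDP flooding and ICMP flooding detection of Figs. 5 and 6, as an added example that is not part of the patent: the time slice is one second, the thresholds and the ICMP packets are constructed, and the UDP-flooding counter is keyed by the destination of the ICMP port unreachable (the original UDP sender), which is an assumption about the patent's "host" key.

```python
from collections import defaultdict
from typing import Dict, Set


class SliceCounter:
    """Per-host threat-packet counter for one detection type. All values are
    reset to 0 when a new unit-time slice begins, as the patent requires."""

    def __init__(self, threshold: int, slice_seconds: float):
        self.threshold = threshold
        self.slice_seconds = slice_seconds
        self.counts: Dict[str, int] = defaultdict(int)
        self.slice_index = -1

    def add(self, host: str, now: float) -> bool:
        """Count one packet for host at time now (seconds); True when the
        host's count in the current slice exceeds the threshold."""
        idx = int(now // self.slice_seconds)
        if idx != self.slice_index:          # new time slice: zero every key
            self.counts.clear()
            self.slice_index = idx
        self.counts[host] += 1
        return self.counts[host] > self.threshold


class IdsPolicyServer:
    """One SliceCounter per detection type plus the violation count hash table
    group that records each host's accumulated violations (its credibility)."""

    def __init__(self, thresholds: Dict[str, int], slice_seconds: float = 1.0):
        self.counters = {k: SliceCounter(t, slice_seconds) for k, t in thresholds.items()}
        self.violations: Dict[str, Dict[str, int]] = {k: defaultdict(int) for k in thresholds}
        self.shielded: Set[str] = set()

    def count(self, kind: str, host: str, now: float) -> bool:
        """Record one packet of the given kind; when the slice threshold is
        exceeded, bump the host's violation record, shield it and return True."""
        if self.counters[kind].add(host, now):
            self.violations[kind][host] += 1
            self.shielded.add(host)
            return True
        return False


def handle_icmp(pkt: Dict[str, object], server: IdsPolicyServer, now: float) -> str:
    """Abnormal-packet module step for one ICMP packet (constructed dict with
    src, dst, type, code). Returns "shield" above the threshold, else "forward"
    (the packet is still issued by the optimal routing policy)."""
    if pkt["type"] == 3 and pkt["code"] == 3:
        # ICMP port unreachable flows back to the sender of the UDP packets,
        # so the host receiving many of them is the one flooding UDP ports.
        exceeded = server.count("udp_flood", pkt["dst"], now)
    elif pkt["type"] == 8:
        # Echo request: ICMP flooding is counted directly per source host.
        exceeded = server.count("icmp_flood", pkt["src"], now)
    else:
        return "forward"
    return "shield" if exceeded else "forward"


def replay(packets, server: IdsPolicyServer):
    """Run a list of (time, packet) pairs through the module; return the decisions."""
    return [handle_icmp(p, server, t) for t, p in packets]
```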
When any of the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module judges the packet to be an attack packet as described above, the packet is handed over to the IDS policy server, i.e. the packet is dropped and the program and/or host that sent it is blocked.
When the spoofed-packet detection module, the malformed-packet detection module or the anomalous-packet detection module needs to drop a packet or to block a threatening host, it directly invokes the IDS policy server to perform the corresponding threat-handling operation.
The concrete implementation steps of the IDS policy server include:
The step of dropping the packet, i.e. packet discarding, includes the following:
When an OF switch (OpenFlow switch) finds no matching flow entry for a packet, it encapsulates the packet in a Packet-In message and at the same time stores the packet in its local buffer. The buffered packet is assigned a buffer ID, and this ID is also carried in the buffer_id field of the Packet-In message. To drop the packet, a Packet-Out message is sent whose buffer_id field is filled with the buffer ID of the packet to be dropped (the buffer_id from the corresponding Packet-In message) and whose action list is empty, so that the switch releases the buffered packet without forwarding it.
The step of blocking a host includes the following:
The structure of an OpenFlow flow entry is as follows:
Header fields    Counters    Actions
The structure of the header fields is:
The step by which the IDS policy server blocks an application program includes the following:
The corresponding match fields are filled into the header-field part of the flow entry, and by setting the wildcard bits (Wildcards) of the match fields the information that identifies the attacking program or host is obtained. To block an attacking program, the following match fields are filled into the flow entry header: IP address, MAC address, VLAN, switch DPID, switch port, protocol type and its port number, etc. To block a host, the following match fields are filled in: IP address, MAC address, VLAN, switch DPID, switch port, etc. The action list of the flow entry is left empty, which causes the packets of the attacking program/host to be dropped. The record values in each hash table are consulted to compute the timeout after which the flow entry is automatically deleted. The flow entry is then issued to block the program or host.
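The two operations above, discarding a buffered packet by its buffer_id with a Packet-Out and blocking a program or host with a flow entry whose action list is empty, encoded as OpenFlow 1.3 messages. This is an added example, not the patent's own code: the message layouts and OXM field numbers follow the OpenFlow 1.3 specification, while the helper names and the timeout policy in block_timeout (entry lifetime grows with the hash-table count for the offender) are assumptions, since the patent only says the count is used to compute the timeout.

```python
"""OpenFlow 1.3 Packet-Out (drop buffered packet) and Flow-Mod (drop by match)
as the IDS policy server would issue them through the controller (added example)."""
import struct
import ipaddress

OFP_VERSION = 4                  # OpenFlow 1.3
OFPT_PACKET_OUT, OFPT_FLOW_MOD = 13, 14
OFPFC_ADD = 0
OFP_NO_BUFFER = OFPP_ANY = OFPG_ANY = 0xFFFFFFFF
OFPMT_OXM = 1
OFPXMC_OPENFLOW_BASIC = 0x8000
# OXM field numbers from ofp_oxm_ofb_match_fields
OXM_IN_PORT, OXM_ETH_SRC, OXM_ETH_TYPE = 0, 4, 5
OXM_IP_PROTO, OXM_IPV4_SRC, OXM_TCP_SRC, OXM_UDP_SRC = 10, 11, 13, 15


def _header(msg_type, body, xid):
    """ofp_header: version, type, total length, transaction id."""
    return struct.pack("!BBHI", OFP_VERSION, msg_type, 8 + len(body), xid) + body


def _oxm(field, value):
    """One OXM TLV: class, (field << 1 | hasmask=0), payload length, payload."""
    return struct.pack("!HBB", OFPXMC_OPENFLOW_BASIC, field << 1, len(value)) + value


def build_match(in_port=None, eth_src=None, ipv4_src=None, ip_proto=None, l4_src=None):
    """ofp_match in OXM form. The ETH_TYPE prerequisite for IPv4 fields is inserted
    automatically and the structure is padded to a multiple of 8 bytes."""
    fields = b""
    if in_port is not None:
        fields += _oxm(OXM_IN_PORT, struct.pack("!I", in_port))
    if eth_src is not None:
        fields += _oxm(OXM_ETH_SRC, bytes.fromhex(eth_src.replace(":", "")))
    if ipv4_src is not None or ip_proto is not None:
        fields += _oxm(OXM_ETH_TYPE, struct.pack("!H", 0x0800))
    if ipv4_src is not None:
        fields += _oxm(OXM_IPV4_SRC, ipaddress.IPv4Address(ipv4_src).packed)
    if ip_proto is not None:
        fields += _oxm(OXM_IP_PROTO, struct.pack("!B", ip_proto))
        if l4_src is not None:
            fields += _oxm({6: OXM_TCP_SRC, 17: OXM_UDP_SRC}[ip_proto],
                           struct.pack("!H", l4_src))
    length = 4 + len(fields)                  # ofp_match.length excludes padding
    match = struct.pack("!HH", OFPMT_OXM, length) + fields
    return match + b"\x00" * ((8 - length % 8) % 8)


def packet_out_drop(buffer_id, in_port, xid=1):
    """Packet-Out with actions_len = 0 and no data: the switch releases buffer_id
    without forwarding the packet, which discards the buffered Packet-In packet."""
    body = struct.pack("!IIH6x", buffer_id, in_port, 0)
    return _header(OFPT_PACKET_OUT, body, xid)


def flow_mod_drop(match, hard_timeout, priority=1000, xid=2):
    """Flow-Mod ADD carrying the match and no instructions, so matching packets are
    dropped until hard_timeout seconds elapse and the entry is removed."""
    body = struct.pack("!QQBBHHHIIIH2x", 0, 0, 0, OFPFC_ADD, 0, hard_timeout,
                       priority, OFP_NO_BUFFER, OFPP_ANY, OFPG_ANY, 0)
    return _header(OFPT_FLOW_MOD, body + match, xid)


def block_timeout(hit_count, base=30, cap=3600):
    """Assumed policy: lifetime of the drop entry scales with the hash-table count."""
    return min(cap, base * max(1, hit_count))


def shield_program(in_port, mac, ip, proto, sport, hit_count):
    """Flow-Mod blocking one attacking program: host identity plus L4 source port."""
    m = build_match(in_port=in_port, eth_src=mac, ipv4_src=ip, ip_proto=proto, l4_src=sport)
    return flow_mod_drop(m, hard_timeout=block_timeout(hit_count))


def shield_host(in_port, mac, ip, hit_count):
    """Flow-Mod blocking every packet from one attacking host."""
    m = build_match(in_port=in_port, eth_src=mac, ipv4_src=ip)
    return flow_mod_drop(m, hard_timeout=block_timeout(hit_count))


if __name__ == "__main__":
    print(packet_out_drop(0x100, 3).hex())
    print(shield_host(3, "00:11:22:33:44:55", "10.0.0.9", 4).hex())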
Thus the present solution can effectively identify and filter attack packets.
Optionally, normal packets can also be forwarded according to a real-time optimal routing policy.
The steps of the optimal routing policy are as follows:
First, a request is submitted to the topology interface (API) of the SDN controller to acquire the whole-network topology; then the remaining bandwidth of every link in the network is computed from the acquired whole-network link state.
For the computation of the real-time optimal path, the classical Dijkstra algorithm is used, with the edge weights replaced by the reciprocal of the link remaining bandwidth obtained in the previous step, so as to guarantee that the computed path is the least congested one with the lowest transmission delay. The concrete implementation steps of the optimal path are described in detail in Embodiment 2.
Finally, the computed optimal path is converted into a real-time optimal path policy consisting of flow entries, which is issued.
Step S1: using the topology interface, an API provided by the SDN controller, links are discovered with LLDP (Link Layer Discovery Protocol) and broadcast packets, after which the SDN controller computes the network topology automatically.
Step S2: the topology interface of the SDN controller returns the topology to the "whole-network topology acquisition module" of the "real-time optimal path computation module" in response to its acquisition request.
Step S3: the "whole-network link-state acquisition module" sends a request to the "OF switch query interface module" to obtain the link state of the whole network. The "OF switch query interface module" is an extension of the "OF switch feature query module" and the "OF switch status query module" provided by the SDN controller, and implements the computation and query of link remaining bandwidth.
Then, in step S4, the "OF switch query module" broadcasts an OF switch feature request to all OF switches in the network. In step S5 it receives the feature reply messages from the OF switches in the network and parses the curr field of each message to obtain the current bandwidth B of each OF switch port.
Next, in step S6, this module broadcasts an OF switch status request to all OF switches in the network, covering port statistics such as packets sent, bytes sent, bytes received and packets received. Then, in step S7, this module receives the status reply messages from the OF switches in the network, parses the tx_bytes field to obtain the number of bytes sent N1, and records the current time t1.
Next, in step S8, this module again broadcasts an OF switch status request to all OF switches in the network; then, in step S9, it receives the status reply messages from the OF switches in the network, stops timing and records the current time t2, and parses the tx_bytes field to obtain the number of bytes sent N2.
The remaining bandwidth of the port can then be computed as: B - (N2 - N1)/(t2 - t1).
Then, using the acquired network topology, the remaining bandwidth of each link is computed:
For a link between two OF switches, the remaining bandwidth of the OF switch ports at both ends of the link is obtained; the remaining bandwidth of the link is the smaller of the two port values.
For a link between a host and an OF switch, the remaining bandwidth of the OF switch port connected to the host is obtained; the remaining bandwidth of the link is the remaining bandwidth of that port.
Step S4: the SDN controller sends a Feature Request message to all OF switches in the network by broadcast.
Step S5: the SDN controller receives the Feature Reply messages returned to it by the OF switches in the network.
Step S6: the SDN controller sends a Stats Request message to all OF switches in the network by broadcast.
Step S7: the SDN controller receives the Stats Reply messages returned to it by the OF switches in the network.
Step S8: the SDN controller again sends a Stats Request message to all OF switches in the network by broadcast.
Step S9: the SDN controller receives the Stats Reply messages returned to it by the OF switches in the network.
Step S10: the computed link remaining bandwidth information is returned by the OF switch query interface to the "whole-network link-state acquisition module".
Step S11: the routing policy issuing module computes the real-time optimal routing policy, and the resulting flow entries are issued to the relevant OF switches through step S12.
Step S12: this interface is an API provided by the SDN controller and is used to issue the computed optimal routing policy.
Through the optimal path policy described above, the average transmission delay of the network does not rise sharply while the DDoS attack is being defended against.
The SDN controller includes: a path backup unit for computing a backup path for the main path according to the SDN topology and the cost of each link; a flag-bit allocation unit for allocating to each backup path a flag bit used to mark that backup path; and a flow entry issuing unit for issuing flow entries to each OF switch on the backup path according to the backup path and its corresponding flag bit. The SDN controller is adapted, after the SDN topology changes, to determine the path along which packets are forwarded according to the reason for the topology change; that is, after the SDN controller has processed a DDoS threat, packets are forwarded along the optimal path, whereas after it is judged that the main path has failed, packets match the flow entries and are forwarded along the backup path. Concretely, whether a port in the OpenFlow domain of the SDN controller has failed can be obtained, and from this the reason for the SDN topology change is determined.
Embodiment 2
The working method of an SDN network architecture according to this embodiment builds on Embodiment 1: by separating detection from centralized processing it effectively relieves the workload of the SDN controller and improves detection efficiency and data transmission rate, and by collecting SDN link-state information it avoids traffic loss when a link fails.
The working method of the SDN network architecture of the present invention comprises the following steps: step S100, network initialization; step S200, distributed DDoS threat monitoring and/or collection of SDN link-state information; and step S300, threat handling and/or data issuing.
Further, in step S100 the devices involved in network initialization include: an SDN controller, an IDS policy server and IDS devices. The steps of network initialization are as follows: step S101, the IDS policy server and the IDS devices establish a dedicated SSL channel; step S102, the SDN controller builds a network device information binding table and updates it to the IDS devices in real time; step S104, the SDN controller issues flow entries for a mirroring policy, so that the OF switches mirror the traffic of every port with attached hosts to the IDS device; and step S105, the SDN controller issues DDoS threat identification rules to the IDS device corresponding to each network domain.
In step S200 the method of distributed DDoS threat monitoring includes: successively detecting address spoofing at the link layer and internetwork layer, anomalous flag-bit settings at the internetwork layer and transport layer, and flooding attacks at the application layer and transport layer; if in the course of this detection a packet is judged to exhibit the corresponding behaviour, the packet is passed to step S300.
Fig. 9 shows the flow block diagram of the distributed DDoS threat monitoring method.
As shown in Fig. 9, the concrete implementation steps include:
Step S210: detect address spoofing at the link layer and internetwork layer.
Step S220: detect anomalous flag-bit settings at the internetwork layer and transport layer.
Step S230: detect flooding attacks at the application layer and transport layer.
Step S240: after a packet has passed through steps S210, S220 and S230 in turn, if any step judges that the packet exhibits spoofing, anomalous or attack behaviour, the packet is passed to step S300.
In step S210 the method of detecting address spoofing at the link layer and internetwork layer comprises: step S211, the spoofed-packet detection module loads the network device information binding table; step S212, the spoofed-packet detection module parses the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the OF switch that sent the Packet-In message, and compares each of these with the corresponding entry in the network device information binding table. If the information in the packet matches, the packet proceeds to step S220; if it does not match, the packet is passed to step S300.
In step S220 the method of detecting anomalous flag-bit settings at the internetwork layer and transport layer includes: checking each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification; if every flag bit conforms, the packet proceeds to step S230; if any flag bit does not conform, the packet is passed to step S300.
In step S230 the method of detecting flooding attacks at the application layer and transport layer comprises: step S231, the anomalous-packet detection module builds a hash table for identifying flooding attack packets; step S232, the anomalous-packet detection module judges, according to the threshold set in the hash table, whether the packet is a flooding attack packet, and passes the result to step S300. If the packet shows no attack behaviour it is forwarded normally or according to the optimal path policy described above; if it shows attack behaviour, the corresponding blocking measure is taken.
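Steps S210 and S220 above as runnable checks, applied in the patent's order so that the first failing step decides which behaviour is reported to S300. This is an added example, not the patent's code: the binding table, the parsed Packet-In records and the set of flag combinations treated as non-conforming (null, SYN+FIN, SYN+RST, a segment with none of SYN/RST/ACK, the reserved IP flag bit) are constructed for illustration.

```python
"""S210 (spoofed-packet check against the binding table) and S220 (flag-bit
conformance check) over constructed Packet-In records (added example)."""

# Constructed binding table from initialization (S102):
# (switch DPID, ingress port) -> (MAC, IPv4) of the host attached there
BINDING_TABLE = {
    ("00:00:00:00:00:00:00:01", 1): ("00:11:22:33:44:55", "10.0.0.5"),
    ("00:00:00:00:00:00:00:01", 2): ("00:11:22:33:44:66", "10.0.0.9"),
}

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_RESERVED_FLAG = 0x4      # reserved bit of the IP header flags field; must be zero


def check_spoofing(pkt, table=BINDING_TABLE):
    """S210: the source MAC/IP seen on (dpid, in_port) must equal the binding for
    that attachment point. Returns a reason string, or None if the packet passes."""
    bound = table.get((pkt["dpid"], pkt["in_port"]))
    if bound is None:
        return "no binding for this switch port"
    if (pkt["eth_src"], pkt["ip_src"]) != bound:
        return "source MAC/IP does not match the binding table"
    return None


def check_flags(pkt):
    """S220: reject flag settings that the IP and TCP specifications do not permit."""
    if pkt.get("ip_flags", 0) & IP_RESERVED_FLAG:
        return "IP reserved flag bit set"
    if pkt.get("ip_proto") != 6:            # only TCP carries the flags checked below
        return None
    f = pkt["tcp_flags"]
    if f == 0:
        return "no TCP flags set (null scan)"
    if f & SYN and f & FIN:
        return "SYN and FIN set together"
    if f & SYN and f & RST:
        return "SYN and RST set together"
    if not f & (SYN | RST | ACK):
        return "segment without SYN, RST or ACK (e.g. FIN/PSH/URG only)"
    return None


CHECKS = (("S210", check_spoofing), ("S220", check_flags))


def monitor(pkt):
    """Run the checks in order; the first failure decides the verdict.
    Returns (step, reason) for a packet to hand to S300, or None for a clean packet."""
    for step, check in CHECKS:
        reason = check(pkt)
        if reason is not None:
            return step, reason
    return None


# Constructed Packet-In records (fields already parsed from the encapsulated packet)
DPID1 = "00:00:00:00:00:00:00:01"
SAMPLE_PACKETS = [
    {"dpid": DPID1, "in_port": 1, "eth_src": "00:11:22:33:44:55",
     "ip_src": "10.0.0.5", "ip_proto": 6, "tcp_flags": SYN},              # clean SYN
    {"dpid": DPID1, "in_port": 1, "eth_src": "00:11:22:33:44:55",
     "ip_src": "10.0.0.77", "ip_proto": 17},                             # spoofed IP
    {"dpid": DPID1, "in_port": 2, "eth_src": "00:11:22:33:44:66",
     "ip_src": "10.0.0.9", "ip_proto": 6, "tcp_flags": SYN | FIN},        # SYN+FIN
    {"dpid": DPID1, "in_port": 2, "eth_src": "00:11:22:33:44:66",
     "ip_src": "10.0.0.9", "ip_proto": 6, "tcp_flags": FIN | PSH | URG},  # Xmas
    {"dpid": DPID1, "in_port": 3, "eth_src": "00:11:22:33:44:77",
     "ip_src": "10.0.0.13", "ip_proto": 6, "tcp_flags": ACK},             # unknown port
]


def run_demo(packets=SAMPLE_PACKETS):
    return [monitor(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()):
        print(pkt["ip_src"], verdict)
```

Ordering matters for the coarse-grained Drop decision the patent describes in S300: a packet that fails S210 must not reach the later counters, because its addresses cannot be trusted to identify the program or host to block.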
The method of collecting SDN link-state information includes: computing a backup path for the main path according to the SDN topology and the cost of each link; allocating to each backup path a flag bit used to mark that backup path; and issuing flow entries to each OF switch on the backup path according to the backup path and its corresponding flag bit.
In step S300 the method of threat handling and/or data issuing includes:
If the packet exhibits spoofing, and the attack threat lies within the OpenFlow domain, the IDS policy server is adapted to block the host via the SDN controller; when the attack threat does not lie within the OpenFlow domain, the traffic of the access port of the OF switch corresponding to the packet is redirected by the SDN controller to a traffic scrubbing centre for filtering. If the packet exhibits anomalous behaviour, the IDS policy server blocks the traffic of the attacking program or attacking host via the SDN controller. Concretely, for a malformed-packet attack, since the packet currently being handled by the IDS device has already passed the spoofed-packet check, its addresses are genuine. The IDS policy server need only issue, through the northbound interface of the SDN controller, a flow entry whose action is Drop to block the traffic of the attacking program or host. This is, however, a coarse-grained decision and is only suitable for malformed-packet attacks with a small volume of attack packets.
If the packet exhibits flooding attack behaviour, the IDS policy server redirects, via the SDN controller, the traffic of the access port of the OF switch corresponding to the packet to the traffic scrubbing centre for filtering. Optionally, the security devices of the traffic scrubbing centre can also feed the protection result back to the SDN controller, which adjusts the network policy, achieving multi-dimensional protection where the SDN network is mixed with a legacy network.
Further, the optimal path is computed from the link load coefficient, i.e. the remaining bandwidth of the link between two adjacent nodes is measured to obtain the load coefficient of that link; the optimal path between any two points is obtained from this load coefficient and the initialized network topology graph, and the SDN controller derives the corresponding forwarding flow entries from this optimal path and issues them to each OF switch.
The concrete algorithm flow for the optimal path is as follows:
Let $r_{n,(n-1)}$ be the remaining bandwidth of the link between two adjacent nodes; its link load coefficient is then:
/* link load coefficient, computed by the SDN controller */
$U(a,b)$ is the sum of the load coefficients between any two points:
$$U(a,b) = \sum_{n=a}^{b} \mathrm{cost}_{n,(n+1)}$$
Let the initial network topology graph be $G_0$; the optimal path between any two points is computed,
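Steps S4 to S12 of Embodiment 1 and the load-coefficient path computation just given, carried through in code: port remaining bandwidth from two tx_bytes samples, link remaining bandwidth as the smaller of the two port values, Dijkstra with weight 1/remaining bandwidth for the main path, and a second run with the main path's inter-switch links removed to obtain the backup path of the path backup unit. This is an added example, not the patent's code; the topology, port capacities and counter samples are constructed. One caveat a practitioner will hit: in OpenFlow 1.3 the curr field of a port description is a bitmap of OFPPF_* feature flags (the numeric rate is in curr_speed, in kbit/s), and tx_bytes is a byte counter, so the example takes capacity as an already-decoded value in bit/s and converts the byte delta to bit/s before subtracting, which the formula B - (N2 - N1)/(t2 - t1) leaves implicit.

```python
"""Remaining bandwidth, 1/bandwidth Dijkstra, and a link-disjoint backup path
over a constructed six-node topology (added example)."""
import heapq


def port_remaining_bw(capacity_bps, tx_bytes_1, t1, tx_bytes_2, t2):
    """B - (N2 - N1)/(t2 - t1) with the byte delta converted to bit/s; clamped at
    zero because counters may wrap or a port may briefly exceed nominal capacity."""
    if t2 <= t1:
        raise ValueError("second sample must be later than the first")
    used_bps = (tx_bytes_2 - tx_bytes_1) * 8 / (t2 - t1)
    return max(0.0, capacity_bps - used_bps)


def link_remaining_bw(ports, topology):
    """ports: {(node, port): remaining bit/s}; topology: (a, port_a, b, port_b) tuples
    where a host end has port None. Switch-switch links take the smaller end, host
    links the single switch port. Returns {frozenset({a, b}): remaining bit/s}."""
    links = {}
    for a, pa, b, pb in topology:
        ends = [ports[(n, p)] for n, p in ((a, pa), (b, pb)) if p is not None]
        links[frozenset((a, b))] = min(ends)
    return links


def dijkstra(links, src, dst, excluded=frozenset()):
    """Least-cost path with cost 1/remaining_bw per link. Saturated links (0 bit/s)
    and excluded links are unusable. Returns the node list, or None if unreachable."""
    adj = {}
    for link, bw in links.items():
        if bw <= 0 or link in excluded:
            continue
        a, b = tuple(link)
        adj.setdefault(a, []).append((b, 1.0 / bw))
        adj.setdefault(b, []).append((a, 1.0 / bw))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                      # stale heap entry
        if u == dst:
            break
        for v, w in adj.get(u, ()):
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path, node = [dst], dst
    while node != src:
        node = prev[node]
        path.append(node)
    return path[::-1]


def main_and_backup(links, src, dst):
    """Main path, then a backup that avoids the main path's inter-switch links
    (the host access links cannot be avoided, so they stay eligible)."""
    main = dijkstra(links, src, dst)
    if main is None:
        return None, None
    inner = {frozenset(e) for e in zip(main[1:-1], main[2:-1])}
    return main, dijkstra(links, src, dst, excluded=inner)


def run_demo():
    """Constructed network: h1 - s1 - {s2 | s3} - s4 - h2, all ports 100 Mbit/s,
    counters sampled one second apart; the s1->s2 port is 90 % loaded."""
    cap = 100_000_000
    samples = {                        # (node, port): (tx_bytes at t1, tx_bytes at t2)
        ("s1", 1): (0, 0), ("s1", 2): (0, 11_250_000), ("s1", 3): (0, 2_500_000),
        ("s2", 1): (0, 1_250_000), ("s2", 2): (0, 1_250_000),
        ("s3", 1): (0, 2_500_000), ("s3", 2): (0, 2_500_000),
        ("s4", 1): (0, 1_250_000), ("s4", 2): (0, 1_250_000), ("s4", 3): (0, 0),
    }
    ports = {k: port_remaining_bw(cap, n1, 0.0, n2, 1.0) for k, (n1, n2) in samples.items()}
    topology = [("h1", None, "s1", 1), ("s1", 2, "s2", 1), ("s1", 3, "s3", 1),
                ("s2", 2, "s4", 1), ("s3", 2, "s4", 2), ("s4", 3, "h2", None)]
    links = link_remaining_bw(ports, topology)
    return links, main_and_backup(links, "h1", "h2")


if __name__ == "__main__":
    print(run_demo())
```

With these samples the s1-s2 link has 10 Mbit/s left and s1-s3 has 80 Mbit/s, so the main path goes through s3 even though both routes have the same hop count; the backup path is the one through s2, which the controller would pre-install with its own flag bit as described for the path backup unit.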
The method by which the IDS policy server blocks the program and/or host that sent a packet includes:
First, building the corresponding counting hash tables and setting the corresponding thresholds, i.e. within a unit time the IDS policy server builds a first hash table counting spoofing behaviour, a second hash table counting anomalous flag-bit settings, and a third hash table counting flooding attack behaviour, and sets first, second and third thresholds for the first, second and third hash tables respectively. Second, blocking the program and/or host that sent the packet, i.e. for the behaviour of a packet passed to the IDS policy server, the corresponding hash table is used to count it, and when the count exceeds the corresponding threshold the program and/or host that sent the packet is blocked.
In step S300 the method of data issuing further includes: determining the forwarding path of packets according to the reason for the SDN topology change; that is, after the SDN controller has handled the threat, packets are forwarded along the optimal path, whereas after it is judged that the main path has failed, packets match the flow entries and are forwarded along the backup path.
Embodiment 3
The SDN network architecture of the present invention may define SDNQA (SDN Communication Quality Assurance Strategy), i.e. an SDN communication quality assurance strategy.
The test environment and test contents of the SDN network architecture of the present invention are as follows:
Based on the OpenFlow 1.3 protocol, test the communication among a Floodlight SDN controller equipped with the DDoS threat filtering and communication quality assurance components, the OF switches, the IDS devices and the IDS policy server.
Test whether the IDS device can monitor abnormal attack traffic in the network in real time and report it to the IDS policy server through the SSL channel.
Test whether the IDS policy server can, according to the information reported by the IDS device, formulate the corresponding strategy for handling the attack threat and issue it through the northbound interface of the SDN controller.
Test whether the SDN controller can generate and issue real-time optimized forwarding paths according to the real-time network state.
Fig. 8 shows the concrete deployment topology of the experimental scenario.
The concrete deployment of the experimental scenario is shown in Fig. 8. Centred on the network area there are two virtual networks: virtual network A has the SDNQA system deployed, virtual network B does not, and both contain a number of DDoS zombie hosts. On the right is the experimental effect comparison area, comprising a Web server and two user hosts; Tomcat runs on the Web server and provides Web service externally, and user hosts A and B access virtual networks A and B respectively. On the left is the attack simulation area, containing one DDoS attack host which, acting as the master, controls the zombie hosts in virtual networks A and B to launch a hybrid DDoS attack against the Web server.
Based on the above experimental environment, the performance of the SDNQA architecture is verified in two respects: (1) comparing the attack frequency borne by the Web server under the hybrid DDoS attack; (2) comparing the network average transmission delay caused by the flooding attack.
The experimental results and analysis are shown in Fig. 9(a) and Fig. 9(b).
Fig. 9(a) is a graph of the attack frequency borne by a Web server not using the SDN network architecture of the present invention.
Fig. 9(b) is a graph of the attack frequency borne by a Web server using the SDN network architecture of the present invention.
First, the traffic flowing into the Web server is analysed. The attack host controls the zombie hosts in each virtual network to launch a hybrid DDoS attack on the Web server simultaneously, with a peak frequency of 55 Hz and an attack duration of 100 seconds. All packet sequences arriving at the Web server are captured, the request sequence from each virtual network is separated out, and the request sequences flowing into the server from virtual networks A and B are plotted respectively; the comparison of the attack frequency borne by the Web server is shown in Fig. 9(a) and Fig. 9(b).
Fig. 10 is a comparison graph of average transmission rate.
As can be seen from Fig. 10, the SDN network architecture of the present invention quickly identified the typical DDoS attack within the period 0 s to 5 s, and took filtering protection measures within the period 0 s to 40 s. After 40 s the network traffic returns to normal, and test user host A can always obtain responses to its web-page requests normally. In contrast, virtual network B, where the SDNQA system is not deployed, continuously receives a large volume of attack traffic, and test user host B cannot obtain responses to its web-page requests.
Second, from the packet sequences captured earlier, the request sequences of test user host A and test user host B are extracted, the average transmission delay of packets is computed from each request sequence, and the average transmission delays of the two virtual networks are obtained as shown in Fig. 9(a) and Fig. 9(b).
As can be seen from Fig. 10, after route optimization the average transmission delay of virtual network A does not rise sharply with the increase in data volume. It follows that the SDNQA architecture can optimize traffic forwarding paths based on real-time perception of the network state, thereby guaranteeing network data transmission even when the network is under DDoS attack or carrying normal high-volume services.

Claims (6)

1. A working method of an SDN network architecture, comprising the following steps:
Step S100, network initialization;
Step S200, distributed DDoS threat monitoring and/or collection of SDN link-state information; and
Step S300, threat handling and/or data issuing.
2. The working method of an SDN network architecture according to claim 1, characterized in that in step S100 the devices involved in network initialization include: an SDN controller, an IDS policy server and IDS devices;
the steps of network initialization are as follows:
Step S101, the IDS policy server and the IDS devices establish a dedicated SSL channel;
Step S102, the SDN controller builds a network device information binding table and updates it to the IDS devices in real time;
Step S104, the SDN controller issues flow entries for a mirroring policy, so that the OF switches mirror the traffic of every port with attached hosts to the IDS device; and
Step S105, the SDN controller issues DDoS threat identification rules to the IDS device corresponding to each network domain.
3. The working method of an SDN network architecture according to claim 2, characterized in that in step S200 the method of distributed DDoS threat monitoring includes:
successively detecting address spoofing at the link layer and internetwork layer, anomalous flag-bit settings at the internetwork layer and transport layer, and
flooding attacks at the application layer and transport layer;
if in the course of this detection a packet is judged to exhibit the corresponding behaviour, the packet is passed to step S300;
that is, the method of detecting address spoofing at the link layer and internetwork layer includes:
detecting spoofing by the spoofed-packet detection module, i.e.
first, loading the network device information binding table by the spoofed-packet detection module;
second, parsing by the spoofed-packet detection module the type of the packet encapsulated in the Packet-In message, to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the OF switch that sent the Packet-In message, and comparing each of these with the corresponding entry in the network device information binding table;
if the information in the packet matches, the packet proceeds to the next check;
if the information in the packet does not match, the packet is passed to step S300;
the method of detecting anomalous flag-bit settings at the internetwork layer and transport layer includes:
detecting anomalous flag-bit settings by the malformed-packet detection module, i.e.
checking each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification;
if every flag bit of the packet conforms, the packet proceeds to the next check;
if any flag bit of the packet does not conform, the packet is passed to step S300;
the method of detecting flooding attacks at the application layer and transport layer includes:
detecting flooding attacks by the anomalous-packet detection module, i.e.
building in the anomalous-packet detection module a hash table for identifying flooding attack packets, judging according to the threshold set in this hash table whether the packet exhibits flooding attack behaviour, and passing the result to step S300; and
the method of collecting SDN link-state information includes:
computing a backup path for the main path according to the SDN network topology and the cost of each link;
allocating to each backup path a flag bit used to mark that backup path; and
issuing flow entries to each OF switch on the backup path according to the backup path and its corresponding flag bit.
4. The working method of an SDN network architecture according to claim 3, characterized in that in step S300 the method of threat handling and/or data issuing includes:
if the packet exhibits spoofing and the attack threat lies within the OpenFlow domain, the IDS policy server is adapted to block the host via the SDN controller; and when the attack threat does not lie within the OpenFlow domain, the traffic of the access port of the OF switch corresponding to the packet is redirected by the SDN controller to a traffic scrubbing centre for filtering;
if the packet exhibits anomalous behaviour, the IDS policy server blocks the traffic of the attacking program or attacking host via the SDN controller;
if the packet exhibits flooding attack behaviour, the IDS policy server redirects, via the SDN controller, the traffic of the access port of the OF switch corresponding to the packet to the traffic scrubbing centre for filtering; and/or
computing the optimal path from the link load coefficient, i.e. measuring the remaining bandwidth of the link between two adjacent nodes to obtain the load coefficient of that link, obtaining the optimal path between any two points from this load coefficient and the initialized network topology graph, and the SDN controller deriving the corresponding forwarding flow entries from this optimal path and issuing them to each OF switch.
5. The working method of an SDN network architecture according to claim 4, characterized in that the method by which the IDS policy server blocks the program and/or host that sent the packet includes:
first, building the corresponding counting hash tables and setting the corresponding thresholds, i.e.
within a unit time, building in the IDS policy server a first hash table counting spoofing behaviour, a second hash table counting anomalous flag-bit settings, and a third hash table counting flooding attack behaviour;
and setting first, second and third thresholds for the first, second and third hash tables respectively;
second, blocking the program and/or host that sent the packet, i.e.
for the behaviour of a packet passed to the IDS policy server, counting it with the corresponding hash table, and when the count exceeds the corresponding threshold, blocking the program and/or host that sent the packet.
6. The working method of an SDN network architecture according to claim 5, characterized in that in step S300 the method of data issuing further includes:
determining the forwarding path of packets according to the reason for the SDN network topology change; that is, after the SDN controller has handled the threat, forwarding packets along the optimal path, or, after judging that the main path has failed, matching packets against the flow entries and forwarding them along the backup path.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510024417.6A CN105871772A (en) 2015-01-18 2015-01-18 Working method of SDN network architecture aimed at network attack


Publications (1)

Publication Number Publication Date
CN105871772A true CN105871772A (en) 2016-08-17

Family

ID=56622800


Country Status (1)

Country Link
CN (1) CN105871772A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106411852A * 2016-08-31 2017-02-15 浙江宇视科技有限公司 Distributed terminal access control method, and apparatus
CN106411852B * 2016-08-31 2020-01-14 浙江宇视科技有限公司 Distributed terminal access control method and device
CN108289104A * 2018-02-05 2018-07-17 重庆邮电大学 Industrial SDN network DDoS attack detection and mitigation method
CN108289104B * 2018-02-05 2020-07-17 重庆邮电大学 Industrial SDN network DDoS attack detection and mitigation method
CN108833430A * 2018-06-29 2018-11-16 华中科技大学 Topology protection method of software defined network
CN108833430B * 2018-06-29 2020-05-19 华中科技大学 Topology protection method of software defined network
CN109257360A * 2018-10-08 2019-01-22 江苏大学 Hidden information sending and analyzing method based on transmission path in SDN network
CN109257360B * 2018-10-08 2020-08-28 江苏大学 Hidden information sending and analyzing method based on transmission path in SDN network


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160817