CN106060015A - IP source address verification method based on SDN
- Publication number: CN106060015A
- Application number: CN201610332912.8A
- Authority: CN (China)
- Prior art keywords: node, sdn, packet, sdn controller, rule
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
Abstract
The invention discloses an IP source address verification method based on SDN. The method comprises the following steps: A1, an SDN controller converts the intra-domain network topology into a packet forwarding view tree with a border gateway device as the root node; A2, the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, and SDN switches replace the conventional switches on the deployment nodes; A3, the SDN controller computes forwarding rules and deploys them on the SDN switches; and A4, the SDN switches match arriving packets against the forwarding rules. With this method, a small number of SDN devices deployed in the intra-domain network achieves a maximal IP source address verification effect, incremental deployment of the system is facilitated, and early-stage investment is effectively reduced.
Description
Technical field
The present invention relates to the network security field of IP source address verification, and in particular to a method of IP source address verification based on software-defined networking (SDN).
Background art
Because the current Internet forwards and addresses packets only by their destination address, it pays no attention to the sending user or to the IP source address of the sending host, and the Internet architecture itself lacks a mechanism for authenticating packet IP source addresses. This allows packet IP source addresses to be spoofed and gives rise to attacks based on source address spoofing, while relying on the packet IP source address alone makes it hard to locate the attack source or leads to tracing the wrong origin. Many attacks (such as denial-of-service attacks) exploit exactly this weakness, attacking victims without being held responsible, which greatly damages the credibility and accountability of the Internet and creates a contradiction between the openness of the Internet and its users' demand for a trustworthy Internet. Genuine packet IP source addresses are an essential condition for a trustworthy Internet, and ensuring the reliability of packet IP source addresses is an important means of effectively reducing attacks and increasing network security and trust.
Research has mainly proceeded along the lines of source address encryption, protocol redesign, host protocol stack/router software modification, packet filtering, and SDN device deployment.
Source address encryption schemes encrypt the packet's source address with a symmetric or asymmetric encryption algorithm so that the receiving host can verify the legitimacy of the packet's source address. However, this mechanism affects applications that use the source address as a decision condition (such as flow classification), and key agreement and the classification system add system overhead to some extent.
Protocol redesign uses rarely used fields in the IP header, inserting custom marks that the receiving end identifies in order to judge whether the source address is genuine. However, this mechanism may affect other protocols or services, including quality-of-service (QoS) guarantees, and a malicious user can also impersonate other hosts by forging the marks.
Host protocol stack/router software modification achieves IP source address verification by modifying the host TCP/IP protocol stack or the router operating system. For example, the Host Identity Protocol (HIP) scheme establishes a "host identity" intermediate layer between the IP layer and the transport layer and uses encryption and mapping mechanisms to ensure the association and reliability of the mapping between host identity and IP address. The drawback of this mechanism is that the scheme is costly to implement and deploy.
Packet filtering schemes set rules in advance on devices along the packet forwarding path (such as layer-2 switches, routers and firewalls) in order to filter out invalid packets, but their filtering accuracy suffers from false positives (misjudgments) or false negatives (missed detections).
Finally, general SDN deployment schemes deploy SDN devices, such as OpenRouter routers and OpenFlow switches, throughout the whole subnet, and use the controller to compute forwarding rules centrally and issue them to the SDN devices, thereby verifying packet IP source addresses. This approach demands a high deployment rate: the whole subnet must deploy SDN devices to reach a 100% filtering effect.
Summary of the invention
The object of the invention is to provide an SDN-based IP source address verification method and system that, by deploying a small number of SDN devices in the intra-domain network, maximizes the IP source address verification effect while also adapting well to changes in network topology.
The present invention provides an SDN-based IP source address verification method comprising the following steps:
A1. The SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node;
A2. The SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches on the deployment nodes with SDN switches;
A3. The SDN controller computes forwarding rules and deploys them on the SDN switches;
A4. The SDN switch matches arriving packets against the forwarding rules.
Preferably, in step A1, if there is only one border gateway device in the network, that device is the root node; if the network has multiple border gateway devices, the device that is common to them and nearest is found and used as the root node, and multiple links between two devices are treated as one link.
Preferably, step A1 comprises: the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node, according to the intra-domain routing table or a single-source shortest path algorithm.
Further preferably, in step A1 the single-source shortest path algorithm is Dijkstra's algorithm.
Preferably, step A2 comprises: the SDN controller computes the utility value of each node on the packet forwarding view tree according to a utility function and sorts the nodes by utility value from high to low; following the sorted order, nodes are chosen in turn and the SDN nodes are found according to a heuristic algorithm.
Further preferably, the utility function uses formula (1) below to compute the utility value u_i of each node on the packet forwarding view tree, and the nodes are sorted by utility value from high to low.
Where pc_i: integer, the number of IP prefixes covered by node i (including all prefix pairs in the subtree of node i and the prefix pairs of node i itself); u_i: integer, the detectable spoofed-prefix utility value when node i is an SDN node, i.e. the number of IP prefix pairs that cannot be forged; Child[i]: integer array, the numbers of all child nodes of node i.
For any node, its utility value is the size of the set of all prefix pairs that pass through the node.
Following the descending order of node utility values, nodes are selected in turn according to the heuristic algorithm and their utility values are accumulated, while duplicated utility is removed: the intersection of the prefix pair set covered by the current node with the prefix pair sets covered by the already selected nodes is discarded. Selection continues until the accumulated utility value of the selected nodes meets the filtering effect requirement set by the user.
At this point, the nodes selected above are deployed as SDN nodes, the order in which the nodes were selected is the deployment order of the SDN nodes, and the conventional switches on the deployment nodes are replaced with SDN switches.
Further preferably, in step A2 the heuristic algorithm is:
Where λ: fraction, the minimum requirement of the network or user for the ratio of IP prefixes that cannot be spoofed; N: integer, the total number of nodes, equal to |V|; Distinct(): function that eliminates duplicated utility when multiple nodes are deployed at the same time.
Preferably, step A3 comprises: based on the packet forwarding view tree generated in step A1, the SDN node positions from step A2 and the set of subnet prefixes covered by each SDN node, the SDN controller generates a legal forwarding rule set that performs forwarding and an illegal forwarding rule set that performs dropping, and issues both to the corresponding SDN node.
Preferably, step A4 comprises: after a packet arrives at an SDN switch, the SDN switch matches it against the forwarding rules issued in step A3; if the match succeeds, the forward or drop operation defined in the hit forwarding rule is executed. When a forwarding rule update is delayed, or policy routing causes the match to fail, the packet is delivered to the SDN controller, which analyzes its legitimacy and issues a forwarding rule.
When the network topology changes, the SDN controller reissues forwarding rules using a combination of precomputation and real-time computation, which achieves adaptation to topology changes. Precomputation means that the system computes in advance the forwarding rules corresponding to each SDN node for the case of a single node or single link failure, saving computation time when the topology changes; real-time computation means that, when a topology change goes beyond the cases anticipated by the precomputation, the forwarding rules on the SDN nodes are computed in real time from the topology.
The present invention also provides an SDN-based IP source address verification system comprising a conversion module, an SDN node deployment module, a forwarding rule computation module and a packet matching module. The conversion module is used for: the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node. The SDN node deployment module is used for: the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches on the deployment nodes with SDN switches. The forwarding rule computation module is used for: the SDN controller computes forwarding rules and deploys them on the SDN switches. The packet matching module is used for: the SDN switch matches arriving packets against the forwarding rules.
Beneficial effects of the invention: the method converts the network topology in step A1, finds the key nodes in step A2 and deploys them as SDN nodes, and then, through the forwarding rules and packet matching of steps A3 and A4, deploys fewer SDN nodes while reaching a maximized filtering effect, thereby achieving verification of intra-domain Internet Protocol (IP) source addresses.
Compared with other existing source address validation methods and systems, the invention detects packet source addresses within the domain without modifying the host protocol stack or existing Internet protocols, while effectively reducing deployment overhead. It is highly practicable, adapts well to network changes, optimizes the trade-off between deployment cost and source address validation effect, and favors incremental deployment. The invention can effectively reduce Internet source address spoofing and the related attacks, and contributes positively to building a secure and trustworthy Internet.
Brief description of the drawings
Fig. 1a is a schematic diagram of the overall mechanism before SDN devices are deployed, and Fig. 1b is a schematic diagram of the overall mechanism after SDN devices are deployed.
Fig. 2 is a flow chart of the SDN node selection algorithm.
Detailed description
The invention is described in detail below with reference to the drawings and specific embodiments.
Fig. 1a is a schematic diagram of the overall mechanism before SDN devices are deployed, and Fig. 1b is a schematic diagram of the overall mechanism after SDN devices are deployed. H1 and H2 are legitimate hosts, H1' is a spoofing host, A, B and C are conventional switches, A' is an SDN switch, and D is the SDN controller.
The spoofing host H1' forges the IP address of legitimate host H1 to send spoofed packets. Before SDN devices are deployed, the network cannot detect and filter these spoofed packets; after an SDN device is deployed at intra-domain topology node A, the network can detect and filter them through the flow rules issued by the SDN controller.
The present invention provides an SDN-based IP source address verification method, which specifically comprises the following steps:
A1. There are multiple border gateway devices in the intra-domain network; the device that is common to and nearest the multiple border gateway devices in this network is found and used as the root node, and multiple links between devices are treated as one link.
From the network topology connection matrix information G(V, E) (V is the set of all layer-3 forwarding nodes in the domain, and E is the link metric between those layer-3 nodes), the SDN controller uses Dijkstra's algorithm to convert the network topology into a packet forwarding view tree.
A2. The utility value u_i of each node is computed according to formula (1), covering all prefix pairs in the subtree of node i and the prefix pairs of node i itself, and the nodes are sorted by utility value from high to low.
Where pc_i: integer, the number of IP prefixes covered by node i (including all prefix pairs in the subtree of node i and the prefix pairs of node i itself); u_i: integer, the detectable spoofed-prefix utility value when node i is an SDN node, i.e. the number of IP prefix pairs that cannot be forged; Child[i]: integer array, the numbers of all child nodes of node i.
Following the descending order of node utility values, nodes are selected in turn and their utility values are accumulated according to formula (2), while duplicated utility is removed: the intersection of the prefix pair set covered by the current node with the prefix pair sets covered by the already selected nodes is discarded. Selection continues until the accumulated utility value of the selected nodes meets the filtering effect requirement set by the user.
Where λ: fraction, the minimum requirement of the network or user for the ratio of IP prefixes that cannot be spoofed; N: integer, the total number of nodes, equal to |V|; Distinct(): function that eliminates duplicated utility when multiple nodes are deployed at the same time.
At this point, the nodes selected above are deployed as SDN nodes, the order in which the nodes were selected is the deployment order of the SDN nodes, and the conventional switch on each such node is replaced with an SDN switch.
The SDN node selection algorithm is given below, and its flow chart is shown in Fig. 2.
Algorithm 1 SDN node selection algorithm
Input:
AM is N*N topological adjacency matrix;
Output:
α is the ratio that SDN node accounts for all nodes;
A3. The administrator revises or confirms the deployment nodes through the SDN controller.
For each deployment node position, the SDN controller computes the prefix pairs allowed on all ports under that node: it allows communication between legal prefix pairs to be forwarded (source IP = source IP prefix/subnet mask, destination IP = destination IP prefix/subnet mask, Output(port)), while blocking communication between other, illegal prefix pairs.
The SDN controller merges the above rules and issues them to the SDN nodes.
A4. When a packet arrives at an SDN device port, the SDN device matches the packet against the forwarding rules; if the match succeeds, the action defined in the matching rule is executed; otherwise the packet is handed to the controller for processing. The functions of the other, conventional nodes are unchanged: they forward packets according to their routing tables, are neither controlled nor affected by the SDN controller, and do not take part in packet filtering.
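The following Python sketch is an added example, not code from the patent: it walks steps A1 to A4 on a constructed seven-node domain, building the forwarding view tree with Dijkstra, choosing SDN nodes greedily with duplicate coverage removed, then generating and matching prefix-pair rules. Formulas (1) and (2) are not reproduced on this page, so the utility model (ordered source/destination prefix pairs whose tree path crosses a node), the topology, the prefixes and all function names are assumptions.

```python
import heapq
import ipaddress
from itertools import permutations

# Constructed sample domain (not from the patent): link metrics and the one
# prefix attached to each edge node. "GW" is the border gateway (tree root).
LINKS = {("GW", "A"): 1, ("GW", "B"): 1, ("A", "C"): 1, ("A", "D"): 1,
         ("B", "E"): 1, ("B", "F"): 1, ("B", "C"): 5}
ATTACHED = {"C": "10.0.1.0/24", "D": "10.0.2.0/24",
            "E": "10.0.3.0/24", "F": "10.0.4.0/24"}


def forwarding_tree(links, root):
    """Step A1: Dijkstra from the root; returns {node: parent} (root -> None)."""
    adj = {}
    for (a, b), w in links.items():
        adj.setdefault(a, {})[b] = w
        adj.setdefault(b, {})[a] = w
    dist, parent, heap = {root: 0}, {root: None}, [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue                      # stale heap entry
        for m, w in adj[n].items():
            if d + w < dist.get(m, float("inf")):
                dist[m], parent[m] = d + w, n
                heapq.heappush(heap, (d + w, m))
    return parent


def port_towards(node, prefix, parent, attached):
    """Side of `node` on which `prefix` lives: a child name, "up" or "local"."""
    hop = next(n for n, p in attached.items() if p == prefix)
    if hop == node:
        return "local"
    while parent[hop] is not None:
        if parent[hop] == node:
            return hop                    # prefix is in this child's subtree
        hop = parent[hop]
    return "up"                           # prefix is outside node's subtree


def pairs_through(node, parent, attached):
    """Assumed utility model: ordered (src, dst) prefix pairs routed via node."""
    return {(s, d) for s, d in permutations(attached.values(), 2)
            if port_towards(node, s, parent, attached)
            != port_towards(node, d, parent, attached)}


def select_sdn_nodes(parent, attached, lam):
    """Step A2: rank by utility, add distinct coverage until ratio >= lam."""
    pairs = {n: pairs_through(n, parent, attached) for n in parent}
    total = max(1, len(attached) * (len(attached) - 1))
    chosen, seen = [], set()
    for n in sorted(parent, key=lambda n: (-len(pairs[n]), n)):
        if len(seen) >= lam * total:
            break
        if pairs[n] - seen:               # Distinct(): only new pairs count
            chosen.append(n)
            seen |= pairs[n]
    return chosen, len(seen) / total


def build_rules(node, parent, attached):
    """Step A3: allow rules (src prefix, dst prefix, Output(port)) for a node."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d),
             port_towards(node, d, parent, attached))
            for s, d in sorted(pairs_through(node, parent, attached))]


def match(rules, src, dst, prefixes):
    """Step A4: forward on a hit, drop known-but-illegal pairs, else punt."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d, port in rules:
        if src in s and dst in d:
            return f"output:{port}"
    known = [ipaddress.ip_network(p) for p in prefixes]
    if any(src in k for k in known) and any(dst in k for k in known):
        return "drop"                     # stands in for the illegal rule set
    return "controller"                   # table miss: controller decides
```

In this simplified model a forged source whose (source, destination) pair legitimately crosses the node still hits an allow rule, because the sketch matches on prefixes only and not on the ingress port.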
A system based on the above IP source address verification method comprises a conversion module, an SDN node deployment module, a forwarding rule computation module and a packet matching module. The conversion module is used for: the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node. The SDN node deployment module is used for: the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches on the deployment nodes with SDN switches. The forwarding rule computation module is used for: the SDN controller computes forwarding rules and deploys them on the SDN switches. The packet matching module is used for: the SDN switch matches arriving packets against the forwarding rules.
Claims (10)
1. An SDN-based IP source address verification method, characterized by comprising the following steps:
A1. The SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node;
A2. The SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches on the deployment nodes with SDN switches;
A3. The SDN controller computes forwarding rules and deploys them on the SDN switches;
A4. The SDN switch matches arriving packets against the forwarding rules.
2. The method of claim 1, characterized in that step A1 comprises: if there is only one border gateway device in the network, that device is the root node; if the network has multiple border gateway devices, the device that is common to them and nearest is found and used as the root node, and multiple links between devices are treated as one link.
3. The method of claim 1, characterized in that step A1 comprises: the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node, according to the intra-domain routing table or a single-source shortest path algorithm.
4. The method of claim 3, characterized in that the single-source shortest path algorithm is Dijkstra's algorithm.
5. The method of claim 1, characterized in that step A2 comprises: the SDN controller computes the utility value of each node on the packet forwarding view tree according to a utility function and sorts the nodes by utility value from high to low; following the sorted order, nodes are chosen in turn and the SDN nodes are found according to a heuristic algorithm.
6. The method of claim 4, characterized in that the utility function in step A2 is the following formula:
Where pc_i: the number of IP prefixes covered by node i; u_i: the detectable spoofed-prefix utility value when node i is an SDN node, i.e. the number of IP prefix pairs that cannot be forged; Child[i]: the numbers of all child nodes of node i.
7. The method of claim 4, characterized in that the heuristic algorithm in step A2 is:
Where λ: the minimum requirement of the network or user for the ratio of IP prefixes that cannot be spoofed; N: the total number of nodes; Distinct(): eliminates duplicated utility when multiple nodes are deployed at the same time.
8. The method of claim 1, characterized in that step A3 comprises: the SDN controller generates a legal forwarding rule set that performs forwarding and an illegal forwarding rule set that performs dropping.
9. The method of claim 1, characterized in that step A4 comprises: the SDN switch matches packets against the forwarding rules issued in step A3; if the match succeeds, the forward or drop operation defined in the hit forwarding rule is executed; if the match fails, the packet is delivered to the SDN controller, which analyzes its legitimacy and issues a forwarding rule.
10. A system for the method of claim 1, characterized in that the system comprises a conversion module, an SDN node deployment module, a forwarding rule computation module and a packet matching module;
wherein the conversion module is used for: the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node;
the SDN node deployment module is used for: the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches on the deployment nodes with SDN switches;
the forwarding rule computation module is used for: the SDN controller computes forwarding rules and deploys them on the SDN switches;
the packet matching module is used for: the SDN switch matches arriving packets against the forwarding rules.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610332912.8A CN106060015B (en) | 2016-05-18 | 2016-05-18 | A kind of IP source address verification method based on SDN |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106060015A true CN106060015A (en) | 2016-10-26 |
CN106060015B CN106060015B (en) | 2019-11-01 |
Family
ID=57177817
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610332912.8A Active CN106060015B (en) | 2016-05-18 | 2016-05-18 | A kind of IP source address verification method based on SDN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106060015B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |