CN106254338B - Message detecting method and device - Google Patents
Message detecting method and device
- Publication number
- CN106254338B CN201610620547.0A
- Authority
- CN
- China
- Prior art keywords
- message
- hadoop
- mirror image
- switching equipment
- sdn controller
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a message detecting method and device. The method comprises: receiving a mirrored message sent by switching equipment; performing message detection on the mirrored message and determining the corresponding virus response policy; and sending a corresponding flow entry to the switching equipment according to the virus response policy, so that the switching equipment processes messages matching the flow entry. The invention can significantly improve the overall performance of an SDN network.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a message detecting method and device.
Background art
In a network that applies the anti-virus detection function of an IPS (Intrusion Prevention System) to an SDN (Software Defined Network), the IPS equipment performs virus detection on messages entering and leaving the entire SDN network, and blocks or monitors viruses according to a preconfigured virus response policy.
However, when the IPS equipment performs virus detection, all messages of the entire SDN network must be diverted to the IPS equipment for detection. When the message volume of the SDN network is large, the IPS equipment becomes the bottleneck of the whole network's performance: the IPS equipment is placed under heavy load, which in turn affects overall performance.
Summary of the invention
In view of the drawbacks of the prior art, the present invention provides a message detecting method and device.
The present invention provides a message detecting method, applied to an SDN controller in a Hadoop cluster, the method comprising:
receiving a mirrored message sent by switching equipment;
performing message detection on the mirrored message and determining the corresponding virus response policy;
sending a corresponding flow entry to the switching equipment according to the virus response policy, so that the switching equipment processes messages matching the flow entry.
The present invention also provides a message detection device, applied to an SDN controller in a Hadoop cluster, the device comprising:
an SDN control unit, for receiving a mirrored message sent by switching equipment;
a detection unit, for performing message detection on the mirrored message and determining the corresponding virus response policy;
the SDN control unit being further used to send a corresponding flow entry to the switching equipment according to the virus response policy, so that the switching equipment processes messages matching the flow entry.
In the message detecting method and device provided by the invention, a Hadoop cluster is deployed on the SDN controller cluster, and the virus detection work originally performed by the IPS equipment is distributed across the SDN controllers. Each SDN controller matches the message features of received messages against the feature data in the IPS feature database and, on a match, processes the message according to the corresponding virus response policy. This greatly reduces the processing load on the IPS equipment and significantly improves the overall performance of the SDN network.
Brief description of the drawings
Fig. 1 is a schematic diagram of the SDN network to which a message detecting method in an embodiment of the present invention is applied;
Fig. 2 is a flow diagram of a message detecting method in an embodiment of the present invention;
Fig. 3 is a schematic diagram of a message detecting method in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the logical structure of a message detection device in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the logical structure of the detection unit in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the hardware architecture of the SDN controller where the message detection device in an embodiment of the present invention resides.
Specific embodiments
To make the purpose, technical solution and advantages of the application clearer, the solution of the application is described in further detail below with reference to the drawings.
To solve the problems in the prior art, the present invention provides a message detecting method and device.
Fig. 1 is a schematic diagram of the SDN network scenario to which the embodiment of the present invention applies. The network includes an SDN controller cluster 100 composed of multiple SDN controllers (such as SDN controllers 101, 102, 103 and 104), a gateway 105, multiple switching equipment (such as switching equipment 106 and 107), multiple hosts (such as hosts 108 and 109) respectively connected to the switching equipment, and IPS equipment 110. The most popular protocol in SDN technology is OpenFlow. In an SDN network based on the OpenFlow protocol, the switching equipment can be a switch, a router or similar equipment, and can be either physical hardware switching equipment or virtual switching equipment; a host can likewise be a physical host or a virtual host. In this embodiment, it can be configured in advance which switching equipment each SDN controller in the cluster runs the OpenFlow protocol with over a control channel. The SDN controller then issues OpenFlow flow entries to the designated switching equipment with which it has established a control channel, to instruct the switching equipment how to forward data-plane traffic between hosts.
Hadoop is a software framework that can perform distributed processing of massive data, processing it in a reliable, efficient and scalable way. In this embodiment, to solve the problem of heavy load on the IPS equipment, a Hadoop cluster can be deployed in the SDN controller cluster in advance. The Hadoop cluster contains two kinds of functional module: the Hadoop control module and the Hadoop operational module. The Hadoop control module runs a Nimbus component, and the Hadoop operational module runs a Supervisor component. The Hadoop cluster can also include other components or services, such as the Zookeeper service. In this embodiment the Hadoop cluster is deployed by installing these components or services on the SDN controllers of the SDN controller cluster.
After an SDN controller receives a message, the Nimbus component run by the Hadoop control module decides which Hadoop operational module the task of performing virus detection on that message is assigned to, and monitors the resource occupancy and operating status of each Hadoop operational module. The Supervisor component run by the Hadoop operational module listens for virus detection tasks assigned to it and executes them.
When deploying the Hadoop cluster, one Nimbus component can be deployed in the SDN controller cluster. For networking reliability, several can also be deployed, to avoid the cluster being unable to work normally because the only Nimbus component deployed has failed. The Nimbus component may be installed on any one or more SDN controllers; that is, an SDN controller on which a Nimbus component is installed includes a Hadoop control module. Every SDN controller in the SDN controller cluster has at least one Supervisor component installed; that is, each SDN controller includes at least one Hadoop operational module. For example, the components or services installed on each SDN controller can be as shown in Table 1:
SDN controller identifier | Installed components or services |
SDN controller 101 | Nimbus, Supervisor |
SDN controller 102 | Supervisor, Zookeeper |
SDN controller 103 | Supervisor, Zookeeper |
SDN controller 104 | Supervisor, Zookeeper |
Table 1
Fig. 2 is a schematic diagram of the processing flow of the message detecting method provided by the invention. The method can be applied to an SDN controller in a Hadoop cluster and includes the following steps:
Step 201: receive the mirrored message sent by the switching equipment.
In this embodiment, when a host comes online, the interface of the switching equipment to which the host is connected is shown in the "Up" state on the SDN controller. When the SDN controller detects that the state of a port has become "Up", it issues a detection flow entry to that "Up" port of the switching equipment, so that the port implements the port mirroring function. The detection flow entry may include two processing actions. The first is forwarding information, generated from the routing and forwarding information stored by the SDN controller, that guides how the message is forwarded. The second implements the port mirroring function: the switching equipment mirrors (copies) each message that hits the detection flow entry and sends the resulting mirrored message to the SDN controller. These two processing actions can also be issued to the switching equipment in two separate flow entries.
After receiving a message sent by a host, the switching equipment matches the message against its stored flow entries. When the message hits the detection flow entry, the message needs virus detection: the switching equipment mirrors the message according to the actions of the detection flow entry, forwards one copy according to action one of the detection flow entry, and sends the mirrored message to the SDN controller according to action two.
After the SDN controller receives the mirrored message sent by the switching equipment, the Hadoop operational module that will perform the message detection is determined. The Hadoop operational module that performs the message detection belongs either to the SDN controller that received the mirrored message, or to another SDN controller in the Hadoop cluster.
Determining the Hadoop operational module that performs the message detection comprises:
the SDN controller that received the mirrored message sends a message detection notification to the SDN controller that has the Hadoop control module;
the SDN controller that has the Hadoop control module designates, according to load balancing, the Hadoop operational module that is to perform the message detection, and returns a response message to the SDN controller to which the designated Hadoop operational module belongs, the response message containing the identifier of the designated Hadoop operational module.
Specifically, after receiving a mirrored message, an SDN controller can send a message detection notification to the SDN controller in the cluster on which the Hadoop control module is installed, so that that SDN controller designates, according to load balancing, the Hadoop operational module that takes on the task of performing virus detection on the mirrored message.
Note that when the SDN controller that receives the mirrored message is itself the SDN controller with the Hadoop control module, it can, after receiving the mirrored message, send the message detection notification over an internal channel to the Hadoop control module installed on the same device. The Hadoop control module on that device then designates, according to load balancing, the Hadoop operational module that performs virus detection on the mirrored message.
The Hadoop control module assigns virus detection tasks according to the following principles:
To avoid the loss of processing efficiency caused by transmitting messages between devices, the virus detection task for a message can be executed by a Hadoop operational module on the SDN controller that received the message. When that SDN controller has multiple Hadoop operational modules, the one that executes the virus detection task is selected according to load balancing. When the Hadoop control module detects that the Hadoop operational module on the SDN controller that received the message is running under high load, or that its operating status is "Down", the virus detection task for the message can be assigned to a Hadoop operational module with low resource occupancy on another SDN controller.
After the Hadoop control module of the SDN controller has determined the designated Hadoop operational module that will execute the virus detection task, it can return a response message to the SDN controller to which the designated Hadoop operational module belongs. The response message contains the identifier of the designated Hadoop operational module, to inform the SDN controller that sent the message detection notification that the designated Hadoop operational module with that identifier will perform message detection on the mirrored message.
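The assignment principles above can be expressed as a short selection routine. This is an added example, not code from the patent; the `Worker` fields, the identifiers in `CLUSTER` and the 0.80 high-load threshold are assumptions (the text only says "high load" and "Down").

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed threshold: the description only says "high load", no number is given.
HIGH_LOAD = 0.80


@dataclass(frozen=True)
class Worker:
    """One Hadoop operational module as seen by the Hadoop control module."""
    worker_id: str     # identifier returned in the response message
    controller: str    # SDN controller the module is installed on
    occupancy: float   # monitored resource occupancy, 0.0 to 1.0
    state: str = "Up"  # monitored operating status: "Up" or "Down"


def _usable(w: Worker) -> bool:
    # A module is skipped when it is Down or already running under high load.
    return w.state == "Up" and w.occupancy < HIGH_LOAD


def _least_loaded(candidates: Iterable[Worker]) -> Optional[Worker]:
    # Load balancing: lowest occupancy wins, identifier breaks ties deterministically.
    return min(candidates, key=lambda w: (w.occupancy, w.worker_id), default=None)


def assign_detection_task(receiving_controller: str,
                          workers: Iterable[Worker]) -> Optional[dict]:
    """Pick the module that will inspect a mirrored message.

    1. Prefer a usable module on the controller that received the message,
       so the mirrored message is not transmitted between devices.
    2. With several local modules, take the least loaded one.
    3. If no local module is usable, fall back to the least loaded usable
       module on any other controller.
    Returns the response message content, or None when nothing is usable.
    """
    workers = list(workers)
    local = [w for w in workers
             if w.controller == receiving_controller and _usable(w)]
    chosen = _least_loaded(local)
    if chosen is None:
        remote = [w for w in workers
                  if w.controller != receiving_controller and _usable(w)]
        chosen = _least_loaded(remote)
    if chosen is None:
        return None
    return {"worker_id": chosen.worker_id, "controller": chosen.controller}


# Constructed sample state for the four controllers of Table 1.
CLUSTER = [
    Worker("sup-101-a", "controller-101", 0.55),
    Worker("sup-101-b", "controller-101", 0.30),
    Worker("sup-102-a", "controller-102", 0.10),
    Worker("sup-103-a", "controller-103", 0.95),          # high load
    Worker("sup-104-a", "controller-104", 0.20, "Down"),  # not running
]

if __name__ == "__main__":
    for ctl in ("controller-101", "controller-103", "controller-104"):
        print(ctl, "->", assign_detection_task(ctl, CLUSTER))
```

A local module is chosen even when a remote one is less loaded, which is the trade-off the text makes to avoid cross-device transmission.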
Step 202: perform message detection on the mirrored message and determine the corresponding virus response policy.
In this embodiment, the SDN controller can periodically send an IPS feature database acquisition request to the IPS equipment in the SDN network, for example one request every other hour. After receiving the request, the IPS equipment sends the most recently updated IPS feature database it holds to the SDN controller, and the SDN controller saves the received IPS feature database. The IPS feature database stores the feature data obtained by analysing various viruses or anomalies, together with the virus response policy corresponding to each item of feature data.
Fig. 3 shows the specific processing flow of step 202, which includes the following steps 301-302:
Step 301: the SDN controller to which the Hadoop operational module performing the message detection belongs obtains the message feature of the mirrored message and matches the message feature against the intrusion prevention system (IPS) feature database obtained in advance.
The message feature may include message information such as the source IP address, destination IP address, message type, protocol number and port number of the message; it may also be other information such as a domain name or a character string in a message field; or it may be any combination of message information and other information. These are not enumerated one by one here.
After obtaining the message feature of the mirrored message, the designated Hadoop operational module executing the virus detection task can match the message feature against the IPS feature database saved on the SDN controller it belongs to; that is, the obtained message feature is matched against each item of feature data in the IPS feature database in turn.
Step 302: when the message feature matches feature data in the IPS feature database, determine the virus response policy corresponding to that feature data in the IPS feature database.
When the message feature matches feature data in the IPS feature database, the mirrored message is a virus message. Because the IPS feature database stores the feature data obtained by analysing various viruses or anomalies together with the virus response policy corresponding to each item of feature data, the virus response policy corresponding to the matched feature data can then be determined from the IPS feature database.
The virus response policy may include one or a combination of actions such as pass, block or notify. For the pass action, the detected virus message is left unprocessed and allowed through. For the block action, the virus message is not allowed through; isolation of the source device that sent the virus message can also be configured. If a source device is isolated, none of its subsequent messages can pass; if isolation is not configured, only the detected virus message is discarded. For the notify action, a virus event is recorded when a virus message is detected, and an alarm prompt is raised for the recorded event by outputting it to a local database, notifying the administrator by email, or outputting it to a user terminal or a Syslog (system log) host. The virus response policy can also include other actions, which are not enumerated here.
In this embodiment, when the designated Hadoop operational module performs message detection on the mirrored message, its specific processing flow may be as follows:
After the Hadoop control module has designated a Hadoop operational module for the received mirrored message, the Supervisor component of the designated Hadoop operational module obtains the mirrored message received by the SDN controller it belongs to and passes it to the Spout (entry function). The Spout sends the mirrored message to the anomaly detection Bolt. The anomaly detection Bolt obtains the IPS feature database from the IPS equipment and compares the message feature of the mirrored message with the feature data in the IPS feature database. When the message feature matches feature data in the IPS feature database, the anomaly detection Bolt obtains the virus response policy corresponding to the matched feature data.
In one embodiment, after the mirrored message has been passed to the Spout, and while the Spout sends it to the anomaly detection Bolt for virus detection, information such as the source IP address and destination IP address of the mirrored message and its message type can also be obtained and saved by a statistics Bolt to a location such as the local disk, so that users can later build data mining models from the collected information. In another embodiment, so as not to affect the efficiency of virus detection, the Spout can copy the mirrored message to obtain two mirrored messages, send one to the anomaly detection Bolt for virus detection and send the other to the statistics Bolt, which obtains the source IP address, destination IP address, message type and similar information of the mirrored message. Virus detection and information collection are thus completed in parallel.
In one embodiment, the models built later by data mining from the collected information may include, for example: models of peak and off-peak periods; models of the access frequency of a particular website; and models of the access frequency and share of each website. After the models are built, data analysis can be carried out with them and, once analysis results are obtained, the IPS feature database saved on the IPS equipment can be updated according to those results, making the IPS feature database more complete.
Step 203: send a corresponding flow entry to the switching equipment according to the virus response policy, so that the switching equipment processes messages matching the flow entry.
When the message feature matches feature data in the IPS feature database: if the action corresponding to the feature data is block, a blocking flow entry is generated according to the message feature of the message and issued to the switching equipment that sent the message to the SDN controller, so that the switching equipment discards messages that hit the blocking flow entry; the virus message is thereby blocked to protect network security, and the SDN controller discards the mirrored message in which the virus was detected. If the action corresponding to the feature data is notify, the virus event is recorded and an alarm prompt is raised by outputting the event to a local database, notifying the administrator by email, or outputting it to a user terminal or Syslog host. If the action corresponding to the feature data is block and notify, the alarm prompt is output at the same time as the blocking flow entry is issued to the switching equipment.
It can be seen that in the message detecting method provided by the invention, a Hadoop cluster is deployed on the SDN controller cluster and the virus detection work originally performed by the IPS equipment is distributed across the SDN controllers. This greatly reduces the processing load on the IPS equipment, avoids traffic interruption across the entire SDN network (such as message loss) caused by failure of the IPS equipment, and significantly improves the reliability and overall performance of the SDN network.
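Steps 301, 302 and 203 can be followed end to end in the sketch below: a mirrored message is matched against each feature entry in turn, and the matched entry's response policy decides whether a blocking flow entry and an alarm record are produced. This is an added example, not the patent's implementation; the `FeatureEntry` layout, the dictionary form of the flow entry, the priority value and all sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

BLOCK_PRIORITY = 200  # assumed: higher than the detection flow entry's priority


@dataclass(frozen=True)
class MirroredMessage:
    switch_id: str  # switching equipment that mirrored the message
    src_ip: str
    dst_ip: str
    proto: int      # IP protocol number
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class FeatureEntry:
    """One item of feature data plus its virus response policy."""
    name: str
    actions: frozenset            # subset of {"pass", "block", "notify"}
    isolate_source: bool = False  # block option: isolate the sending device
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    dst_port: Optional[int] = None
    payload_contains: Optional[bytes] = None

    def matches(self, msg: MirroredMessage) -> bool:
        checks = []
        if self.dst_ip is not None:
            checks.append(msg.dst_ip == self.dst_ip)
        if self.proto is not None:
            checks.append(msg.proto == self.proto)
        if self.dst_port is not None:
            checks.append(msg.dst_port == self.dst_port)
        if self.payload_contains:
            checks.append(self.payload_contains in msg.payload)
        # An entry with no criteria must never match, or it would block everything.
        return bool(checks) and all(checks)


def detect(msg: MirroredMessage, feature_db: Iterable[FeatureEntry]) -> Optional[FeatureEntry]:
    """Step 301/302: match against each entry in turn, first hit wins."""
    return next((e for e in feature_db if e.matches(msg)), None)


def block_flow_entry(msg: MirroredMessage, isolate: bool) -> dict:
    """Step 203: build the blocking flow entry for the mirroring switch."""
    match = {"ipv4_src": msg.src_ip}
    if not isolate:
        # Without isolation only messages with the same features are dropped.
        match.update(ipv4_dst=msg.dst_ip, ip_proto=msg.proto, dst_port=msg.dst_port)
    # An empty action list is how an OpenFlow flow entry expresses "drop".
    return {"switch": msg.switch_id, "priority": BLOCK_PRIORITY,
            "match": match, "actions": []}


def handle_mirrored_message(msg: MirroredMessage,
                            feature_db: Iterable[FeatureEntry]) -> dict:
    result = {"matched": None, "flow_entries": [], "alerts": []}
    entry = detect(msg, feature_db)
    if entry is None:
        return result  # no feature matched: nothing is sent to the switch
    result["matched"] = entry.name
    if "block" in entry.actions:
        result["flow_entries"].append(block_flow_entry(msg, entry.isolate_source))
    if "notify" in entry.actions:
        result["alerts"].append({"feature": entry.name, "switch": msg.switch_id,
                                 "src_ip": msg.src_ip, "dst_ip": msg.dst_ip})
    return result  # a policy of only "pass" leaves both lists empty


# Constructed feature database; addresses are from documentation ranges.
FEATURE_DB = [
    FeatureEntry("no-criteria", frozenset({"block"})),
    FeatureEntry("sample-string", frozenset({"block", "notify"}),
                 payload_contains=b"EXAMPLE-SIGNATURE"),
    FeatureEntry("sample-destination", frozenset({"block"}), isolate_source=True,
                 dst_ip="203.0.113.50", proto=6, dst_port=8081),
]

if __name__ == "__main__":
    m = MirroredMessage("switch-106", "192.0.2.10", "198.51.100.7", 6, 80,
                        b"GET /?q=EXAMPLE-SIGNATURE")
    print(handle_mirrored_message(m, FEATURE_DB))
```

The isolation case matches on the source address alone, so every later message from that source hits the blocking entry, while the non-isolated case stays scoped to the detected message's features.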
The present invention also provides a message detection device. Fig. 4 is a structural schematic diagram of the message detection device, which can be applied to an SDN controller of a Hadoop cluster. The device may include:
an SDN control unit 401, for receiving the mirrored message sent by switching equipment;
a detection unit 402, for performing message detection on the mirrored message and determining the corresponding virus response policy;
the SDN control unit 401 being further used to send a corresponding flow entry to the switching equipment according to the virus response policy, so that the switching equipment processes messages matching the flow entry.
Further, the SDN control unit 401 is also used to:
when detecting that a host comes online, issue a detection flow entry to the switching equipment to which the host is connected, the detection flow entry being used to control the switching equipment to mirror the received messages sent by the host and send the mirrored messages to this device.
Further, the SDN control unit 401 is also used to:
when the virus response policy is block, issue a blocking flow entry to the switching equipment, so that the switching equipment discards messages that hit the blocking flow entry; and/or
when the virus response policy is notify, output an alarm prompt.
Further, each SDN controller in the Hadoop cluster has one or more Hadoop operational modules, and at least one SDN controller in the cluster has a Hadoop control module.
Referring to Fig. 5, the detection unit 402 can also include a Hadoop control module 4021 and/or a Hadoop operational module 4022.
The Hadoop control module 4021 is used to determine, according to the mirrored message, the Hadoop operational module that performs the message detection.
The Hadoop operational module 4022 that performs the message detection belongs either to the SDN controller that received the mirrored message, or to another SDN controller in the Hadoop cluster.
Further, the SDN control unit 401 is also used to generate a message detection notification based on the received mirrored message and send it to the Hadoop control module 4021.
The Hadoop control module 4021 is also used to receive the message detection notification, designate according to load balancing the Hadoop operational module 4022 that performs the message detection, and return a response message to the designated Hadoop operational module 4022, the response message containing the identifier of the designated Hadoop operational module 4022.
Further, the Hadoop operational module 4022 is used to perform message detection according to the response message, including: obtaining the message feature of the mirrored message and matching the message feature against the intrusion prevention system (IPS) feature database obtained in advance; and, when the message feature matches feature data in the IPS feature database, determining the virus response policy corresponding to that feature data in the IPS feature database.
The specific processing flow of the message detection device applied to an SDN controller of a Hadoop cluster can be consistent with the processing flow of the message detecting method described above, and is not repeated here.
The above device can be implemented in software or in hardware. For the hardware architecture of the switching equipment and the SDN controller where the message detection device of the present invention resides, refer to Fig. 6. The basic hardware environment includes a central processing unit (CPU) 601, a forwarding chip 602, a memory 603 and other hardware 604, where the memory 603 contains machine-readable instructions and the CPU 601 reads and executes the machine-readable instructions to perform the functions of the units in Fig. 4.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
Claims (10)
1. a kind of message detecting method, which is characterized in that applied to the software defined network SDN controller in Hadoop cluster,
The described method includes:
Receive the mirror image message that switching equipment is sent;
Packet check is executed to the mirror image message, determines corresponding viral response policy;
Corresponding flow entry is sent to the switching equipment according to the viral response policy, so that the switching equipment is to matching
The message of the flow entry is handled;
It is described receive switching equipment send mirror image message include:
When detecting that host is online, the switching equipment that Xiang Suoshu host is accessed issues detection flow entry, the detection flow entry
This equipment, and instruction are sent to for controlling after the message that the received host is sent is carried out mirror image by the switching equipment
The forwarding for instructing message how to forward that the routing forwarding information that the switching equipment is stored according to the SDN controller generates is believed
Breath E-Packets.
2. the method according to claim 1, wherein being sent out according to the viral response policy to the switching equipment
Corresponding flow entry is sent, so that the switching equipment handles the message for matching the flow entry, comprising:
When the viral response policy is to block, Xiang Suoshu switching equipment issues blocking flow entry, so that the switching equipment
Abandon the hit message for blocking flow entry;And/or
When the viral response policy is notice, outputting alarm prompt.
3. the method according to claim 1, wherein each SDN controller in the Hadoop cluster has
One or more Hadoop operational modules;At least one SDN controller has a Hadoop control module in the cluster;
After the mirror image message for receiving switching equipment transmission, the method also includes: it determines and executes the packet check
Hadoop operational module;
Wherein, the Hadoop operational module for executing packet check belongs to the SDN controller for receiving the mirror image message, or
Person belongs to other SDN controllers in Hadoop cluster in addition to the SDN controller for receiving the mirror image message.
4. according to the method described in claim 3, it is characterized in that, the determining Hadoop work for executing the packet check
Module, comprising:
The SDN controller for receiving the mirror image message sends message inspection to the SDN controller with the Hadoop control module
The notification message of survey;
The SDN controller with Hadoop control module is according to the specified Hadoop for executing packet check of load balancing
Operational module, and SDN controller returning response message belonging to Hadoop operational module is specified to this, it is wrapped in the response message
The mark of Hadoop operational module is specified containing this.
5. The method according to claim 3, characterized in that executing the packet check on the mirror image message and determining the corresponding viral response policy comprises:
the SDN controller to which the Hadoop operational module executing the packet check belongs obtains the message characteristic of the mirror image message and matches the message characteristic against the intrusion prevention system (IPS) feature database obtained in advance;
when the message characteristic matches a characteristic in the IPS feature database, the viral response policy corresponding to that characteristic in the IPS feature database is determined.
6. A packet check device, characterized in that it is applied to a software defined network (SDN) controller in a Hadoop cluster, the device comprising:
an SDN control unit, for receiving the mirror image message sent by the switching equipment;
a detection unit, for executing a packet check on the mirror image message and determining the corresponding viral response policy;
the SDN control unit is also used to send a corresponding flow entry to the switching equipment according to the viral response policy, so that the switching equipment handles the message matching the flow entry;
the SDN control unit is also used to:
when detecting that a host is online, issue a detection flow entry to the switching equipment accessed by the host, the detection flow entry being used to control the switching equipment to mirror the received message sent by the host and send the mirror image to this device, and to instruct the switching equipment to forward the message according to the forwarding information, generated from the routing forwarding information stored by the SDN controller, that instructs how the message is to be forwarded.
7. The device according to claim 6, characterized in that the SDN control unit is also used to:
when the viral response policy is to block, issue a blocking flow entry to the switching equipment, so that the switching equipment discards messages that hit the blocking flow entry; and/or
when the viral response policy is to notify, output an alarm prompt.
8. The device according to claim 6, characterized in that each SDN controller in the Hadoop cluster has one or more Hadoop operational modules, and at least one SDN controller in the cluster has a Hadoop control module;
the detection unit includes: a Hadoop control module and/or a Hadoop operational module;
the Hadoop control module is used to determine, according to the mirror image message, the Hadoop operational module that executes the packet check;
wherein the Hadoop operational module that executes the packet check belongs to the SDN controller that received the mirror image message, or belongs to another SDN controller in the Hadoop cluster other than the SDN controller that received the mirror image message.
9. The device according to claim 8, characterized in that
the SDN control unit is also used to generate a packet check notification message based on the received mirror image message and send it to the Hadoop control module;
the Hadoop control module is also used to receive the packet check notification message, designate according to load balancing the Hadoop operational module that is to execute the packet check, and return a response message to the designated Hadoop operational module, the response message containing the identifier of the designated Hadoop operational module.
10. The device according to claim 9, characterized in that
the Hadoop operational module is used to execute the packet check according to the response message, comprising:
obtaining the message characteristic of the mirror image message and matching the message characteristic against the intrusion prevention system (IPS) feature database obtained in advance; when the message characteristic matches a characteristic in the IPS feature database, determining the viral response policy corresponding to that characteristic in the IPS feature database.
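The flow of claims 2 to 5 (designate an operational module by load balancing, match the mirror image message against the IPS feature database, then block or notify), as an added Python sketch that is not code from the patent. The least-active-jobs selection rule, the flow entry layout, the source-IP match field and all sample signatures, names and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed IPS feature database: characteristic bytes -> response policy.
IPS_FEATURE_DB = {b"SAMPLE-SIG-A": "block", b"SAMPLE-SIG-B": "notify"}

@dataclass
class Worker:
    """A Hadoop operational module hosted on one SDN controller."""
    worker_id: str
    controller: str
    active_jobs: int = 0

def designate_worker(workers):
    """Control module: pick a worker by load balancing (least active jobs is
    an assumption) and build the response message naming it."""
    chosen = min(workers, key=lambda w: (w.active_jobs, w.worker_id))
    chosen.active_jobs += 1
    return {"to_controller": chosen.controller, "worker_id": chosen.worker_id}

def match_policy(payload, feature_db=IPS_FEATURE_DB):
    """Operational module: match the message characteristic against the
    feature database; return the response policy, or None on no match."""
    for characteristic, policy in feature_db.items():
        if characteristic in payload:
            return policy
    return None

def respond(policy, mirrored):
    """Controller: turn the policy into a flow entry and/or an alarm."""
    flow_entry, alarm = None, None
    if policy == "block":
        # Hypothetical entry layout; matching on source IP is an assumption.
        flow_entry = {"switch": mirrored["switch"], "priority": 200,
                      "match": {"ipv4_src": mirrored["src"]}, "action": "drop"}
    elif policy == "notify":
        alarm = f"ALERT: {mirrored['src']} matched IPS feature on {mirrored['switch']}"
    return flow_entry, alarm

def handle_mirrored_message(mirrored, workers):
    """Receive -> designate worker -> detect -> respond, as in the claims."""
    response_msg = designate_worker(workers)
    policy = match_policy(mirrored["payload"])
    flow_entry, alarm = respond(policy, mirrored)
    return response_msg["worker_id"], policy, flow_entry, alarm
```

A message that matches no characteristic yields no policy, so no flow entry is issued and the detection flow entry keeps forwarding the host's traffic normally.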
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610620547.0A CN106254338B (en) | 2016-07-29 | 2016-07-29 | Message detecting method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106254338A CN106254338A (en) | 2016-12-21 |
CN106254338B true CN106254338B (en) | 2019-09-06 |
Family
ID=57605805
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610620547.0A Active CN106254338B (en) | 2016-07-29 | 2016-07-29 | Message detecting method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106254338B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108400958A (en) * | 2017-02-08 | 2018-08-14 | 蓝盾信息安全技术有限公司 | A kind of automatic counter-scanning method realized based on SDN technologies |
CN108123939A (en) * | 2017-12-14 | 2018-06-05 | 华中师范大学 | Malicious act real-time detection method and device |
CN110602119A (en) * | 2019-09-19 | 2019-12-20 | 迈普通信技术股份有限公司 | Virus protection method, device and system |
CN112738110A (en) * | 2020-12-30 | 2021-04-30 | 绿盟科技集团股份有限公司 | Bypass blocking method and device, electronic equipment and storage medium |
CN112769849B (en) * | 2021-01-19 | 2023-06-09 | 杭州迪普科技股份有限公司 | Method, system, equipment and storage medium for virus diagnosis and blocking |
CN112995277B (en) * | 2021-02-01 | 2023-02-24 | 长沙市到家悠享网络科技有限公司 | Access processing method and device and proxy server |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103684922A (en) * | 2013-12-23 | 2014-03-26 | 蓝盾信息安全技术股份有限公司 | Outlet information privacy checking detection platform system based on SDN (self-defending network) and detection method |
CN104506507A (en) * | 2014-12-15 | 2015-04-08 | 蓝盾信息安全技术股份有限公司 | Honey net safeguard system and honey net safeguard method for SDN (self-defending network) |
CN104683333A (en) * | 2015-02-10 | 2015-06-03 | 国都兴业信息审计系统技术(北京)有限公司 | Method for implementing abnormal traffic interception based on SDN |
CN204669399U (en) * | 2015-04-23 | 2015-09-23 | 广州万方计算机科技有限公司 | Based on internet worm and the threat monitoring system of Hadoop framework |
CN105468720A (en) * | 2015-11-20 | 2016-04-06 | 北京锐安科技有限公司 | Method for integrating distributed data processing systems, corresponding systems and data processing method |
CN103051557B (en) * | 2012-12-27 | 2016-07-06 | 华为技术有限公司 | Data flow processing method and system, controller, switching equipment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10395031B2 (en) * | 2010-12-30 | 2019-08-27 | Verisign, Inc. | Systems and methods for malware detection and scanning |
Also Published As
Publication number | Publication date |
---|---|
CN106254338A (en) | 2016-12-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.; Applicant after: Xinhua three Technology Co., Ltd.; Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.; Applicant before: Huasan Communication Technology Co., Ltd. | |
GR01 | Patent grant | ||