CN106713307A - Method and system for detecting consistency of flow tables in SDN (Software-defined Networking) - Google Patents


Info

Publication number: CN106713307A
Authority: CN (China)
Prior art keywords: target field, flow table, SDN, module, detection
Legal status: Granted
Application number: CN201611186120.0A
Other languages: Chinese (zh)
Other versions: CN106713307B
Inventors: 王利明, 宋晨
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Priority date: 2016-12-20
Filing date: 2016-12-20
Publication date: 2017-05-24 (CN106713307A); granted publication CN106713307B on 2019-12-10
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention discloses a method and system for detecting the consistency of flow tables in SDN (Software-defined Networking). The fields to be checked can be customized according to the characteristics of eavesdropping attacks that tamper with flow tables, and a detection rate of 100% can be achieved for eavesdropping attacks whose type of flow table tampering is known in advance. At the same time, the method only requires the switch to return the counts of the specified fields, so it consumes little network transmission bandwidth and even less processing time on the controller and the switch. The method and system are therefore more targeted, have a higher detection rate and are more efficient than existing approaches: they check flow table consistency with a lower network transmission load and a higher detection rate, make up for the lack of flow-rule consistency detection measures in the layered SDN architecture, supplement and improve SDN flow table consistency detection and protection, improve the reliability of SDN network control, and provide security assurance for SDN data transmission.

Description

Method and system for detecting flow table consistency in SDN
Technical field
The present invention relates to the field of SDN security. More specifically, it relates to a method and system for detecting flow table consistency in SDN.
Background
The core idea of Software-defined Networking (SDN) is to split the complex network device in two. Forwarding is implemented by dedicated hardware, referred to as the data plane; complex control, management and service functions are implemented in software, referred to as the control plane.
The separation of the control layer and the data layer means that the SDN architecture carries the latent risk of inconsistent forwarding rules. Because the central controller installs data-plane forwarding rules on the underlying switches to direct packet forwarding and other operations, once a rule on a switch is maliciously tampered with and the controller does not notice, the actual behaviour of the underlying network is no longer under the controller's control. Forwarding rules in SDN are called flow tables. Taking the currently mainstream SDN southbound interface, OpenFlow protocol v1.3.0, as an example, a flow entry contains the following fields: (1) Match Fields, the specific packet header fields to be matched; when the header field values of a passing packet equal the values specified in the flow entry, the subsequent operations defined by that entry are applied to the packet; (2) Priority, the priority of the flow entry; higher-priority entries are matched first; (3) Counters, the number of packets matched by the flow entry; (4) Instructions, the operations to be performed on the packet, such as drop or forward; (5) Cookie, an opaque value chosen by the controller and used to filter flow statistics, flow modification and flow deletion requests.
Because none of the current mainstream OpenFlow protocol versions addresses the flow table consistency problem, and some OpenFlow switches expose a passive listening mode, i.e. an unauthenticated TCP port through which a network administrator can manipulate the flow table data on the switch, an attacker can use this spare interface to add a mirror port for a specific data flow on the switch and thereby eavesdrop on that flow.
Markku Antikainen et al., in "Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch", analyse the implementation details of this class of threat and point out that it can lead to network eavesdropping, but propose no effective countermeasure. Kevin Benton et al., in "OpenFlow Vulnerability Assessment", describe the currently feasible scheme for detecting flow table consistency, which requires dumping all flow tables of a switch and checking whether they have been altered; this method is computationally intensive, consumes considerable network transmission bandwidth, and has low feasibility. On detecting whether a switch has been compromised such that its behaviour violates the forwarding rules issued by the controller, Chi et al., in "How to detect a compromised SDN switch", propose a periodic sampling detection method: a few switches are chosen at random from the whole network, a small fraction of the flow entries on each is selected at random, and packets matching those entries are sent into the network; if a switch does not process the packets according to its flow rules, it is considered compromised.
However, the existing solutions above have limitations in detection efficiency, detection accuracy and detection coverage.
Summary of the invention
In view of the above problems, the present invention provides a method and system for detecting flow table consistency in SDN, which checks the consistency of flow tables with a lower network transmission load and a higher detection rate, makes up for the lack of flow-rule consistency detection measures in the layered SDN architecture, improves the reliability of SDN network control, and provides security assurance for SDN data transmission.
To achieve the above object, the present invention adopts the following technical scheme:
A method for detecting flow table consistency in SDN, comprising the steps of:
1) the user configures, at the controller, the target fields of the flow tables to be checked and the query frequency;
2) the controller backs up all flow tables it has issued and the count of the corresponding target fields in all of those flow tables;
3) a query request is sent to the switch according to the configuration of step 1);
4) on receiving the query request, the switch returns the real-time statistics of the target fields of the flow tables to be checked to the controller;
5) the count of the target fields in the real-time statistics returned in step 4) is compared with the count of the target fields backed up in step 2), completing the detection of flow table consistency in SDN.
Further, in step 1) the user selects the target fields according to detection needs, based on the characteristics of eavesdropping attacks that tamper with flow tables.
Further, in step 2) the backup at the controller is kept separately for each switch.
Further, the query request comprises: a message number, the number of target fields to be queried in this query, and the list of numbers of the target fields to be queried.
Further, the real-time statistics comprise: a message number, the number of target fields to be replied in this query, and the information list of the target fields to be replied.
Further, the information list of the target fields to be replied comprises the number of each target field to be replied and the count value of the target field corresponding to that number.
Further, in each query, the message number in the real-time statistics received by the controller corresponds to, and is consistent with, the message number in the query request.
Further, in step 4) the switch counts the target fields of the existing flow tables to be checked before detection starts, and whenever a flow table to be checked is installed, deleted or modified, it updates the count of its target fields, thereby obtaining the real-time statistics of the target fields of the flow tables to be checked.
A system for detecting flow table consistency in SDN, comprising: a controller on which a flow table backup module, a management configuration module and a query module are deployed, and a switch on which a field count module and an information reply module are deployed;
the flow table backup module is used to back up all flow tables issued by the controller and the count of the corresponding target fields in all of those flow tables; the management configuration module is used to configure the target fields of the flow tables to be checked and the query frequency; the query module is used to send query messages to the switch according to the configuration of the management configuration module and to check flow table consistency according to the replies of the information reply module;
the field count module is used to count the target fields of the existing flow tables to be checked before detection starts and to update the count values of the target fields of the flow tables to be checked in real time; the information reply module is used to extract, according to the query message, the current count values of the target fields of the flow tables to be checked at query time and reply them to the query module.
Further, the query message sent by the query module to the switch comprises: a message number, the number of target fields to be queried in this query, and the list of numbers of the target fields to be queried.
Further, the reply of the information reply module comprises: a message number, the number of target fields to be replied in this query, and the information list of the target fields to be replied.
Further, in each query, the message number of the query message corresponds to, and is consistent with, the message number of the reply.
Further, the information list of the target fields to be replied comprises the number of each target field to be replied and the count value of the target field corresponding to that number.
Further, the query module compares the current count values of the target fields of the flow tables to be checked, as replied by the information reply module, with the count of the target fields backed up by the flow table backup module, in order to detect flow table consistency.
Compared with the prior art, the beneficial effects of the invention are as follows:
On the basis of existing methods for detecting SDN flow table consistency, the present invention proposes a method and system that are more targeted, have a higher detection rate and detect faster. The method and system can customize the fields to be checked according to the characteristics of eavesdropping attacks that tamper with flow tables; as long as the type of flow table tampering used by the eavesdropping attack to be defended against is known, a 100% detection rate can be achieved. At the same time, because the method only requires the switch to return the counts of specific fields, it occupies little network transmission bandwidth and little processing time on the controller and the switch. The present invention is therefore a supplement to and improvement of SDN flow table consistency detection and protection.
Brief description of the drawings
Fig. 1 is the module diagram of the system for detecting flow table consistency in SDN according to the present invention.
Fig. 2 is a schematic of the format of the message the controller sends to query the switch.
Fig. 3 is a schematic of the format of the message with which the switch replies to the controller in the present invention.
Fig. 4 is a schematic of the <ActfieldCount> structure shown in Fig. 3.
Fig. 5 is the simulated attack scenario used to test the flow table field detection method of the present invention.
Fig. 6 is a schematic of the format of the message the controller sends to query the switch in the embodiment.
Fig. 7 is a schematic of the <ActfieldCount> structure in the message with which the switch replies to the controller in the embodiment.
Fig. 8 is a schematic of the format of the message with which the switch replies to the controller in the embodiment.
Detailed description
Taking a single switch as an example, the system for detecting flow table consistency in SDN according to the present invention is shown in Fig. 1. The controller is mainly responsible for flow table backup, management configuration and sending query requests; the switch records changes in the counts of the target fields of the flow tables to be checked and replies to the controller's query requests; packet forwarding between switches is performed by the data plane.
The format of the message OFFieldQuery that the controller sends to query the switch is shown in Fig. 2 and comprises: BufferId, the message number in the message buffer; FieldNum, the total number of field count values requested in this query; CheckActFieldList, the list of numbers of the fields to be queried.
The format of the message OFFieldReply with which the switch replies to the controller is shown in Fig. 3 and comprises: BufferId, the message number in the message buffer; FieldNum, the total number of field count values returned in this query; FieldCount, a list giving, for each field number replied, the corresponding count value.
Here <ActfieldCount> is a structure whose layout is shown in Fig. 4 and which comprises: actType, the number of a field, and actCount, the count value of that field.
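The message formats above name their fields but say nothing about their encoding. As an added example that is not part of the patent, the following Python encodes and decodes OFFieldQuery and OFFieldReply with assumed byte widths (BufferId 32 bits, FieldNum 16 bits, actType 8 bits, actCount 32 bits, big-endian as in OpenFlow) and enforces the rule stated in the description that the reply's BufferId must correspond to the cached query's before its counts are used; it also rejects a message whose FieldNum disagrees with the list it actually carries.

```python
"""Added example, not code from the patent: one concrete wire encoding of the
OFFieldQuery / OFFieldReply messages of Figs. 2-4 with the BufferId consistency check
the description requires. The patent names the fields but gives no byte widths; the
widths used here (BufferId u32, FieldNum u16, actType u8, actCount u32, big-endian as
in OpenFlow) are assumptions for illustration."""
import struct
from typing import List, Tuple

HDR = struct.Struct("!IH")              # BufferId (u32) + FieldNum (u16), shared by both messages
ACT_FIELD_COUNT = struct.Struct("!BI")  # <ActfieldCount>: actType (u8) + actCount (u32)


def encode_query(buffer_id: int, check_act_field_list: List[int]) -> bytes:
    """Controller -> switch: BufferId, FieldNum, CheckActFieldList (one u8 per field number)."""
    return HDR.pack(buffer_id, len(check_act_field_list)) + bytes(check_act_field_list)


def decode_query(data: bytes) -> Tuple[int, List[int]]:
    buffer_id, field_num = HDR.unpack_from(data, 0)
    body = data[HDR.size:]
    if len(body) != field_num:               # FieldNum must agree with the list actually sent
        raise ValueError("FieldNum %d disagrees with %d list bytes" % (field_num, len(body)))
    return buffer_id, list(body)


def encode_reply(buffer_id: int, field_count: List[Tuple[int, int]]) -> bytes:
    """Switch -> controller: BufferId, FieldNum, then FieldNum <ActfieldCount> structures."""
    parts = [HDR.pack(buffer_id, len(field_count))]
    parts += [ACT_FIELD_COUNT.pack(act_type, act_count) for act_type, act_count in field_count]
    return b"".join(parts)


def decode_reply(data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    buffer_id, field_num = HDR.unpack_from(data, 0)
    body = data[HDR.size:]
    if len(body) != field_num * ACT_FIELD_COUNT.size:
        raise ValueError("FieldCount list is truncated or padded")
    counts = [ACT_FIELD_COUNT.unpack_from(body, i * ACT_FIELD_COUNT.size) for i in range(field_num)]
    return buffer_id, [(act_type, act_count) for act_type, act_count in counts]


def match_reply_to_query(query: bytes, reply: bytes) -> List[Tuple[int, int]]:
    """Controller side: a reply is accepted only if its BufferId equals that of the cached
    query and it answers exactly the queried field numbers, in order; otherwise it is
    rejected instead of being compared against the backup."""
    q_id, asked = decode_query(query)
    r_id, counts = decode_reply(reply)
    if r_id != q_id:
        raise ValueError("BufferId mismatch: queried %d, reply carries %d" % (q_id, r_id))
    if [act_type for act_type, _ in counts] != asked:
        raise ValueError("reply does not cover the queried CheckActFieldList")
    return counts


def embodiment_roundtrip() -> List[Tuple[int, int]]:
    """Figs. 6-8: query OUTPUT (00), SET_FIELD (01), PACKET_IN (09), DROP (08); the
    tampered switch answers OUTPUT=2 (one mirror port added). Values are constructed."""
    query = encode_query(7, [0x00, 0x01, 0x09, 0x08])
    reply = encode_reply(7, [(0x00, 2), (0x01, 0), (0x09, 0), (0x08, 0)])
    return match_reply_to_query(query, reply)


def mismatched_buffer_id_is_rejected() -> bool:
    """A reply whose BufferId was never issued for this query (stale or forged) is dropped."""
    try:
        match_reply_to_query(encode_query(7, [0x00]), encode_reply(8, [(0x00, 1)]))
    except ValueError:
        return True
    return False
```

The BufferId check matters because the controller caches each query it sends: without tying a reply to the query it answers, a delayed reply from an earlier poll, taken before a tampering, could be compared against the current backup and mask the change.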
Embodiment
The simulated attack scenario used to test the flow table consistency detection method of the present invention is shown in Fig. 5.
Host HUSTC sends packets to host HCSTNET. While the data flow travels along the route through switches USTC, IIE and CSTNET, host HIIE tampers with a flow entry on switch IIE so that the data flow also flows to host HIIE, thereby achieving eavesdropping.
Before the attacker strikes, the controller is configured to check the critical fields and a polling interval is set first, e.g. one query every 3 s. The controller sends query messages to the switches; the list of field numbers to be queried is set in the CheckActFieldList of the query message. In this example the counts of four fields are queried on every switch: OUTPUT (00), SET_FIELD (01), PACKET_IN (09) and DROP (08). The query message, containing the queried fields and the message number, is issued to the switches and cached; its format is shown in Fig. 6. Now the attacker logs in to switch IIE and tampers with the flow table by adding an action field output whose port points to the port connected to host HIIE. The query result returned by the switch after the attack is shown in Fig. 7 and Fig. 8. Compared with the backup, the count of the actType=00 field in the controller's backup is actCount=1, whereas the switch replies actCount=2 for this field; the controller's management port therefore reports a flow table inconsistency. One query interval after the flow table on the switch has been tampered with, the controller receives the switch's query result, compares it with the flow tables backed up at the controller, and finds that in the flow entry of switch number 3 (IIE) the count of output is one greater; this indicates that the attacker has added a mirror port on the switch, and it is judged that an eavesdropping attack is under way.
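The following Python simulation is an added example, not code from the patent. It implements steps 1) to 5) of the method described above and replays the embodiment's scenario: the controller backs up the per-switch count of the target fields OUTPUT (00), SET_FIELD (01), PACKET_IN (09) and DROP (08); the attacker adds an output action towards HIIE on switch IIE behind the controller's back; the next poll shows OUTPUT counted twice against a backup of one. Switch names, port numbers, the match fields and the flow entry are constructed for illustration. Two caveats, which go beyond the text: the check trusts the switch's own field count module, which holds for the threat model described (rule tampering through an unauthenticated management port, not a compromised switch image); and because only occurrences of an action type are counted, a tampering that rewrites the existing output port instead of adding one leaves the count unchanged and is not detected, which is why the choice of target fields must match the tampering type expected.

```python
"""Added example, not code from the patent: a simulation of the count-based consistency
check of steps 1)-5), run on the embodiment's scenario (Fig. 5). The target-field numbers
OUTPUT=00, SET_FIELD=01, DROP=08, PACKET_IN=09 are the ones listed in the embodiment;
switch names, ports and the flow entry are constructed for illustration."""
import copy
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

OUTPUT, SET_FIELD, DROP, PACKET_IN = 0x00, 0x01, 0x08, 0x09
TARGET_FIELDS = [OUTPUT, SET_FIELD, PACKET_IN, DROP]   # CheckActFieldList of the embodiment


@dataclass
class FlowEntry:
    match: Dict[str, str]
    priority: int
    actions: List[Tuple[int, int]]   # (action type, argument), e.g. (OUTPUT, port 2)


def count_target_fields(flows: List[FlowEntry], targets: List[int]) -> Dict[int, int]:
    """Field count module: occurrences of each target action type across the flow table."""
    c = Counter(a_type for f in flows for a_type, _ in f.actions)
    return {t: c.get(t, 0) for t in targets}


class Switch:
    """Step 4): holds the live flow table and answers OFFieldQuery with OFFieldReply."""
    def __init__(self, name: str):
        self.name, self.flows = name, []

    def reply(self, query: dict) -> dict:
        live = count_target_fields(self.flows, query["CheckActFieldList"])
        return {"BufferId": query["BufferId"], "FieldNum": query["FieldNum"],
                "FieldCount": [(t, live[t]) for t in query["CheckActFieldList"]]}


class Controller:
    """Steps 2), 3), 5): per-switch backup of issued flows and their target-field counts."""
    def __init__(self, targets: List[int]):
        self.targets = targets
        self.backup: Dict[str, List[FlowEntry]] = {}
        self.backup_counts: Dict[str, Dict[int, int]] = {}
        self.outstanding: Dict[int, str] = {}   # BufferId -> switch the query went to
        self.next_buffer_id = 1

    def install(self, switch: Switch, flow: FlowEntry) -> None:
        switch.flows.append(flow)
        self.backup.setdefault(switch.name, []).append(copy.deepcopy(flow))
        self.backup_counts[switch.name] = count_target_fields(self.backup[switch.name], self.targets)

    def build_query(self, switch_name: str) -> dict:
        """OFFieldQuery: BufferId, FieldNum, CheckActFieldList."""
        bid, self.next_buffer_id = self.next_buffer_id, self.next_buffer_id + 1
        self.outstanding[bid] = switch_name
        return {"BufferId": bid, "FieldNum": len(self.targets), "CheckActFieldList": list(self.targets)}

    def check_reply(self, reply: dict) -> Dict[int, Tuple[int, int]]:
        """Compare live counts with the backup; return {field: (backup, live)} for mismatches."""
        switch_name = self.outstanding.pop(reply["BufferId"], None)
        if switch_name is None:
            raise ValueError("reply BufferId matches no outstanding query")
        expected = self.backup_counts[switch_name]
        return {t: (expected[t], n) for t, n in reply["FieldCount"] if expected[t] != n}


def run_scenario(tamper: str) -> Dict[int, Tuple[int, int]]:
    """HUSTC -> USTC -> IIE -> CSTNET -> HCSTNET; the attacker edits switch IIE directly
    through its management interface, so the controller's backup is not updated.
    tamper='mirror' adds a second output to the HIIE port (the attack in the embodiment);
    tamper='redirect' replaces the existing port instead; tamper='none' changes nothing."""
    ctrl, iie = Controller(TARGET_FIELDS), Switch("IIE")
    # Constructed rule: HUSTC -> HCSTNET traffic leaves IIE on port 2 (towards CSTNET).
    ctrl.install(iie, FlowEntry({"ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.3"}, 100, [(OUTPUT, 2)]))
    query = ctrl.build_query("IIE")                  # one polling round (e.g. every 3 s)
    if tamper == "mirror":
        iie.flows[0].actions.append((OUTPUT, 3))     # port 3 = HIIE: mirror port added
    elif tamper == "redirect":
        iie.flows[0].actions[0] = (OUTPUT, 3)        # same OUTPUT count, different port
    return ctrl.check_reply(iie.reply(query))


if __name__ == "__main__":
    print(run_scenario("mirror"))     # {0: (1, 2)}: OUTPUT backed up once, seen twice
    print(run_scenario("redirect"))   # {}: a count-only check does not see a port change
```

Running the module prints the two outcomes: the mirror-port tampering of the embodiment is flagged on the OUTPUT field, while the redirect case returns no mismatch, which is the limitation described in the lead-in.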

Claims (10)

1. A method for detecting flow table consistency in SDN, comprising the steps of:
1) the user configures, at the controller, the target fields of the flow tables to be checked and the query frequency;
2) the controller backs up all flow tables it has issued and the count of the corresponding target fields in all of those flow tables;
3) a query request is sent to the switch according to the configuration of step 1);
4) on receiving the query request, the switch returns the real-time statistics of the target fields of the flow tables to be checked to the controller;
5) the count of the target fields in the real-time statistics returned in step 4) is compared with the count of the target fields backed up in step 2), completing the detection of flow table consistency in SDN.
2. The method for detecting flow table consistency in SDN according to claim 1, characterized in that in step 1) the user selects the target fields according to detection needs, based on the characteristics of eavesdropping attacks that tamper with flow tables; and in step 2) the backup at the controller is kept separately for each switch.
3. The method for detecting flow table consistency in SDN according to claim 1, characterized in that the query request comprises: a message number, the number of target fields to be queried in this query, and the list of numbers of the target fields to be queried; and the real-time statistics comprise: a message number, the number of target fields to be replied in this query, and the information list of the target fields to be replied.
4. The method for detecting flow table consistency in SDN according to claim 3, characterized in that the information list of the target fields to be replied comprises the number of each target field to be replied and the count value of the target field corresponding to that number.
5. The method for detecting flow table consistency in SDN according to claim 3, characterized in that, in each query, the message number in the real-time statistics received by the controller corresponds to, and is consistent with, the message number in the query request.
6. The method for detecting flow table consistency in SDN according to claim 1, characterized in that in step 4) the switch counts the target fields of the existing flow tables to be checked before detection starts, and whenever a flow table to be checked is installed, deleted or modified, it updates the count of its target fields and thereby obtains the real-time statistics of the target fields of the flow tables to be checked.
7. A system for detecting flow table consistency in SDN, comprising: a controller on which a flow table backup module, a management configuration module and a query module are deployed, and a switch on which a field count module and an information reply module are deployed;
the flow table backup module is used to back up all flow tables issued by the controller and the count of the corresponding target fields in all of those flow tables; the management configuration module is used to configure the target fields of the flow tables to be checked and the query frequency; the query module is used to send query messages to the switch according to the configuration of the management configuration module and to check flow table consistency according to the replies of the information reply module;
the field count module is used to count the target fields of the existing flow tables to be checked before detection starts and to update the count values of the target fields of the flow tables to be checked in real time; the information reply module is used to extract, according to the query message, the current count values of the target fields of the flow tables to be checked at query time and reply them to the query module.
8. The system for detecting flow table consistency in SDN according to claim 7, characterized in that the query message sent by the query module to the switch comprises: a message number, the number of target fields to be queried in this query, and the list of numbers of the target fields to be queried; and the reply of the information reply module comprises: a message number, the number of target fields to be replied in this query, and the information list of the target fields to be replied.
9. The system for detecting flow table consistency in SDN according to claim 8, characterized in that the information list of the target fields to be replied comprises the number of each target field to be replied and the count value of the target field corresponding to that number.
10. The system for detecting flow table consistency in SDN according to claim 7, characterized in that the query module compares the current count values of the target fields of the flow tables to be checked, as replied by the information reply module, with the count of the target fields backed up by the flow table backup module, in order to detect flow table consistency.
Publications (2)

Publication number       Publication date
CN106713307A             2017-05-24
CN106713307B (granted)   2019-12-10

Application CN201611186120.0A, filed 2016-12-20 (priority date 2016-12-20), title "Method and system for detecting flow table consistency in SDN"; status Active. Family ID 58938114; the family has a single member, published in CN only.

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107332738A (en) * 2017-07-26 2017-11-07 成都科来软件有限公司 Method and system for quickly discovering network probes
CN107707482A (en) * 2017-09-29 2018-02-16 新华三技术有限公司 Data smoothing method and apparatus
CN109818834A (en) * 2019-03-25 2019-05-28 国家计算机网络与信息安全管理中心 Lightweight SDN flow table rule detection tool and detection method
CN111327485A (en) * 2018-12-14 2020-06-23 中兴通讯股份有限公司 Flow table monitor management method and device, network equipment and network system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102946365A (en) * 2012-11-09 2013-02-27 清华大学 Flow table updating consistency maintaining method based on software defined network
WO2014101398A1 (en) * 2012-12-24 2014-07-03 华为技术有限公司 Software defined network based data processing method, node and system
CN104104561A (en) * 2014-08-11 2014-10-15 武汉大学 SDN (self-defending network) firewall state detecting method and system based on OpenFlow protocol
CN104158800A (en) * 2014-07-21 2014-11-19 南京邮电大学 Detection method of DDoS (Distributed Denial of Service) attack for software defined network (SDN)
CN104935604A (en) * 2015-06-29 2015-09-23 南京邮电大学 Open Flow protocol-based SDN firewall system and method
CN105207950A (en) * 2015-09-16 2015-12-30 中国科学院信息工程研究所 Communication data protection method based on SDN technology
US20160254995A1 (en) * 2013-11-07 2016-09-01 Huawei Technologies Co., Ltd. Control Device and Control Method in SDN Network





Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant