CN106790111A - Intelligent grid threat propagation defence method based on software definition multicast - Google Patents
Intelligent grid threat propagation defence method based on software definition multicast
- Publication number: CN106790111A
- Application number: CN201611220741.6A
- Authority: CN (China)
- Prior art keywords: data, software definition, multicast, controller, definition multicast
- Legal status: Granted
Classifications
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies)
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories and standardised directory access protocols, using the domain name system [DNS] (under H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/45 Network directories; H04L61/4505 using standardised directories)
- H04L63/0263—Rule management (under H04L63/0227 Filtering policies)
- H04L63/0281—Proxies (under H04L63/02 separating internal from external traffic, e.g. firewalls)
- H04L63/12—Applying verification of the received information (under H04L63/00 Network architectures or network communication protocols for network security)
- Y02D30/50—Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D Climate change mitigation technologies in information and communication technologies [ICT]; Y02D30/00 Reducing energy consumption in communication networks)
Abstract
The invention provides a smart grid threat propagation defence method based on software-defined multicast, comprising: Step 1: a software-defined multicast system is established, consisting of a centralized control layer and a data layer; Step 2: the data of the higher-level intelligent electronic devices is named according to a prescribed naming rule, after which service names are matched and content awareness and feature extraction are performed on the data. The centralized control layer of the software-defined multicast system authenticates the extracted data content; data flows whose content passes authentication are forwarded, and data flows whose content fails authentication are forwarded only in a restricted manner. The invention includes a dedicated master controller that can monitor and control the state of the intelligent electronic devices. To address a defect of the IEC61850 standard, the software-defined multicast mechanism has the switches execute a content matching module, which reduces the forwarding strategy selection time for each packet.
Description
Technical field
The present invention relates to the field of smart grid technology, and in particular to a smart grid threat propagation defence method based on software-defined multicast.
Background technology
In smart grid substations, intelligent electronic devices (IEDs) were originally designed to implement real-time protection control and data acquisition (RPCDA). To improve the effectiveness of cooperative communication between IEDs, the industry formulated the IEC61850 standard (the only universal standard in the field of power system automation), which specifies the data model and the communication format between smart grid stations. IEC61850 successfully realizes multicast transmission among many IEDs, so that communication efficiency between the IEDs of a smart grid substation is greatly improved. However, this new standard conceals a significant security problem: because of this form of multicast transmission, the loss caused by a network security attack grows exponentially.
The sources of network security threats to an intelligent substation can be roughly divided into two kinds, cyberspace security and physical facility security, and the two are closely related. For physical facility security, the major threats include hardware aging, operational error and natural disasters. To reduce the impact of physical facility security, a large number of IEDs are deployed in dispersed substations to effectively detect and control the state of the various instruments and meters in the smart grid. On the cyberspace security side, data confidentiality, integrity and availability are closely tied to the real-time behaviour of the communication system, such as network delay, network congestion and packet loss. An erroneous operation is likely to cause a service interruption, or even trigger a series of security incidents that endanger the safety and stability of grid operation.
Earlier research mostly concentrated on how to guarantee the real-time transfer of data between IEDs, while the design of aspects such as the data dispersed across sensors received very little attention. In recent years, with the rapid growth in the number of network attacks on smart grids, attention to smart grid security threat defence has also risen. Multicast transmission lets a security threat spread rapidly, so any network security threat attack can become very lethal in a multicast communication system. Although virtual local area network (VLAN) technology can reduce the propagation domain of network security threats to some extent, multicast transmission based on MAC (Medium Access Control) addresses is usually static and independent of data content, so existing means are difficult to use for detection and prevention.
The content of the invention
In view of the defects of the prior art, the object of the present invention is to provide a smart grid threat propagation defence method based on software-defined multicast.
The smart grid threat propagation defence method based on software-defined multicast provided by the present invention comprises the following steps:
Step 1: A software-defined multicast system is established, comprising a centralized control layer and a data layer. The centralized control layer performs state monitoring, operation control, name matching, interest-decision table maintenance and propagation path selection; the data layer performs data forwarding and content caching; and multiple data flows run in the software-defined multicast system.
Step 2: The data of the intelligent electronic devices is named according to a prescribed naming rule, after which service names are matched and content awareness and feature extraction are performed on the data. The centralized control layer of the software-defined multicast system authenticates the extracted data content; data flows whose content passes authentication are forwarded, and data flows whose content fails authentication are forwarded only in a restricted manner.
Preferably, the intelligent electronic device in Step 2 contains at least one data naming agent, and the naming agent contains at least one data naming module for naming data.
Preferably, the centralized control layer in Step 2 contains at least one controller, and the data layer contains multiple intelligent electronic devices and data transmission equipment; the data transmission equipment comprises switches.
Specifically, an intelligent electronic device aperiodically shares its local monitoring data, via the data transmission equipment, with its higher-level intelligent electronic device. The data transmission equipment is controlled by the controller, which performs real-time state information updates and network topology information updates on it; the controller can also limit the data traffic volume flowing through each port of the data transmission equipment.
Preferably, the controller contains a data-naming matching agent, an authentication agent and a treatment agent. The data-naming matching agent matches data according to the naming rule; the authentication agent authenticates, from the matched features, whether the data contains a security threat; the treatment agent limits the corresponding data flow according to the threat decision result.
Preferably, Step 2 comprises:
Step 2.1: When data is sent into the network for the first time it is forwarded to the controller; the controller performs data content awareness and feature extraction according to the prescribed naming rule, and the matched packets are stored in the pending name management unit.
Step 2.2: The matching agent sends the extracted features to the authentication agent, whose security service module discriminates the data features, judges whether a security threat behaviour is present, and produces the corresponding authentication result.
Step 2.3: The authentication agent sends the authentication result to the treatment agent, which limits the data flows corresponding to data content that failed authentication.
Preferably, the data exchange between the agents of the controller includes at least one data sharing module implemented on a publish/subscribe pattern. Specifically, each agent publishes its result into a public domain space, and every agent that has subscribed to that result can obtain the other agents' results from the public domain space.
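As an added illustration (not code from the patent), the following Python models Steps 2.1 to 2.3 together with the publish/subscribe data sharing module: a matching agent applies a naming rule to first-seen packets, an authentication agent checks the extracted features, and a treatment agent turns each verdict into a forwarding action. The naming rule, the per-service size and rate profile, the rate limit applied to unauthenticated flows and the sample packets are all constructed assumptions; the patent does not specify any of them.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed naming rule (constructed for this example):
# "<IED>/<logical node>.<ACSI service>", e.g. "IED1/MMXU1.GOOSE"
NAME_RULE = re.compile(r"^(?P<device>IED\d+)/(?P<node>[A-Z]{4}\d+)\.(?P<service>[A-Za-z]+)$")

# Assumed per-service profile (constructed): (max payload bytes, max packets per second)
SERVICE_PROFILE = {"GOOSE": (64, 512), "SV": (128, 4800), "MMS": (1500, 100)}

# Assumed rate applied to flows that fail authentication (restricted forwarding)
LIMIT_PPS = 10


@dataclass(frozen=True)
class Packet:
    src_mac: str
    service_name: str
    payload_len: int
    rate_pps: int


class DataSharingModule:
    """Publish/subscribe space shared by the agents: a publisher writes a result
    under a topic, and every agent subscribed to that topic receives its own copy."""

    def __init__(self):
        self._subscribers = defaultdict(set)
        self._queues = defaultdict(deque)  # (agent, topic) -> results not yet read

    def subscribe(self, agent, topic):
        self._subscribers[topic].add(agent)

    def publish(self, topic, result):
        for agent in self._subscribers[topic]:
            self._queues[(agent, topic)].append(result)

    def drain(self, agent, topic):
        """Return and clear the results waiting for `agent`; unsubscribed agents get nothing."""
        if agent not in self._subscribers[topic]:
            raise PermissionError(f"{agent} is not subscribed to {topic}")
        queue = self._queues[(agent, topic)]
        results = list(queue)
        queue.clear()
        return results


def matching_agent(packets, bus):
    """Step 2.1: apply the naming rule to each first-seen packet and publish the
    extracted features; unmatched names are flagged (service=None), not dropped."""
    features = []
    for pkt in packets:
        m = NAME_RULE.match(pkt.service_name)
        feat = {"src_mac": pkt.src_mac, "name": pkt.service_name,
                "service": m["service"] if m else None,
                "payload_len": pkt.payload_len, "rate_pps": pkt.rate_pps}
        bus.publish("features", feat)
        features.append(feat)
    return features


def authentication_agent(bus):
    """Step 2.2: the security service module compares each feature set with the
    expected profile of the named service and publishes a verdict."""
    verdicts = []
    for feat in bus.drain("authentication", "features"):
        profile = SERVICE_PROFILE.get(feat["service"])
        if profile is None:
            verdict = "unnamed"       # violates the naming rule or names an unknown service
        elif feat["payload_len"] > profile[0] or feat["rate_pps"] > profile[1]:
            verdict = "threat"        # content inconsistent with the name it carries
        else:
            verdict = "authenticated"
        result = {"src_mac": feat["src_mac"], "name": feat["name"], "verdict": verdict}
        bus.publish("verdicts", result)
        verdicts.append(result)
    return verdicts


def treatment_agent(bus):
    """Step 2.3: authenticated flows are forwarded; all others are forwarded
    under a rate limit, keyed by the source MAC of the flow."""
    actions = {}
    for v in bus.drain("treatment", "verdicts"):
        if v["verdict"] == "authenticated":
            actions[v["src_mac"]] = {"action": "forward"}
        else:
            actions[v["src_mac"]] = {"action": "rate_limit", "pps": LIMIT_PPS, "reason": v["verdict"]}
    return actions


def run_controller(packets):
    """Wire the three agents together through the data sharing module."""
    bus = DataSharingModule()
    bus.subscribe("authentication", "features")
    bus.subscribe("treatment", "verdicts")
    matching_agent(packets, bus)
    authentication_agent(bus)
    return treatment_agent(bus)


# Constructed sample of packets seen by the network for the first time
SAMPLE = [
    Packet("00:11:22:00:00:01", "IED1/MMXU1.GOOSE", 48, 100),    # well-formed GOOSE
    Packet("00:11:22:00:00:02", "IED2/XCBR1.GOOSE", 1400, 100),  # far too large for GOOSE
    Packet("00:11:22:00:00:03", "raw-stream", 200, 50),          # violates the naming rule
]

if __name__ == "__main__":
    for mac, action in run_controller(SAMPLE).items():
        print(mac, action)
```

Running the block prints one action per source MAC: the well-formed GOOSE flow is forwarded, while the oversized flow and the unnamed flow are both forwarded under the rate limit, which is the "limitation forwarding" the claims describe. Because results move only through the sharing module, an agent that has not subscribed to a topic cannot read it, which keeps the three agents independent even when they are deployed on separate hosts.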
Compared with the prior art, the present invention has the following beneficial effects:
The smart grid threat propagation defence method based on software-defined multicast provided by the present invention can effectively suppress the rate at which a threat attack diffuses through the whole network domain via multicast transmission. In addition, the method includes a dedicated master controller that can monitor and control the state of the intelligent electronic devices. To address the defect of the IEC61850 standard, the software-defined multicast mechanism has the switches execute a content matching module, which reduces the forwarding strategy selection time for each packet.
Brief description of the drawings
Other features, objects and advantages of the invention will become more apparent by reading the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 is a schematic diagram of the software-defined multicast mechanism of the invention;
Fig. 2(a) and Fig. 2(b) are schematic diagrams of the intelligent electronic device data model and traffic model respectively;
Fig. 3 is the working sequence diagram of the software-defined multicast of the invention;
Fig. 4 is a schematic diagram of the propagation characteristics of different multicast patterns;
Fig. 5(a) to Fig. 5(d) are performance comparison diagrams of four kinds of IEC61850 communication against the software-defined multicast mechanism;
Fig. 6(a) to Fig. 6(c) are comparison diagrams of the transmission delay reduction achieved by three kinds of software-defined multicast.
Specific embodiments
The present invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to further understand the invention, but do not limit the invention in any way. It should be noted that those of ordinary skill in the art can also make several changes and improvements without departing from the inventive concept; these all fall within the protection scope of the invention.
The smart grid threat propagation defence method based on software-defined multicast is generally organized into a centralized control layer and a data layer, as shown in Fig. 1. State monitoring, operation control, name matching, interest-decision table maintenance and propagation path selection are performed in the centralized control layer; data forwarding and content caching are performed in the data layer. The centralized control layer contains at least one controller, and each controller comprises five parts: a pending interest management unit, a name matching domain, network resource management, network applications and security services. In implementation the logical controllers are denoted C1 and C2 according to their function allocation; in practice C1 and C2 can be realized on a single physical controller.
The pending interest management unit collects the NDOs in each IED. The names in the NDOs are sent by interest packets. These NDOs are mapped into a unified table so that they can be flexibly retrieved by MAC address.
The name matching domain is the key step for correctly carrying out data transmission between a subject and an object. In the matching domain, the destination MAC address of the subscribed service data is determined in advance, and the publish/subscribe pattern is used.
In network resource management, routing path selection is a basic function of every network application. Routing path selection must first build a virtual topology of the whole network. After it receives the set of source MAC addresses and the set of destination MAC addresses, it computes the optimal routed path from the source MAC to the destination MAC. Different servers may have differing requirements on link state.
Security services are the basis on which the method can automatically and reasonably classify forwardable data and network resources; the security service module in the authentication agent invokes specific security measures to authenticate the data features.
The present invention seeks to solve the problem of threat propagation in the smart grid and, further, to reduce the speed at which threats propagate across the whole network. By realizing the multicast mechanism through software definition, and managing and configuring it centrally, multicast data that carries a security threat can be flexibly identified and limited. Simulation shows that the invention effectively reduces the propagation rate of security threats in the smart grid, thereby enhancing smart grid security.
The smart grid threat propagation defence method based on software-defined multicast provided by the present invention comprises the following steps:
Step 1: The ACSI services to be published by the source/destination intelligent electronic devices are named;
Step 2: SAP packets are published to the controller of the software-defined multicast mechanism; the SAP packet is the interest packet that the source intelligent electronic device publishes to the controller of the method;
Step 3: The server name, Ts/Td and MAC address are derived from the SAP and the DAS respectively; the DAS is the interest packet that the destination intelligent electronic device publishes to the controller of the method;
Step 4: Controller C1 matches the server name of the SAP against the server name of the DAS; if they match, the matched SAP and DAS are labelled SAP' and DAS'. Controller C1 is the first module of the controller in the method;
Step 5: The source MAC address and the destination MAC address are selected from SAP' and DAS' respectively and relabelled as DMAC' and SMAC';
Step 6: DMAC' and SMAC' are sent to controller C2, the second module of the controller in the method;
Step 7: Controller C2 notifies the source intelligent electronic device to send the service data of DMAC' to SMAC';
Step 8: The source intelligent electronic device sends the data flow into the network;
Step 9: The network element receives the data flow from the source intelligent electronic device;
Step 10: The network element reports the network state to controller C2 through customized OpenFlow;
Step 11: Controller C2 extracts the network type and service name information from the network data flow;
Step 12: Controller C2 builds a logical topology and a virtual topology for the logical services;
Step 13: Controller C2 detects and controls the state of all network elements;
Step 14: Controller C2 matches the Ethernet parameters of the network type marked for SMAC' and DMAC';
Step 15: Controller C2 formulates the data forwarding flow table from the data forwarding rules;
Step 16: Controller C2 distributes the flow table to each element;
Step 17: The service is forwarded from the source intelligent electronic device to the destination intelligent electronic device.
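The following Python is an added worked example of the C1/C2 workflow in Steps 1 to 17; it is not the patent's own implementation. C1 pairs SAP and DAS interest packets by server name and derives the MAC addresses from them; C2 builds a virtual topology from switch state reports, computes a path between the two hosts, and emits one flow entry per switch on that path. The interest packet fields, the report format, the three-switch topology and the flow-entry layout are assumptions made for the example; a real deployment would carry them over OpenFlow messages rather than Python dicts.

```python
from collections import deque


def c1_match(saps, dass):
    """Steps 3-5 (C1): read the server name, timestamp and MAC from each interest
    packet and pair every SAP with the DAS packets that announce the same server name."""
    dass_by_server = {}
    for das in dass:
        dass_by_server.setdefault(das["server"], []).append(das)
    pairs = []
    for sap in saps:
        for das in dass_by_server.get(sap["server"], []):
            pairs.append({"server": sap["server"], "smac": sap["mac"], "dmac": das["mac"],
                          "ts": sap["t"], "td": das["t"]})
    return pairs


def build_virtual_topology(reports):
    """Steps 10-12 (C2): switch state reports (assumed format) become an adjacency
    map switch -> {neighbour: egress port} plus a map host MAC -> (switch, port)."""
    adj, hosts = {}, {}
    for rep in reports:
        adj.setdefault(rep["switch"], {})
        for port, mac in rep["hosts"].items():
            hosts[mac] = (rep["switch"], port)
        for port, peer in rep["links"].items():
            adj[rep["switch"]][peer] = port
    return adj, hosts


def shortest_path(adj, src, dst):
    """Breadth-first search over the virtual topology; hop count is the only link
    cost assumed here. Returns the list of switches from src to dst, or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj.get(node, {}):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def c2_flow_entries(pair, adj, hosts):
    """Steps 14-16 (C2): one flow entry per switch on the path, matching the
    Ethernet source/destination of the matched pair and setting the output port."""
    src_sw, _ = hosts[pair["smac"]]
    dst_sw, dst_port = hosts[pair["dmac"]]
    path = shortest_path(adj, src_sw, dst_sw)
    if path is None:
        return []
    entries = []
    for here, nxt in zip(path, path[1:]):
        entries.append({"switch": here, "eth_src": pair["smac"], "eth_dst": pair["dmac"],
                        "out_port": adj[here][nxt]})
    entries.append({"switch": dst_sw, "eth_src": pair["smac"], "eth_dst": pair["dmac"],
                    "out_port": dst_port})
    return entries


def run_workflow(saps, dass, reports):
    """C1 matching followed by C2 path computation; returns flow entries per server name."""
    adj, hosts = build_virtual_topology(reports)
    tables = {}
    for pair in c1_match(saps, dass):
        tables.setdefault(pair["server"], []).extend(c2_flow_entries(pair, adj, hosts))
    return tables


# Constructed sample: the destination IED on s3 subscribes to the same ACSI service
# the source IED on s1 publishes; the IED on s2 announces a different service and
# therefore never receives a flow entry for this service.
SAPS = [{"server": "IED1/MMXU1.GOOSE", "mac": "00:11:22:00:00:01", "t": 1000}]
DASS = [{"server": "IED1/MMXU1.GOOSE", "mac": "00:11:22:00:00:02", "t": 1001},
        {"server": "IED9/XCBR1.GOOSE", "mac": "00:11:22:00:00:03", "t": 1002}]
REPORTS = [
    {"switch": "s1", "hosts": {3: "00:11:22:00:00:01"}, "links": {1: "s2", 2: "s3"}},
    {"switch": "s2", "hosts": {3: "00:11:22:00:00:03"}, "links": {1: "s1", 2: "s3"}},
    {"switch": "s3", "hosts": {3: "00:11:22:00:00:02"}, "links": {1: "s2", 2: "s1"}},
]

if __name__ == "__main__":
    for server, entries in run_workflow(SAPS, DASS, REPORTS).items():
        print(server)
        for e in entries:
            print("  ", e)
```

The point to notice is that no flow entry exists until C1 has matched a publisher against a subscriber by name: a switch with no entry for a given source/destination pair has nothing to forward, which is how the path is "formulated before data is sent into the network". In the sample, the direct s1 to s3 link wins over the two-hop route through s2.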
To address the defect of the IEC61850 standard, a software-defined multicast mechanism is set up in which the switches execute a content matching module, reducing the forwarding strategy selection time for each packet.
The software-defined multicast mechanism is shown in Fig. 1. The content matching module maintains a name matching domain, which is the key step for correctly carrying out data transmission between a subject and an object. In the matching domain, the destination MAC address of the subscribed service data is determined in advance.
A system using the method of the invention mainly comprises a control layer and a data layer. The control layer performs the monitoring, control and matching operations, and maintains the interest-decision table and the propagation path selection module; each module in the control layer is independent, and the modules can work cooperatively when deployed in a distributed manner. The data layer mainly comprises the source/target intelligent electronic devices, the network execution units (switches) and the content cache. The source/target intelligent electronic devices are responsible for the real-time protection of the grid infrastructure and are the key nodes where all kinds of data converge and are processed; the source/target IEDs play a highly important role in the intelligent substation. An exposed intelligent electronic device is likely to become an ideal target for an attacker. The smart grid threat propagation defence method based on software-defined multicast supports flow control oriented to ACSI services, which has an obvious inhibitory effect on threat diffusion. The higher-level intelligent electronic device determines which services need to be named, and the data that has been named can be associated with others.
The pending interest management unit collects the NDOs in each IED. The names in the NDOs are sent by interest packets. These NDOs are mapped into a unified table so that they can be flexibly retrieved by MAC address.
Content forwarding and caching are the two most basic functions that every network execution unit must include. Forwarding functions such as routing path selection are pulled out of the dispersed and complex data layer, and the software-defined multicast mechanism supports centralized management of route selection. Unlike existing transmission structures, the forwarding path is formulated before the data is sent into the network, and data is transmitted only while the link is in the connected state.
The name matching domain is the key step for correctly carrying out data transmission between a subject and an object. In the name matching domain, the destination MAC address of the subscribed service data is determined in advance, and the publish/subscribe pattern is used.
Routing path selection is a basic function of every network application. It must first build a virtual topology of the whole network. After it receives the set of source MAC addresses and the set of destination MAC addresses, it computes the optimal routed path from the source MAC to the destination MAC. Different servers may have differing requirements on link state. The smart grid threat propagation defence method based on software-defined multicast can automatically and reasonably classify the forwardable data and network resources.
There are at least 10 different kinds of data flows in the smart grid threat propagation defence method based on software-defined multicast.
Table 1: Data objects and data flows
Source NDOs and destination NDOs must publish their topic and agent to the PITM through interest packets. The content of an interest packet includes the name of the server. Interest packets are transmitted by multicast. The PITM records the MAC address of each NDO and sends these MAC addresses to the matching domain for name matching. When the named server is matched, the MAC addresses are sent to the routing path selection unit for path computation. The monitoring and control unit sends real-time network state information to the routing path selection unit for reference during path selection. After the selected path receives this state information, an ACK signal is sent to the source NDOs to confirm that the optimal path has been chosen. When no flow table is available for data forwarding, the first packet is sent to the monitoring and control unit. In particular, within this monitoring and control unit, the header of the transmitted packet and the service name predicted from the data must be consistent.
Fig. 3 describes the workflow of the grid threat defence method based on software-defined multicast. The SAP is the interest packet published by the source NDOs to the controller of the method; the DAS is the interest packet published by the destination NDOs to the controller of the method. In the SAP and DAS, the ACSI services in the source NDOs are each abstractly named. SAP and DAS are independent of location; they rely on the publish/subscribe communication pattern. C1 performs the content awareness and service name matching functions and consists of the PITM unit and the matching domain. After C1 receives the SAP and DAS packets it begins to extract the server name, Ts/Td and MAC address. C1 matches the server names from the DAS and SAP and then sends them to C2, which is responsible for monitoring and controlling the network. After C2 learns that the service data can be sent from S, the data flow is introduced into the network.
Table 2: Symbols and their explanations
The grid threat defence method based on software-defined multicast is based on the OpenFlow protocol. When a packet reaches a network node for the first time, it is sent to the controller of the method for authentication and path selection. C2 extracts the Ethernet parameters and service name information from the data flow, and every network element sends its state to C2. C2 builds a logical topology graph between the logical nodes and a virtual architecture of the physical network facilities. The destination MAC address is selected according to the ACSI server, and the forwarding path is computed through the virtual topology. Forwarding operations are separated by the flow table. In particular, throughout the process the server name is extracted from EnetPters. Tampered data is dropped, and the intelligent electronic device that sent the tampered data is isolated in real time.
The present invention simulates 20 intelligent electronic devices, each with 10 logical nodes. The performance of the grid threat defence method based on software-defined multicast is measured by comparing the attack spread speed under different propagation modes. Multicast transmission is usually used in a point-to-point IEC61850 network. The experiment first simulates, in the method, the diffusion speed of a network threat under unicast. The simulation results obtained for the different information transmission modes are shown in Fig. 4.
In the present invention, 4-to-multicast transmission is used to explain the differences between the transmission modes. 4-to-multicast transmission has the same effect as broadcast within a VLAN, and 1-to-multicast transmission is the same as unicast. Under unicast a threat needs more time to spread, whereas under broadcast it takes less time, which may drive network traffic to its peak. In fact, 3-to-multicast and 2-to-multicast transmission are the two most common communication modes. However, a VLAN has a fixed number of intelligent electronic devices and lacks the scalability and flexibility to adapt to more intelligent substations. The grid threat defence method based on software-defined multicast additionally provides three feasible communication modes. The similarity of these curves demonstrates the feasibility of this structure.
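To make the comparison between transmission modes concrete, here is an added simulation, constructed for this page and not the patent's simulator, of how many rounds a threat needs to reach all 20 IEDs when each compromised IED multicasts to a group of 1 to 4 peers (1 behaving like unicast, 4 like VLAN broadcast), with and without the controller capping the flows it admits through a device's port. The ring arrangement of the multicast groups and the per-round model are assumptions; the patent's Fig. 4 curves come from its own simulation.

```python
def multicast_group(i, n, fanout):
    """Constructed topology: IED i publishes to the next `fanout` IEDs on a ring of n devices."""
    return [(i + j) % n for j in range(1, fanout + 1)]


def spread_rounds(n, fanout, port_limit=None, seed=0):
    """Number of rounds until every IED has received the threat, or None if it
    stops spreading. In each round every compromised IED forwards to its whole
    multicast group; `port_limit` models the controller capping how many of those
    flows it admits through the device's port per round (the port traffic limit
    described for the data transmission equipment)."""
    compromised = {seed}
    rounds = 0
    while len(compromised) < n:
        reached = set()
        for i in compromised:
            targets = multicast_group(i, n, fanout)
            if port_limit is not None:
                targets = targets[:port_limit]
            reached.update(targets)
        if reached <= compromised:      # nothing new reached: propagation contained
            return None
        compromised |= reached
        rounds += 1
    return rounds


def compare_modes(n=20, fanouts=(1, 2, 3, 4), port_limit=1):
    """Rounds to full compromise for each fan-out, unlimited versus port-limited."""
    return {k: (spread_rounds(n, k), spread_rounds(n, k, port_limit)) for k in fanouts}


if __name__ == "__main__":
    print("fan-out  unlimited  port_limit=1")
    for k, (free, limited) in compare_modes().items():
        print(f"{k:>7}  {free:>9}  {limited:>12}")
```

With no limit the rounds to full compromise fall from 19 (fan-out 1) to 5 (fan-out 4), which is the "multicast makes threats spread faster" observation behind Fig. 4; with the controller admitting one flow per port per round every mode collapses back to the unicast figure of 19, and a limit of zero contains the threat at the first device. A real controller would apply the limit only to flows that failed authentication, as Step 2.3 describes, rather than to all traffic.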
Fig. 5(a) to Fig. 5(d) describe the performance difference between the IEC61850 in common use today and the grid threat propagation method based on software-defined multicast. They show that the software-defined multicast grid threat propagation method can slow the diffusion speed of a threat during communication. The circle-marked curve eventually stabilizes and saturates because of limited network resources, while the curve of the software-defined multicast method stays below the blue curve throughout, showing that the software-defined multicast method does indeed suppress threat propagation better.
Fig. 6(a) to Fig. 6(c) describe the performance of the grid threat propagation method based on software-defined multicast under different propagation modes. The figures show that the content-aware software-defined multicast transmission threat defence structure has an effective inhibitory effect on threat propagation under each propagation mode.
In summary, while taking into account secure information transmission and access in the smart grid, the present invention reduces the diffusion speed of threat information and can effectively protect the grid structure.
Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to the particular embodiments described; those skilled in the art can make various changes or modifications within the scope of the claims without affecting the substance of the invention. Where there is no conflict, the embodiments of the application and the features within the embodiments can be combined with one another arbitrarily.
Claims (6)
1. a kind of intelligent grid threat propagation defence method based on software definition multicast, it is characterised in that comprise the following steps:
Step 1:Software definition multicast system is set up, the software definition multicast system includes:Centralization key-course and data
Layer;The centralization key-course is used to perform status monitoring, operational control, name matching, the maintenance of interest judgement table and propagates
Path selection;The data Layer is used to perform data forwarding and content caching;And run in the software definition multicast system
There are various data flows;
Step 2:Naming rule according to regulation is matched after being named to the data of intelligent electronic device to service name,
And data content is perceived and feature extraction;By the centralization key-course in the system of software definition multicast to extracting
Data content be authenticated, successfully passing the data flow corresponding to the data content of certification can be forwarded, and be recognized not successfully
Data flow corresponding to the data content of card is by limitation forwarding.
2. the intelligent grid threat propagation defence method based on software definition multicast according to claim 1, its feature exists
In, in the intelligent electronic device in the step 2 comprising at least one numerical nomenclature act on behalf of, it is described name agency in include to
A few numerical nomenclature module, for being named to data.
3. The smart grid threat propagation defence method based on software-defined multicast according to claim 1, characterized in that the centralized control layer in step 2 comprises at least one controller, and the data layer comprises multiple intelligent electronic devices and data transmission equipment; the data transmission equipment comprises switches;
Specifically, an intelligent electronic device aperiodically shares its local monitoring data with its peer intelligent electronic devices through the data transmission equipment; the data transmission equipment is controlled by the controller, which performs real-time status information updates and network topology information updates for the data transmission equipment; and the controller can also limit the amount of data traffic flowing through each port of the data transmission equipment.
4. The smart grid threat propagation defence method based on software-defined multicast according to claim 3, characterized in that the controller comprises a data naming matching agent, an authentication agent and a treatment agent; the data naming matching agent matches data according to the naming rule; the authentication agent determines whether a security threat exists; and the treatment agent restricts the corresponding data flow according to the threat decision result.
5. The smart grid threat propagation defence method based on software-defined multicast according to any one of claims 1 to 4, characterized in that step 2 comprises:
Step 2.1: Data is forwarded to the controller after it is sent into the network for the first time; the controller performs data content perception and feature extraction according to the prescribed naming rule, and the packets that are matched are stored in an untreated name management unit;
Step 2.2: The matching agent sends the extracted features to the authentication agent; the security service module of the authentication agent discriminates the data features, determines whether security threat behaviour is present, and produces the corresponding authentication result;
Step 2.3: The authentication agent sends the authentication result to the treatment agent, and the treatment agent restricts the data flow corresponding to data content that is not authenticated.
6. The smart grid threat propagation defence method based on software-defined multicast according to claim 4, characterized in that the data exchange among the agents of the controller involves at least one data sharing module, and the data sharing module is realized on a publish/subscribe pattern; specifically, each agent publishes its result into a public domain space, and every agent that has subscribed to that result can obtain the processing results of the other agents from the public domain space.
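The claim 5 pipeline (naming match, authentication, treatment) with the agents exchanging results over the publish/subscribe space of claim 6, as an added Python example that is not part of the patent; the naming rule, the HMAC-based content check, the shared key and the handling of unnamed data are assumptions, since the claims do not specify them.

```python
import hashlib, hmac, re
from collections import defaultdict

# Naming rule assumed for this example (the patent prescribes one but does not
# state it): hierarchical service names such as "/grid/sub01/ied07/measurement".
NAME_RULE = re.compile(r"^/grid/(?P<substation>\w+)/(?P<ied>\w+)/(?P<service>\w+)$")

class SharedSpace:
    # Public domain space the agents exchange results through (publish/subscribe, claim 6).
    def __init__(self):
        self._subs = defaultdict(list)
    def subscribe(self, topic, handler):
        self._subs[topic].append(handler)
    def publish(self, topic, msg):
        for handler in self._subs[topic]:
            handler(msg)

class Controller:
    # Naming-match, authentication and treatment agents of claims 4 and 5.
    def __init__(self, key):
        self.key = key            # assumed: key shared by the IEDs and the controller
        self.space = SharedSpace()
        self.pending = {}         # the "untreated name management unit" of step 2.1
        self.decisions = {}       # per-name decision of the treatment agent
        self.space.subscribe("features", self.authenticate)
        self.space.subscribe("auth", self.treat)
    def match(self, pkt):         # step 2.1: naming-match agent
        m = NAME_RULE.match(pkt["name"])
        if m is None:             # assumption: data matching no service name is limited
            self.decisions[pkt["name"]] = "limit"
            return
        feats = dict(m.groupdict(), name=pkt["name"], payload=pkt["payload"], tag=pkt["tag"])
        self.pending[pkt["name"]] = feats
        self.space.publish("features", feats)
    def authenticate(self, feats):  # step 2.2: authentication agent
        # Assumed check (the patent's "security service module" is unspecified):
        # the content must carry a valid HMAC over its name and payload.
        expected = hmac.new(self.key, feats["name"].encode() + feats["payload"], hashlib.sha256).hexdigest()
        self.space.publish("auth", {"name": feats["name"], "ok": hmac.compare_digest(expected, feats["tag"])})
    def treat(self, result):      # step 2.3: treatment agent
        self.pending.pop(result["name"], None)
        self.decisions[result["name"]] = "forward" if result["ok"] else "limit"

def make_packet(key, name, payload, tamper=False):
    # Constructed IED packet; tamper=True alters the content after it was tagged.
    tag = hmac.new(key, name.encode() + payload, hashlib.sha256).hexdigest()
    return {"name": name, "payload": payload + (b"!" if tamper else b""), "tag": tag}

def demo():
    key = b"constructed-demo-key"
    ctl = Controller(key)
    ctl.match(make_packet(key, "/grid/sub01/ied07/measurement", b"V=230.1"))
    ctl.match(make_packet(key, "/grid/sub01/ied08/status", b"breaker=open", tamper=True))
    ctl.match({"name": "unnamed-data", "payload": b"x", "tag": ""})
    return ctl
```

Running demo() forwards only the untampered, correctly named measurement; the tampered status report and the unnamed data end up limited, and the pending unit is empty once the treatment agent has acted.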
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611220741.6A CN106790111B (en) | 2016-12-26 | 2016-12-26 | Smart power grid threat propagation defense method based on software defined multicast |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611220741.6A CN106790111B (en) | 2016-12-26 | 2016-12-26 | Smart power grid threat propagation defense method based on software defined multicast |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106790111A true CN106790111A (en) | 2017-05-31 |
CN106790111B CN106790111B (en) | 2020-07-28 |
Family
ID=58924725
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611220741.6A Active CN106790111B (en) | 2016-12-26 | 2016-12-26 | Smart power grid threat propagation defense method based on software defined multicast |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106790111B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104063442A (en) * | 2014-06-13 | 2014-09-24 | 中国科学院计算技术研究所 | Service processing method and system of information center network |
CN104601557A (en) * | 2014-12-29 | 2015-05-06 | 广东顺德中山大学卡内基梅隆大学国际联合研究院 | Method and system for defending malicious websites based on software-defined network |
CN106211136A (en) * | 2016-08-31 | 2016-12-07 | 上海交通大学 | Secure communication mechanism based on name in a kind of intelligent grid |
Non-Patent Citations (1)
Title |
---|
许世文: "基于SDN的信息中心网络的技术研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
Also Published As
Publication number | Publication date |
---|---|
CN106790111B (en) | 2020-07-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Yu et al. | An efficient SDN-based DDoS attack detection and rapid response platform in vehicular networks | |
Nguyen et al. | Search: A collaborative and intelligent nids architecture for sdn-based cloud iot networks | |
Tan et al. | A new framework for DDoS attack detection and defense in SDN environment | |
Qureshi et al. | Anomaly detection and trust authority in artificial intelligence and cloud computing | |
Liu et al. | FL-GUARD: A detection and defense system for DDoS attack in SDN | |
CN110224990A (en) | A kind of intruding detection system based on software definition security architecture | |
CN104618377B (en) | Botnet detecting system and detection method based on NetFlow | |
CN105791047B (en) | A kind of control method of security video private network Network Management System | |
CN107659543A (en) | The means of defence of facing cloud platform APT attacks | |
Alimohammadifar et al. | Stealthy probing-based verification (SPV): An active approach to defending software defined networks against topology poisoning attacks | |
CN104580222A (en) | DDoS attack distributed detection and response system and method based on information entropy | |
Bohara et al. | Ed4gap: Efficient detection for goose-based poisoning attacks on iec 61850 substations | |
CN107623663A (en) | Handle the method and device of network traffics | |
Kuo et al. | SFaaS: Keeping an eye on IoT fusion environment with security fusion as a service | |
CN104144166B (en) | Towards the security management and control method for establishing model of restructural service load bearing network | |
Kanade et al. | Analysis of wireless network security in internet of things and its applications | |
Geng et al. | A software defined networking-oriented security scheme for vehicle networks | |
Arya et al. | Detection of malicious node in vanets using digital twin | |
CN111476656B (en) | Transaction safety identification method based on block chain | |
CN106790111A (en) | Intelligent grid threat propagation defence method based on software definition multicast | |
Jeet et al. | A survey on interest packet flooding attacks and its countermeasures in named data networking | |
Rathee et al. | Handoff security using artificial neural networks in cognitive radio networks | |
Zhan et al. | Adaptive detection method for Packet-In message injection attack in SDN | |
CN109195160A (en) | Network equipment resource detects the anti-tamper storage system and its control method of information | |
Olakanmi et al. | Throttle: An efficient approach to mitigate distributed denial of service attacks on software‐defined networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||