CN106790111B - Smart power grid threat propagation defense method based on software defined multicast - Google Patents

Publication number
CN106790111B
Authority
CN
China
Prior art keywords
data
controller
naming
intelligent electronic
software
Legal status
Active
Application number
CN201611220741.6A
Other languages
Chinese (zh)
Other versions
CN106790111A
Inventor
伍军
李高磊
张宇韬
何珊
李建华
叶天鹏
陈璐艺
李高勇
Current Assignee
Shanghai Heyou Information Technology Co ltd
Shanghai Pengyue Jinghong Information Technology Development Co ltd
Shanghai Jiaotong University
Original Assignee
Shanghai Heyou Information Technology Co ltd
Shanghai Pengyue Jinghong Information Technology Development Co ltd
Shanghai Jiaotong University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a software-defined multicast-based smart grid threat propagation defense method comprising the following steps. Step 1: establishing a software defined multicast system, wherein the software defined multicast system comprises a centralized control layer and a data layer. Step 2: naming the data of the advanced intelligent electronic equipment according to a specified naming rule, matching service names, and sensing and extracting characteristics of the data contents; the extracted data content is authenticated by the centralized control layer of the software defined multicast system, the data stream corresponding to data content that passes authentication can be forwarded, and the data stream corresponding to data content that fails authentication is restricted from being forwarded. The present invention comprises a specific central controller that is capable of monitoring and controlling the state of the intelligent electronic devices. Aiming at the defects of the IEC61850 standard, the software defined multicast mechanism lets a switch execute a content matching module, and the forwarding strategy selection time is reduced for each data packet.

Description

Smart power grid threat propagation defense method based on software defined multicast
Technical Field
The invention relates to the technical field of smart power grids, in particular to a smart power grid threat propagation defense method based on software defined multicast.
Background
In the substations of smart grids, Intelligent Electronic Devices (IEDs) were originally designed to implement Real-time Protection, Control and Data Acquisition (RPCDA). To improve the effectiveness of mutual communication and cooperation between IEDs, the industry established the IEC61850 standard (the only globally universal standard in the field of power system automation), which specifies the data model and the communication format for intelligent substations. The IEC61850 standard successfully realizes multicast transmission among multiple IEDs, so the communication efficiency between the IEDs of smart grid substations is remarkably improved. But this new standard hides significant security issues: because of this form of multicast transmission, the loss caused by a network security attack grows exponentially.
The sources of network security threats to an intelligent substation can be roughly divided into two types: cyberspace security and physical facility security. The two are closely related. For physical facility security, the major threats are hardware ageing, operating errors and natural disasters. To reduce the impact of physical facility security problems, a large number of IEDs are deployed in the scattered substations to effectively detect and control the state of the various instruments and meters in the smart grid. In terms of cyberspace security, data confidentiality, integrity and availability depend closely on the real-time performance of the communication system, such as network delay, network congestion and packet loss. Faulty operation may also interrupt service and even cause a series of safety accidents that endanger the safe and stable operation of the smart grid.
In recent years, with the rapid increase in the number of network attacks on smart grids, more and more attention has been paid to defending smart grids against security threats. Multicast transmission can spread a security threat rapidly, so any network security attack in a multicast communication system can be fatal. Although Virtual Local Area Network (VLAN) technology can reduce the propagation domain of a network security threat to a certain extent, multicast transmission based on MAC (Medium Access Control) addresses is usually static and independent of the data content, so existing means have difficulty detecting and preventing such attacks.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a smart grid threat propagation defense method based on software defined multicast.
The smart grid threat propagation defense method based on the software defined multicast provided by the invention comprises the following steps:
step 1: establishing a software defined multicast system, wherein the software defined multicast system comprises: a centralized control layer and a data layer; the centralized control layer is used for executing state monitoring, operation control, naming matching, interest judgment table maintenance and propagation path selection; the data layer is used for executing data forwarding and content caching; and a plurality of data streams are run in the software defined multicast system;
step 2: naming the data of the intelligent electronic equipment according to a specified naming rule, matching service names, and sensing and extracting characteristics of the data contents; the extracted data content is authenticated by the centralized control layer of the software defined multicast system, the data stream corresponding to data content that passes authentication can be forwarded, and the data stream corresponding to data content that fails authentication is restricted from being forwarded.
Preferably, the intelligent electronic device in step 2 includes at least one data naming agent, and the naming agent includes at least one data naming module for naming data.
Preferably, the centralized control layer in step 2 includes at least one controller, and the data layer includes a plurality of intelligent electronic devices and data transmission devices; the data transmission apparatus includes: a switch;
Specifically, a given intelligent electronic device occasionally shares local monitoring data with other advanced intelligent electronic devices through a data transmission device; the data transmission device is controlled by a controller, and the controller can update the real-time state information and network topology information of the data transmission device; the controller can also limit the data flow passing through each port of the data transmission equipment.
Preferably, the controller comprises a data-named matching agent, an authentication agent and a processing agent; the data naming matching agent is used for matching data according to naming rules; the authentication agent is used for identifying whether security threats exist in the data according to the matched characteristics; the processing agent is used for limiting corresponding data flow according to the threat judgment result.
Preferably, the step 2 includes:
step 2.1: when data is transmitted to the network for the first time it is passed to the controller; the controller performs data content perception and feature extraction according to the specified naming rule, and data packets that do not match the naming rule are stored in an unprocessed naming management unit;
step 2.2: the features extracted by the matching agent are sent to the authentication agent; the security service module of the authentication agent identifies the data features, judges whether a security threat behaviour exists and produces the corresponding authentication result;
step 2.3: the authentication agent sends the authentication result to the processing agent, and the processing agent limits the data flow corresponding to the data content that failed authentication.
Preferably, the data exchange process between the agents of the controller at least comprises a data sharing module, and the data sharing module is realized based on a publish/subscribe mode; specifically, each agent publishes the processing result to a public domain space, and all agents subscribing to the processing result can acquire the processing results of other agents from the public domain space.
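To make steps 2.1 to 2.3 and the publish/subscribe data sharing between the agents concrete, here is an added example that is not part of the patent: a naming-matching agent, an authentication agent and a processing agent exchange their results through a public domain space, and a first-seen packet is handed to the controller for a forward/restrict decision. The naming rule (`IEDnn/Service`), the extracted features (name, payload length, source MAC) and the threat criterion used by the security service (service not subscribed, or payload length outside the declared range) are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed naming rule for this example: "<IED id>/<ACSI service name>".
NAME_RULE = re.compile(r"^(?P<ied>IED\d{2})/(?P<service>[A-Za-z]+)$")


class PublicDomain:
    """Publish/subscribe space: each agent publishes its result to a topic and
    every agent subscribed to that topic receives it."""

    def __init__(self):
        self._subscribers = defaultdict(list)

    def subscribe(self, topic, handler):
        self._subscribers[topic].append(handler)

    def publish(self, topic, result):
        for handler in list(self._subscribers[topic]):
            handler(result)


@dataclass(frozen=True)
class Packet:
    name: str       # data name assigned by the IED's naming agent
    src_mac: str
    payload: bytes


class Controller:
    def __init__(self, subscribed_services):
        # subscribed service name -> (min, max) expected payload length (assumed criterion)
        self.subscribed = subscribed_services
        self.bus = PublicDomain()
        self.unprocessed = []        # "unprocessed naming management unit" (step 2.1)
        self.restricted = set()      # (src_mac, name) flows limited by the processing agent
        self.decisions = {}          # (src_mac, name) -> authenticated?
        self.bus.subscribe("features", self.authentication_agent)
        self.bus.subscribe("verdict", self.processing_agent)

    def matching_agent(self, pkt):
        """Step 2.1: match the data name against the naming rule and extract features."""
        m = NAME_RULE.match(pkt.name)
        if m is None:
            self.unprocessed.append(pkt)   # no match: parked, never forwarded
            return
        features = {"name": pkt.name, "service": m.group("service"),
                    "length": len(pkt.payload), "src_mac": pkt.src_mac}
        self.bus.publish("features", features)

    def authentication_agent(self, features):
        """Step 2.2: the security service judges whether the features indicate a threat."""
        bounds = self.subscribed.get(features["name"])
        ok = bounds is not None and bounds[0] <= features["length"] <= bounds[1]
        self.bus.publish("verdict", {**features, "authenticated": ok})

    def processing_agent(self, verdict):
        """Step 2.3: limit the data flow whose content failed authentication."""
        key = (verdict["src_mac"], verdict["name"])
        self.decisions[key] = verdict["authenticated"]
        if verdict["authenticated"]:
            self.restricted.discard(key)
        else:
            self.restricted.add(key)

    def first_packet(self, pkt):
        """Entry point: a packet seen for the first time is handed to the controller.
        Returns True when the flow may be forwarded."""
        self.matching_agent(pkt)
        return self.forward_allowed(pkt)

    def forward_allowed(self, pkt):
        return self.decisions.get((pkt.src_mac, pkt.name), False)


def run_demo():
    """Constructed sample traffic: one well-formed flow, one oversized flow,
    one unsubscribed service name and one name violating the naming rule."""
    ctrl = Controller({"IED07/Protection": (32, 256), "IED12/Metering": (16, 64)})
    ok = Packet("IED07/Protection", "00:1a:2b:00:00:07", bytes(64))
    oversized = Packet("IED12/Metering", "00:1a:2b:00:00:12", bytes(4096))
    unknown = Packet("IED03/Control", "00:1a:2b:00:00:03", bytes(40))
    malformed = Packet("ied-7 protection", "00:1a:2b:00:00:99", bytes(40))
    results = {p.name: ctrl.first_packet(p) for p in (ok, oversized, unknown, malformed)}
    return ctrl, results
```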
Compared with the prior art, the invention has the following beneficial effects:
the software-defined multicast-based smart grid threat propagation defense method provided by the invention can effectively inhibit the rate at which threat attacks spread through the whole network domain by multicast transmission. In addition, the method comprises a specific central controller that can monitor and control the state of the intelligent electronic equipment. Aiming at the defects of the IEC61850 standard, the software defined multicast mechanism lets a switch execute a content matching module, and the forwarding strategy selection time is reduced for each data packet.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a schematic diagram of a software defined multicast mechanism in the present invention;
FIGS. 2(a) and 2(b) are schematic diagrams of an intelligent electronic device data model and a communication model, respectively;
FIG. 3 is a sequence diagram of the operation of the software defined multicast in the present invention;
FIG. 4 is a schematic diagram of propagation characteristics of different multicast modes;
fig. 5(a) to 5(d) are schematic diagrams illustrating performance comparison of four IEC61850 communication and software defined multicast mechanisms, respectively;
fig. 6(a) to 6(c) are schematic diagrams comparing the transmission delay reduction of three types of software-defined multicast.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that various changes and modifications can obviously be made by those skilled in the art without departing from the spirit of the invention; all such changes fall within the scope of the present invention.
The software-defined multicast-based smart grid threat propagation defense method generally comprises a centralized control layer and a data layer, as shown in fig. 1. State monitoring, operation control, naming matching, interest judgment table maintenance and propagation path selection are executed in the centralized control layer, while data forwarding and content caching are executed in the data layer. The centralized control layer comprises at least one controller, and each controller comprises five parts: an unprocessed interest management unit, a naming matching domain, network resource management, network applications and a security service. In the implementation the logical controllers are denoted C1 and C2 according to their different functions; in practice C1 and C2 can be implemented on one physical controller.
The unprocessed interest management unit is used to gather the NDOs in each IED. The names in the NDOs are sent by interest packets. These NDOs are mapped into a unified table keyed by MAC address for flexible invocation.
The naming matching domain is an important link for correctly transmitting data between a subject and an object. In the matching field, a destination MAC address of the subscribed service data is predetermined. In the matching domain, a publish/subscribe pattern is used.
Routing path selection in network resource management is a fundamental function of each network application. Routing path selection must first establish a network-wide virtual topology. When it accepts the source MAC address set and the destination MAC address set, it will compute the optimal routing path from the source MAC to the destination MAC. The link status requirements may vary from server to server.
The security service is the basis on which the software-defined multicast-based smart grid threat propagation defense method can automatically and reasonably divide the data to be forwarded and the network resources; the authentication agent calls the specific security measures of the security service module to authenticate the data characteristics.
The method and the system aim to solve the problem of threat propagation in the smart grid and thereby reduce the threat propagation rate in the whole network. The invention allows the multicast mechanism, which was previously configured statically, to be defined by software and managed and configured centrally, so that multicast data carrying security threats can be flexibly identified and limited. According to simulation, the method effectively reduces the propagation rate of security threats in the smart grid, thereby enhancing the security of the smart grid.
The smart grid threat propagation defense method based on the software defined multicast provided by the invention comprises the following steps:
step 1: naming the ACSI services to be issued by the source/destination intelligent electronic devices;
step 2: issuing an SAP (service access point) package to the controller based on the software-defined multicast mechanism, wherein the SAP package is an interest package issued by the source intelligent electronic device to the controller of the software-defined multicast-based power grid threat defense method;
step 3: deriving the server name, Ts/Td and MAC address from the SAP and the DAS respectively; the DAS is an interest package issued by the destination intelligent electronic device to the controller of the software-defined multicast-based power grid threat defense method;
step 4: matching the SAP server name and the DAS server name in controller C1, and, if they match, marking the matched SAP and DAS as SAP' and DAS'; controller C1 refers to the first module of the controller in the software-defined multicast-based power grid threat propagation defense method;
step 5: selecting the source MAC address and the destination MAC address from SAP' and DAS' respectively and re-marking them as DMAC' and SMAC';
step 6: sending DMAC' and SMAC' to controller C2, wherein controller C2 refers to the second module of the controller in the software-defined multicast-based power grid threat propagation defense method;
step 7: controller C2 notifies the source intelligent electronic device to send the DMAC'/SMAC' service data;
step 8: the source intelligent electronic device sends the data stream to the network;
step 9: the network element accepts the data stream from the source intelligent electronic device;
step 10: the network element reports the network state to controller C2 through customized OpenFlow;
step 11: controller C2 selects the network type and service name information from the network data stream;
step 12: controller C2 establishes a logical topology and a virtual topology for the logical service;
step 13: controller C2 detects and controls the status of all network elements;
step 14: controller C2 matches the Ethernet parameters of the SMAC' and DMAC' tagged network types;
step 15: controller C2 formulates a flow table for data forwarding from the data forwarding rules;
step 16: controller C2 distributes the flow table to each element;
step 17: the service is forwarded from the source intelligent electronic device to the destination intelligent electronic device.
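The 17-step workflow above, as an added simulation that is not the patent's own code: C1 matches SAP and DAS interest packages by server name and yields the (SMAC', DMAC') pairs, one per subscriber so that a single publisher reaches several destinations; C2 keeps a virtual topology, records the state each element reports, selects the path and distributes one flow-table entry per switch on it; a switch with no matching entry returns nothing, which is the case where the first packet goes to the controller. The topology, port numbers, MAC addresses and the breadth-first path selection are assumptions made here; the patent does not specify its routing algorithm.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Interest:
    """Interest package published to the controller: server name, Ts (SAP) or Td (DAS), MAC."""
    server: str
    t: float
    mac: str


class C1:
    """First controller module: content awareness and service name matching (steps 2-5)."""

    def __init__(self):
        self.sap = {}                   # server name -> SAP interest (from the source IED)
        self.das = defaultdict(list)    # server name -> DAS interests (from destination IEDs)

    def publish(self, kind, pkt):
        if kind == "SAP":
            self.sap[pkt.server] = pkt
        else:
            self.das[pkt.server].append(pkt)

    def match(self):
        """Steps 4-5: pair SAP and DAS by server name; return (server, SMAC', DMAC') triples."""
        pairs = []
        for server, sap in self.sap.items():
            for das in self.das.get(server, []):
                pairs.append((server, sap.mac, das.mac))
        return pairs


class C2:
    """Second controller module: state monitoring, virtual topology, path selection
    and flow table distribution (steps 6-16)."""

    def __init__(self, links, host_ports):
        # links: (switch_a, port_a, switch_b, port_b); host_ports: MAC -> (switch, port)
        self.ports = defaultdict(dict)              # switch -> neighbour switch -> output port
        for a, pa, b, pb in links:
            self.ports[a][b] = pa
            self.ports[b][a] = pb
        self.host_ports = host_ports
        self.state = {sw: "up" for sw in self.ports}   # steps 10/13: reported element state
        self.flow_tables = defaultdict(dict)        # switch -> (SMAC', DMAC') -> output port

    def report_state(self, switch, state):
        self.state[switch] = state

    def select_path(self, src_sw, dst_sw):
        """Breadth-first shortest path over switches currently reported up (assumed algorithm)."""
        if self.state.get(src_sw) != "up":
            return None
        prev = {src_sw: None}
        queue = deque([src_sw])
        while queue:
            sw = queue.popleft()
            if sw == dst_sw:
                path = []
                while sw is not None:
                    path.append(sw)
                    sw = prev[sw]
                return path[::-1]
            for nxt in self.ports[sw]:
                if nxt not in prev and self.state.get(nxt) == "up":
                    prev[nxt] = sw
                    queue.append(nxt)
        return None

    def install(self, smac, dmac):
        """Steps 14-16: compute the path and distribute one flow entry per switch on it.
        Returns False when no connected path exists (data is then not transmitted)."""
        src_sw, _ = self.host_ports[smac]
        dst_sw, dst_port = self.host_ports[dmac]
        path = self.select_path(src_sw, dst_sw)
        if path is None:
            return False
        for i, sw in enumerate(path):
            out = dst_port if i == len(path) - 1 else self.ports[sw][path[i + 1]]
            self.flow_tables[sw][(smac, dmac)] = out
        return True

    def lookup(self, switch, smac, dmac):
        """Data-plane lookup: output port, or None when no entry exists
        (the first packet of such a flow is sent to the controller)."""
        return self.flow_tables[switch].get((smac, dmac))


def run_workflow():
    """Constructed scenario: IED-A publishes 'Protection'; IED-B and IED-C subscribe to it;
    IED-C also subscribes to 'Metering', which nobody publishes."""
    A, B, C = "00:1a:2b:00:00:0a", "00:1a:2b:00:00:0b", "00:1a:2b:00:00:0c"
    c1 = C1()
    c1.publish("SAP", Interest("Protection", 1.0, A))
    c1.publish("DAS", Interest("Protection", 1.2, B))
    c1.publish("DAS", Interest("Protection", 1.3, C))
    c1.publish("DAS", Interest("Metering", 1.4, C))
    c2 = C2(links=[("s1", 2, "s2", 1), ("s2", 3, "s3", 2)],
            host_ports={A: ("s1", 1), B: ("s3", 1), C: ("s2", 2)})
    installed = {pair: c2.install(pair[1], pair[2]) for pair in c1.match()}
    return c1, c2, installed
```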
Aiming at the defects of the IEC61850 standard, a software defined multicast mechanism is arranged, so that the switch executes a content matching module, and the selection time of a forwarding strategy is reduced for each data packet.
The software-defined multicast mechanism is shown in fig. 1, and the content matching module maintains a naming matching field, which is an important link for correctly transmitting data between a subject and an object. In the matching field, a destination MAC address of the subscribed service data is predetermined.
The system applying the method of the invention mainly comprises a control layer and a data layer. The control layer executes the monitoring, control and matching operations and maintains the interest judgment table and the propagation path selection module; each module in the control layer is independent, and they can operate in concert in a distributed deployment. The data layer mainly comprises the source/destination intelligent electronic devices, the network execution units (switches) and the content caches. The source/destination intelligent electronic devices are responsible for real-time protection of the power grid infrastructure and are the key nodes that gather and process various data. As source/destination devices, IEDs play a very important role in intelligent substations. An unprotected intelligent electronic device can easily become an ideal target for an attacker; the software-defined multicast-based smart grid threat propagation defense method supports flow control for ACSI services and has an obvious inhibiting effect on threat diffusion. The advanced intelligent electronic devices decide which services need to be named and which named data can be associated with others.
The unprocessed interest management unit gathers the NDOs in each IED. The names in the NDOs are sent by interest packets. These NDOs are mapped into a unified table keyed by MAC address for flexible invocation.
Content forwarding and caching are the two most basic functions that every network execution unit must include. Forwarding functions such as routing path selection are abstracted out of the distributed, complex data layer, and the software-defined multicast mechanism supports centralized management of routing. Unlike the existing transmission structure, the forwarding path is already established before data is transmitted to the network, and data is transmitted only when the links are in a connected state.
The naming matching domain is an important link for correctly transmitting data between a subject and an object. In the name matching field, the destination MAC address of the subscribed service data is predetermined. In the named matching domain, a publish/subscribe pattern is used.
Routing path selection is the fundamental function of each network application. Routing path selection must first establish a network-wide virtual topology. When it accepts the source MAC address set and the destination MAC address set, it will compute the optimal routing path from the source MAC to the destination MAC. The link status requirements may vary from server to server. The intelligent power grid threat propagation defense method based on software-defined multicast can automatically and reasonably divide data to be forwarded and network resources.
There are at least 10 different data flows in the software-defined multicast-based smart grid threat propagation defense method.
Table 1: data objects and data streams
Figure BDA0001192729560000061
Figure BDA0001192729560000071
Both source and destination NDOs must publish their topics and proxies to the PITM through interest packages. The content of the interest package contains the name of the server. The interest packets are transmitted by multicast communication. The PITM records the MAC addresses of each NDO and sends these MAC addresses to the matching domain for matching by name. When the named server is matched, the MAC address will be sent to the routing path selection unit for path computation. The monitoring and control unit sends network state information to the routing path selection element in real time for reference during path selection. When the selected path receives the status information, an ACK signal is sent to the source NDOs to confirm that the optimal path has been selected. When there is no flow table for data forwarding, the first packet will be sent to the monitoring and control unit. In particular, in this monitoring and control unit, the header of the transmission packet must be kept consistent with the name of the data preprocessing service.
Fig. 3 depicts the workflow of the software-defined multicast-based grid threat defense method. SAPs are the interest packages that source NDOs publish to the controller of the method, and DASs are the interest packages that destination NDOs publish to the controller. In SAP and DAS the ACSI services are abstractly named in the source and destination NDOs, respectively. SAP and DAS are location independent; they depend on the publish/subscribe communication mode. The content awareness and service name matching functions are represented by C1, which consists of the PITM element and the matching field. After C1 accepts the SAP and DAS packets, it starts extracting the server name, Ts/Td and MAC address. C1 matches the server name from DAS and SAP before sending it to C2, which is responsible for monitoring and controlling the network. After C2 learns from S that the service data can be sent, the data stream is passed into the network.
Table 2: symbols and associated interpretations
Figure BDA0001192729560000072
Figure BDA0001192729560000081
The software-defined multicast-based power grid threat defense method is based on the OpenFlow protocol. If a data packet arrives at a network node for the first time, it is sent to the controller of the method for authentication and routing. C2 can extract the Ethernet parameters and server name information from the data stream, and each network element sends its status to C2. C2 establishes a logical topology between the logical nodes and a virtual fabric over the physical network infrastructure. The destination MAC address is selected according to the ACSI server and the forwarding path is calculated on the virtual topology. Forwarding operations are separated by flow tables. In particular, the server name is extracted from the Ethernet parameters (EnetPters) throughout the process. Tampered data is discarded, and the intelligent electronic device that sent the tampered data is isolated in real time.
The invention simulates 20 intelligent electronic devices, each intelligent electronic device having 10 logical nodes. The working performance of the power grid threat defense method based on the software-defined multicast is measured by comparing the attack propagation speeds of different propagation modes. In a point-to-point IEC61850 network, multicast transmission is usually used. The experiment firstly simulates the diffusion speed of the network threat in single-point transmission in a power grid threat defense method based on software defined multicast. The simulation results obtained for different information transmission modes are shown in fig. 4.
In the present invention, 4-way multicast transmission is used to explain the differences between the transmission modes. 4-way multicast transmission has the same effect as broadcast in a VLAN, and 1-way multicast transmission has the same effect as unicast, where the threat takes more time to spread; less time is spent in broadcast, which may lead to a peak in network traffic.
Fig. 5(a) to 5(d) depict the performance differences between the IEC61850 communication now commonly used and the software-defined multicast-based grid threat propagation method. They show that the software-defined multicast method reduces the speed at which threats spread during communication. The curve marked with circles finally tends to saturate gently because of limited network resources, and the software-defined multicast curve always stays under the blue curve, which shows that software-defined multicast inhibits threat propagation better.
Fig. 6(a) to 6(c) describe the performance of the software-defined multicast-based grid threat propagation method under different propagation modes. It can be seen from the figures that the content-aware software-defined multicast threat prevention structure has an effective inhibiting effect on threat propagation in all of the propagation modes.
In conclusion, on the basis of considering information security transmission and access in the smart grid, the invention reduces the spreading speed of threat information and can effectively protect the grid structure.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (4)

1. A smart grid threat propagation defense method based on a software-defined multicast system, characterized in that the software-defined multicast system comprises: a centralized control layer and a data layer; the centralized control layer is used for executing state monitoring, operation control, naming matching, interest judgment table maintenance and propagation path selection; the data layer is used for executing data forwarding and content caching; and a plurality of data streams are run in the software defined multicast system;
naming the data of the intelligent electronic equipment according to a specified naming rule, matching service names, and sensing and extracting characteristics of data contents; authenticating the extracted data content through a centralized control layer in the software defined multicast system, wherein data streams corresponding to data contents successfully passing authentication can be forwarded, and data streams corresponding to data contents not successfully passing authentication are restricted from being forwarded;
the centralized control layer comprises at least one controller, and the data layer comprises a plurality of intelligent electronic devices and data transmission devices; the data transmission apparatus includes: a switch;
the method comprises the following steps that a certain intelligent electronic device irregularly shares local monitoring data with other intelligent electronic devices through data transmission equipment, the data transmission equipment is controlled through a controller, and the controller can update real-time state information and network topology structure information of the data transmission equipment; the controller can also limit the data flow passing through each port of the data transmission equipment;
the controller comprises a data naming matching agent, an authentication agent and a processing agent; the data naming matching agent is used for matching data according to naming rules; the authentication agent is used for identifying whether security threats exist in the data according to the matched characteristics; the processing agent is used for limiting corresponding data flow according to the threat judgment result;
the method comprises the following steps:
step A: naming ACSI services to be issued by source and destination intelligent electronic equipment;
and B: the method comprises the steps of issuing an SAP (service Access Point) package to a controller based on a software-defined multicast mechanism, wherein the SAP package is an interest package issued by a source intelligent electronic device to the controller;
and C: deriving server name, Ts and Td and MAC address in SAP and DAS, respectively; the DAS is an interest package issued by the target intelligent electronic equipment to the controller;
step D: matching the SAP server name and the DAS server name from the controller C1, and marking the matched SAP and DAS as SAP 'and DAS' if the matching is correct; controller C1 refers to the first module of the controller;
step E: respectively selecting a source MAC address and a destination MAC address from SAP 'and DAS' and respectively re-marking as DMAC 'and SMAC';
step F: sending the DMAC 'and SMAC' to a controller C2, controller C2 referring to the second module of the controller;
step G: the controller C2 informs the source intelligent electronic device to send DMAC 'to SMAC' service data;
step H: the source intelligent electronic equipment sends the data stream to the network;
step I: the network element accepting the data stream from the source intelligent electronic device;
step J: the network element reports the network state to a controller C2 through a customized OpenFlow;
step K: the controller C2 selects network type and service name information from the network data stream;
step L, the controller C2 establishes a logical topology and a virtual topology for the logical service;
step M: controller C2 detects and controls the status of all network elements;
and step N: controller C2 matches the Ethernet parameters of the SMAC 'and DMAC' tag network types;
step O: the controller C2 formulates a flow table for data forwarding from the data forwarding rule;
step P: controller C2 distributes the flow table to each network element;
step Q: the service is forwarded from the source intelligent electronic device to the destination intelligent electronic device.
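The following is an added example, not code from the patent or its applicants, that models the controller side of steps C to P for one service: module C1 pairs each SAP with every DAS carrying the same service name, module C2 takes the MAC addresses of the matched pair, looks up where the sink is attached and formulates an OpenFlow-style rule per switch. It assumes that the SAP and DAS interest packages are plain records holding a service name, Ts, Td and a MAC address, that Ts and Td are timestamps, and that network elements are identified by a switch id and port; the service names, MAC addresses and port numbers are constructed. An SAP with no matching DAS, or a DAS whose MAC is unknown to the topology, produces no rule, so that stream is simply not forwarded.

```python
# Added example (not the patent's code): toy model of controller modules C1 and
# C2 carrying out steps C to P. Assumptions, all illustrative: interest packages
# are records with service name, Ts, Td and MAC; sinks are located by
# (switch id, port); the flow table is an OpenFlow-style match/action list.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_TYPE_GOOSE = 0x88B8  # IEC 61850 GOOSE EtherType


@dataclass(frozen=True)
class Interest:
    """An SAP (from the source IED) or DAS (from the destination IED) interest package."""
    service_name: str
    ts: int   # Ts from step C; assumed here to be a timestamp
    td: int   # Td from step C
    mac: str  # MAC address of the issuing IED


@dataclass(frozen=True)
class FlowRule:
    """One OpenFlow-style entry: match on the Ethernet header, forward to a port."""
    eth_src: str
    eth_dst: str
    eth_type: int
    out_port: int


class ControllerC1:
    """First controller module: service-name matching (step D)."""

    def match(self, saps: List[Interest], dass: List[Interest]) -> List[Tuple[Interest, Interest]]:
        by_name: Dict[str, List[Interest]] = {}
        for das in dass:
            by_name.setdefault(das.service_name, []).append(das)
        # Every SAP is paired with every DAS carrying the same service name;
        # one source with several sinks is what makes the result a multicast.
        return [(sap, das) for sap in saps for das in by_name.get(sap.service_name, [])]


class ControllerC2:
    """Second controller module: topology, flow-table formulation and distribution (steps F to P)."""

    def __init__(self, topology: Dict[str, Tuple[str, int]]):
        # topology maps a destination MAC to (switch id, port), as learned from
        # the network-state reports of step J.
        self.topology = topology
        self.flow_tables: Dict[str, List[FlowRule]] = {}

    def formulate(self, smac: str, dmac: str, eth_type: int) -> Optional[FlowRule]:
        """Steps N to P: match the Ethernet parameters, build the rule, file it per switch."""
        location = self.topology.get(dmac)
        if location is None:
            return None  # unknown sink: no rule is installed, so nothing is forwarded
        switch, port = location
        rule = FlowRule(eth_src=smac, eth_dst=dmac, eth_type=eth_type, out_port=port)
        self.flow_tables.setdefault(switch, []).append(rule)
        return rule


def run_controller(saps: List[Interest], dass: List[Interest],
                   topology: Dict[str, Tuple[str, int]],
                   eth_type: int = ETH_TYPE_GOOSE) -> Tuple[List[FlowRule], Dict[str, List[FlowRule]]]:
    """Steps C to P end to end: returns the installed rules and the per-switch flow tables."""
    c1, c2 = ControllerC1(), ControllerC2(topology)
    rules: List[FlowRule] = []
    for sap_p, das_p in c1.match(saps, dass):
        # Step E: the source MAC comes from SAP' and the destination MAC from DAS'
        # (the claim text labels the re-marked pair DMAC' and SMAC').
        smac, dmac = sap_p.mac, das_p.mac
        rule = c2.formulate(smac, dmac, eth_type)
        if rule is not None:
            rules.append(rule)
    return rules, c2.flow_tables


if __name__ == "__main__":
    # Constructed sample input: one protection IED publishing a GOOSE service
    # that two attached IEDs and one unknown IED asked for, plus an unmatched
    # Report service that no destination IED requested.
    topo = {"00:00:00:00:00:02": ("sw1", 3), "00:00:00:00:00:03": ("sw2", 1)}
    saps = [Interest("GOOSE/Prot1", 1000, 1005, "00:00:00:00:00:01"),
            Interest("Report/Meter", 1000, 1005, "00:00:00:00:00:01")]
    dass = [Interest("GOOSE/Prot1", 1001, 1005, "00:00:00:00:00:02"),
            Interest("GOOSE/Prot1", 1001, 1005, "00:00:00:00:00:03"),
            Interest("GOOSE/Prot1", 1001, 1005, "00:00:00:00:00:04")]  # not in topology
    installed, tables = run_controller(saps, dass, topo)
    for switch, switch_rules in tables.items():
        print(switch, switch_rules)
```

Running the block installs two rules, one on sw1 and one on sw2, both matching the source MAC and the GOOSE EtherType; the Report service and the sink at 00:00:00:00:00:04 get none, which is the "restricted from being forwarded" default the claim relies on.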
2. The smart grid threat propagation defense method based on the software-defined multicast system according to claim 1, wherein the intelligent electronic device comprises at least one data naming agent, and the data naming agent comprises at least one data naming module for naming data.
3. The smart grid threat propagation defense method based on the software-defined multicast system according to any one of claims 1 to 2, characterized in that the method further comprises: when data is sent into the network for the first time it is passed to the controller, which performs content perception and feature extraction on it according to the specified naming rule, and data packets that do not match the naming rule are placed in an unprocessed naming management unit for storage;
the features extracted by the data naming matching agent are sent to the authentication agent, whose security service module identifies the data features, judges whether a security threat behaviour exists and generates the corresponding authentication result;
and the authentication agent sends the authentication result to the processing agent, which restricts the data flow corresponding to any data content that failed authentication.
4. The smart grid threat propagation defense method based on the software-defined multicast system according to claim 1, wherein the data exchange between the agents of the controller uses at least a data sharing module implemented in a publish and subscribe mode; each agent publishes its processing result to a public domain space, and every agent that subscribes to that result can obtain the processing results of the other agents from the public domain space.
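The following is an added example, not code from the patent or its applicants, covering claims 3 and 4 together: the three controller agents are wired to a publish/subscribe "public domain space", the data naming matching agent checks each named packet against the naming rule and parks non-matching ones in an unprocessed store, the authentication agent judges the extracted features, and the processing agent records which data flows are permitted and which are restricted. The patent only says "a specified naming rule", so the hierarchical name form /<substation>/<ied>/<service>/<measurement>, the service allow-list, the plausibility ranges and all sample names and values are assumptions constructed for the example.

```python
# Added example (not the patent's code): the data naming matching agent,
# authentication agent and processing agent of claims 3 and 4 exchanging
# results through a publish/subscribe "public domain space". The naming rule,
# the allow-list, the plausibility ranges and the samples are all illustrative.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Hypothetical naming rule; the patent does not specify the rule's form.
NAMING_RULE = re.compile(
    r"^/(?P<substation>[A-Za-z0-9]+)/(?P<ied>IED\d+)/(?P<service>[A-Za-z]+)/(?P<measurement>[A-Za-z]+)$"
)


@dataclass
class NamedData:
    name: str      # name assigned by the IED's data naming agent (claim 2)
    value: float   # constructed measurement payload
    flow_id: str   # identifies the data stream the controller can restrict


class PublicDomainSpace:
    """Claim 4: agents publish results to a shared space; subscribers are called back."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, List[Callable[[dict], None]]] = defaultdict(list)
        self.published: List[Tuple[str, dict]] = []  # everything published, for audit

    def subscribe(self, topic: str, handler: Callable[[dict], None]) -> None:
        self._subscribers[topic].append(handler)

    def publish(self, topic: str, message: dict) -> None:
        self.published.append((topic, message))
        for handler in list(self._subscribers[topic]):
            handler(message)


class DataNamingMatchingAgent:
    """Claim 3: content perception and feature extraction against the naming rule."""

    def __init__(self, bus: PublicDomainSpace) -> None:
        self.bus = bus
        self.unprocessed: List[NamedData] = []  # the "unprocessed naming management unit"

    def handle(self, data: NamedData) -> None:
        match = NAMING_RULE.match(data.name)
        if match is None:
            self.unprocessed.append(data)  # parked, never reaches authentication
            return
        features = {**match.groupdict(), "value": data.value, "flow_id": data.flow_id}
        self.bus.publish("features", features)


class AuthenticationAgent:
    """Claim 3: the security service module decides whether a threat behaviour exists."""

    ALLOWED_SERVICES = {"GOOSE", "Report", "GetDataValues"}  # illustrative ACSI-style names

    def __init__(self, bus: PublicDomainSpace, limits: Dict[str, Tuple[float, float]]) -> None:
        self.bus = bus
        self.limits = limits  # measurement -> (low, high) plausibility range
        bus.subscribe("features", self.handle)

    def handle(self, features: dict) -> None:
        low, high = self.limits.get(features["measurement"], (float("-inf"), float("inf")))
        authenticated = (features["service"] in self.ALLOWED_SERVICES
                         and low <= features["value"] <= high)
        self.bus.publish("auth_result", {"flow_id": features["flow_id"],
                                         "authenticated": authenticated})


class ProcessingAgent:
    """Claim 3: restricts the data flow of content that failed authentication."""

    def __init__(self, bus: PublicDomainSpace) -> None:
        self.permitted: Set[str] = set()
        self.restricted: Set[str] = set()
        bus.subscribe("auth_result", self.handle)

    def handle(self, result: dict) -> None:
        target = self.permitted if result["authenticated"] else self.restricted
        target.add(result["flow_id"])


def run_agents(samples: List[NamedData], limits: Dict[str, Tuple[float, float]]) -> dict:
    """Wire the three agents to one bus, feed the samples, report the outcome."""
    bus = PublicDomainSpace()
    naming = DataNamingMatchingAgent(bus)
    AuthenticationAgent(bus, limits)
    processing = ProcessingAgent(bus)
    for sample in samples:
        naming.handle(sample)
    return {"permitted": processing.permitted, "restricted": processing.restricted,
            "unprocessed": [d.name for d in naming.unprocessed],
            "published": len(bus.published)}


# Constructed sample input: a plausible frequency, an implausible one, a service
# outside the allow-list, and a name that violates the naming rule.
SAMPLES = [
    NamedData("/SubA/IED1/GOOSE/Frequency", 50.02, "flow-1"),
    NamedData("/SubA/IED2/GOOSE/Frequency", 61.0, "flow-2"),
    NamedData("/SubA/IED3/FileTransfer/Frequency", 50.0, "flow-3"),
    NamedData("not-a-grid-name", 1.0, "flow-4"),
]
LIMITS = {"Frequency": (49.5, 50.5)}

if __name__ == "__main__":
    print(run_agents(SAMPLES, LIMITS))
```

Only flow-1 ends up permitted; flow-2 fails the range check, flow-3 fails the allow-list, and flow-4 never reaches the authentication agent because it does not match the naming rule. The point of the bus is that the processing agent never talks to the naming agent directly: it acts only on results another agent published, which is the decoupling claim 4 describes.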
CN201611220741.6A 2016-12-26 2016-12-26 Smart power grid threat propagation defense method based on software defined multicast Active CN106790111B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611220741.6A CN106790111B (en) 2016-12-26 2016-12-26 Smart power grid threat propagation defense method based on software defined multicast

Publications (2)

Publication Number Publication Date
CN106790111A CN106790111A (en) 2017-05-31
CN106790111B true CN106790111B (en) 2020-07-28

Family

ID=58924725

Country Status (1)

Country Link
CN (1) CN106790111B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104063442A (en) * 2014-06-13 2014-09-24 中国科学院计算技术研究所 Service processing method and system of information center network
CN104601557A (en) * 2014-12-29 2015-05-06 广东顺德中山大学卡内基梅隆大学国际联合研究院 Method and system for defending malicious websites based on software-defined network
CN106211136A (en) * 2016-08-31 2016-12-07 上海交通大学 Secure communication mechanism based on name in a kind of intelligent grid

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on SDN-based information-centric networking technology; Xu Shiwen; China Master's Theses Full-text Database, Information Science and Technology; 2015-04-15 (No. 04); Chapter 2, paragraph 1 to Chapter 4, last paragraph *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant