CN106982207B - A method and system for dynamically scheduling a network operating system - Google Patents
Publication number: CN106982207B (application CN201710146861.4A). Authority: CN (China). Legal status: Active (Google's assumed status, not a legal conclusion).
Prior art keywords: nos, scheduler, master, operating system, network operating
Classifications (CPC):
- H04L63/1433 - Vulnerability analysis
- H04L41/0893 - Assignment of logical groups to network elements
- H04L41/28 - Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
- H04L63/1441 - Countermeasures against malicious traffic
- H04L63/1466 - Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/20 - Network architectures or network communication protocols for managing network security; network security policies in general
Abstract
The invention discloses a method and system for dynamically scheduling a network operating system (NOS), which overcomes the problem that prior-art passive defence based on signature matching cannot resist unknown threats. The system is first initialised; a perceptron assesses the working condition of all NOS instances and produces assessment reports; the perceptron periodically sends these reports to the scheduler, which updates its registration information; if the assessment result for the NOS currently in the Master role is normal, the scheduler checks whether the scheduling timer has reached zero, otherwise the scheduler timer is stopped. The invention not only enables coordinated scheduling of network, computing and storage resources in the conventional sense, it also greatly improves the security of the network operating system and resolves the passive situation in which the defences of existing network operating systems possess only "acquired immunity" gained after an attack.
Description
Technical field
The invention relates to the technical field of network security, and in particular to a method and system for dynamically scheduling a network operating system.
Background art
The idea of SDN is to move the control plane, which performs the decision-making function, out of the network devices and onto an independent host or business server, forming the SDN controller, also called the network operating system (NOS). Together with the development of new technologies such as cloud data centres, this flexible and scalable network architecture built on SDN has brought huge change and momentum to the networking field. At the same time, design flaws in the architecture itself pose serious security risks to its deployment. In particular, attacks and threats that occur widely during service operation, such as false flow injection and controller hijacking, make its security problems more prominent. These include: the centralised control architecture easily becomes a preferred attack target; open-source network operating systems contain unknown vulnerabilities and back doors; and the static nature of current network operating systems helps an attacker probe and analyse the control layer. Existing passive defence techniques based on signature matching cannot resist unknown threats. To solve these problems, a network operating system architecture with active defence characteristics must be designed to provide it with an effective security guarantee.
Summary of the invention
The present invention overcomes the problem that, in the prior art, passive defence based on signature matching cannot resist unknown threats, and provides a method and system for dynamically scheduling a network operating system that has high security performance and a small exposure to security threats.
The technical solution of the invention is as follows. A method for dynamically scheduling a network operating system comprises the following steps:
Step 1: system initialisation;
Step 2: the perceptron assesses the working condition of all NOS instances and produces an assessment report;
Step 3: the perceptron periodically sends the assessment report to the scheduler, which updates its registration information;
Step 4: if the assessment result for the NOS in the current Master role is normal, go to step 5; otherwise go to step 6;
Step 5: check whether the scheduling timer is zero. If it is zero, the scheduler, based on the scheduling strategy and the assessment report, selects the best Slaver to replace the Master and become the new Master, and updates the registration information. If it is not zero, jump to step 2;
Step 6: if monitoring finds the NOS in the Master role to be abnormal, stop and reset the scheduler timer; the scheduler selects a healthy, optimal NOS from the Slaver set to replace the current Master and become the new Master, and updates the registration information.
Step 1 comprises:
Step 101: enable dynamic mode; the scheduling layer reads the registration information of the heterogeneous NOS instances from a configuration file, or dynamically receives registration information from the heterogeneous NOS instances, completing registration;
Step 102: randomly select one NOS from the registration linked list as Master, and write the NOS role information into the registration linked list; the NOS role definition is implemented according to the OpenFlow protocol;
Step 103: start the scheduler countdown and start the perceptron module;
Step 104: bottom-layer network data requests are distributed by the data agent to every execution body, including the Master and all Slavers;
Step 105: the Master execution body responds to the bottom-layer data request.
In step 101, registration is divided into automatic registration and static configuration. Automatic registration: the NOS execution body set registers the identification information of each NOS with the scheduler by itself, and adding or removing a NOS causes the corresponding change in the NOS registration information held in the scheduler kernel. Static configuration: the user, acting as administrator, manually configures the identification information of each NOS into the scheduler kernel; this configuration information includes the port and IP address.
The scheduling strategy in step 5 consists of an active scheduling strategy and a reactive scheduling strategy. Under the active scheduling strategy, the scheduler's scheduling interval on the timeline is constant, and regardless of how the bottom-layer network topology changes, the scheduler switches the NOS spontaneously on a timer. Under the reactive scheduling strategy, the perceptron module senses the security state of the network together with some real-time information, and if an abnormal situation is found, the scheduling strategy is started immediately.
A system for implementing the method of dynamically scheduling a network operating system is provided, comprising the following units:
Application layer unit: the various functional APPs program the underlying devices through the programming interface provided by the control layer;
Control layer unit: an execution body set comprising N NOS instances that are functionally equivalent but structurally different. One kind is the Master NOS, of which there is one and only one; it is the NOS that actually manages the network. The other kind is the Slaver NOS, an alternative NOS; a Slaver is called up to become Master;
Scheduling layer unit: transparent to the bottom-layer network and to the upper-layer network operating system.
The scheduling layer unit contains a data agent module, a perceptron module and a scheduler module, wherein:
Data agent module: the intermediate point for data interaction between the control plane and the data plane; the bottom-layer network requests are distributed through it to the NOS execution body set, and the management and control data of the controller is also passed down through it to the bottom-layer network and the other scheduling layer modules;
Perceptron module: the perceptron senses the security state of the network and passes the information to the scheduler;
Scheduler module: holds the registration information of all NOS instances, receives the information from the data agent, and has an internal countdown function; once the countdown timer reaches zero, the scheduler selects a Slaver NOS as the Master NOS according to the scheduling strategy.
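The scheduling loop of steps 1 to 6 (with the registration of step 101, the random initial Master of step 102, the countdown of step 103, and the fan-out of steps 104 and 105) and the scheduler and data agent modules described for the scheduling layer unit are easiest to follow as one small simulation. The following Python is an added example written for this page, not code from the patent or its applicant. The class names (NosExecutor, Scheduler, DataAgent), the health-score threshold HEALTHY, the tick-based timer and the scoring of the perceptron reports are assumptions; the patent says only that a report marks each NOS normal or abnormal and that the "best" Slaver is chosen. The NOS names, addresses and reports are constructed.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASTER, SLAVE = "Master", "Slaver"   # role names as the patent uses them
HEALTHY = 0.5                        # assumed threshold: a score below this counts as abnormal


@dataclass
class NosExecutor:
    """One heterogeneous NOS execution body known to the scheduler (assumed name)."""
    name: str
    ip: str
    port: int
    role: str = SLAVE
    health: float = 1.0              # latest perceptron score, 1.0 = fully healthy

    def handle(self, request: str) -> str:
        # Every executor receives the request (step 104); only Master's reply is used (step 105).
        return f"{self.name} handled {request}"


class Scheduler:
    """Registration list, countdown timer and Master/Slaver switching (steps 1-6, assumed name)."""

    def __init__(self, period: int):
        self.registry: Dict[str, NosExecutor] = {}   # the patent's "registration linked list"
        self.period = period                         # proactive scheduling interval, in ticks
        self.timer = period                          # countdown; zero triggers a proactive switch
        self.switches: List[str] = []                # audit trail of every role change

    # step 101: static configuration (an administrator supplies name, IP and port); automatic
    # registration would call the same method from the NOS side
    def register(self, name: str, ip: str, port: int) -> None:
        self.registry[name] = NosExecutor(name, ip, port)

    # step 102: pick the initial Master at random; everyone else is a Slaver
    def init_roles(self, first: Optional[str] = None) -> NosExecutor:
        chosen = first or random.choice(sorted(self.registry))
        for nos in self.registry.values():
            nos.role = MASTER if nos.name == chosen else SLAVE
        self.timer = self.period                     # step 103: the countdown starts
        return self.registry[chosen]

    @property
    def master(self) -> NosExecutor:
        (current,) = [n for n in self.registry.values() if n.role == MASTER]  # exactly one Master
        return current

    def _promote(self, reason: str) -> NosExecutor:
        """Replace the Master with the healthiest Slaver and restart the countdown."""
        candidates = [n for n in self.registry.values() if n.role == SLAVE and n.health >= HEALTHY]
        if not candidates:
            raise RuntimeError("no healthy Slaver available to take over")
        best = max(candidates, key=lambda n: n.health)
        old = self.master
        old.role, best.role = SLAVE, MASTER
        self.switches.append(f"{reason}: {old.name} -> {best.name}")
        self.timer = self.period
        return best

    def tick(self, report: Dict[str, float]) -> Optional[NosExecutor]:
        """One round (steps 2-6) driven by one perceptron report; returns the new Master or None."""
        for name, score in report.items():           # step 3: refresh registration information
            if name in self.registry:
                self.registry[name].health = score
        if self.master.health < HEALTHY:             # step 4 -> step 6: reactive scheduling
            return self._promote("reactive")
        self.timer -= 1                              # step 4 -> step 5: proactive countdown
        if self.timer <= 0:
            return self._promote("proactive")
        return None


class DataAgent:
    """Fans each bottom-layer request out to every executor; only Master's answer goes back (assumed)."""

    def __init__(self, sched: Scheduler):
        self.sched = sched

    def dispatch(self, request: str) -> str:
        answers = {n.name: n.handle(request) for n in self.sched.registry.values()}
        return answers[self.sched.master.name]


def run_demo() -> Tuple[List[str], str]:
    """Three constructed NOS entries, a 3-tick proactive period and one injected Master failure."""
    sched = Scheduler(period=3)
    for name, ip in (("onos", "10.0.0.1"), ("ryu", "10.0.0.2"), ("odl", "10.0.0.3")):
        sched.register(name, ip, 6653)               # constructed addresses; 6653 is the OpenFlow port
    sched.init_roles(first="onos")
    agent = DataAgent(sched)
    ok = {"onos": 0.9, "ryu": 0.8, "odl": 0.7}       # constructed report: everything healthy
    hit = {"onos": 0.1, "ryu": 0.8, "odl": 0.7}      # constructed report: the Master is abnormal
    for report in (ok, ok, hit, ok, ok, ok):         # tick 3 -> reactive switch, tick 6 -> proactive
        sched.tick(report)
    return sched.switches, agent.dispatch("packet-in")
```

Running run_demo() produces two role changes: a reactive one at the third report, when the Master is assessed abnormal and the timer is reset, and a proactive one three ticks later, when the countdown reaches zero even though every NOS is healthy. The second switch is the point of the active strategy: the attack surface moves on a schedule, not only after a detected compromise. Two things the patent leaves open and that a real deployment must decide are shown as assumptions here: what happens when no healthy Slaver exists (the example raises rather than keeping a failed Master), and that a demoted NOS is eligible again as soon as its score recovers.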
Compared with the prior art, the method and system for dynamically scheduling a network operating system of the present invention have the following advantages. The architecture has the function of perception-driven dynamic scheduling of heterogeneous NOS instances, and thereby avoids attacks and threats such as false flow-table injection and NOS hijacking launched through NOS vulnerabilities and back doors; it also prevents an attacker from continuing to control the NOS through the same vulnerability after one successful attack. The security architecture of this application introduces dynamism and heterogeneity into the network operating system; by scheduling NOS execution bodies dynamically and in real time it achieves dynamism, which not only enables coordinated scheduling of network, computing and storage resources in the conventional sense but also greatly improves the security of the network operating system, resolving the passive situation in which the defences of existing network operating systems possess only "acquired immunity".
Brief description of the drawings
Fig. 1 is a flow diagram of the method in the method and system for dynamically scheduling a network operating system of the present invention;
Fig. 2 is a flow diagram of initialisation in the method of the method and system for dynamically scheduling a network operating system of the present invention;
Fig. 3 is a simulation diagram of the method and system for dynamically scheduling a network operating system of the present invention.
Detailed description of embodiments
The method and system for dynamically scheduling a network operating system of the present invention are further described below with reference to the accompanying drawings and specific embodiments:
Embodiment one. As shown in Fig. 1, a method for dynamically scheduling a network operating system comprises the following steps:
Step 1: system initialisation;
Step 2: the perceptron assesses the working condition of all NOS instances and produces an assessment report;
Step 3: the perceptron periodically sends the assessment report to the scheduler, which updates its registration information;
Step 4: if the assessment result for the NOS in the current Master role is normal, go to step 5; otherwise go to step 6;
Step 5: check whether the scheduling timer is zero. If it is zero, the scheduler, based on the scheduling strategy and the assessment report, selects the best Slaver to replace the Master and become the new Master, and updates the registration information. If it is not zero, jump to step 2;
Step 6: if monitoring finds the NOS in the Master role to be abnormal, stop and reset the scheduler timer; the scheduler selects a healthy, optimal NOS from the Slaver set to replace the current Master and become the new Master, and updates the registration information.
Step 1 comprises:
Step 101: enable dynamic mode; the scheduling layer reads the registration information of the heterogeneous NOS instances from a configuration file, or dynamically receives registration information from the heterogeneous NOS instances, completing registration;
Step 102: randomly select one NOS from the registration linked list as Master, and write the NOS role information into the registration linked list; the NOS role definition is implemented according to the OpenFlow protocol;
Step 103: start the scheduler countdown and start the perceptron module;
Step 104: bottom-layer network data requests are distributed by the data agent to every execution body, including the Master and all Slavers;
Step 105: the Master execution body responds to the bottom-layer data request.
In step 101, registration is divided into automatic registration and static configuration. Automatic registration: the NOS execution body set registers the identification information of each NOS with the scheduler by itself, and adding or removing a NOS causes the corresponding change in the NOS registration information held in the scheduler kernel. Static configuration: the user, acting as administrator, manually configures the identification information of each NOS into the scheduler kernel; this configuration information includes the port and IP address.
The scheduling strategy in step 5 consists of an active scheduling strategy and a reactive scheduling strategy. Under the active scheduling strategy, the scheduler's scheduling interval on the timeline is constant, and regardless of how the bottom-layer network topology changes, the scheduler switches the NOS spontaneously on a timer. Under the reactive scheduling strategy, the perceptron module senses the security state of the network together with some real-time information, and if an abnormal situation is found, the scheduling strategy is started immediately.
Embodiment two. A system for implementing the method of dynamically scheduling a network operating system comprises the following units:
Application layer unit: the various functional APPs program the underlying devices through the programming interface provided by the control layer.
Control layer unit: an execution body set comprising N NOS instances that are functionally equivalent but structurally different. One kind is the Master NOS, of which there is one and only one; it is the NOS that actually manages the network. The other kind is the Slaver NOS, an alternative NOS; a Slaver is called up to become Master.
Scheduling layer unit: transparent to the bottom-layer network and to the upper-layer network operating system.
The scheduling layer unit contains a data agent module, a perceptron module and a scheduler module, wherein:
Data agent module: the intermediate point for data interaction between the control plane and the data plane; the bottom-layer network requests are distributed through it to the NOS execution body set, and the management and control data of the controller is also passed down through it to the bottom-layer network and the other scheduling layer modules;
Perceptron module: the perceptron senses the security state of the network and passes the information to the scheduler;
Scheduler module: holds the registration information of all NOS instances, receives the information from the data agent, and has an internal countdown function; once the countdown timer reaches zero, the scheduler selects a Slaver NOS as the Master NOS according to the scheduling strategy.
Data layer: consistent with the data plane functions of the existing SDN architecture.
From the above architecture it can be seen that the application discloses a network operating system protection architecture based on dynamic scheduling. By using diversified open-source heterogeneous NOS instances it builds a heterogeneous NOS instance set that combines their respective security advantages and, together with a perception-based dynamic scheduling method, better guarantees the recoverability, resilience and survivability of the network when it faces a security threat, thereby improving the security performance of the network operating system.
The dynamic-scheduling network operating system architecture disclosed in the embodiments of this application has the function of perception-driven dynamic scheduling of heterogeneous NOS instances, and thereby avoids attacks and threats such as NOS single point of failure, false flow-table injection and NOS hijacking; it also makes it impossible for an attacker, after one successful attack, to keep using the same vulnerability or privilege to control the NOS once and for all. The architecture of this application introduces dynamism and heterogeneity into the network operating system; by scheduling NOS execution bodies dynamically and in real time it achieves NOS dynamism, which not only enables coordinated scheduling of network, computing and storage resources in the conventional sense but also greatly improves the security of the network operating system.
Each embodiment in this specification is described in a progressive manner; each embodiment highlights its differences from the other embodiments, and the same or similar parts among the embodiments may be referred to one another. The above description of the disclosed embodiments enables those skilled in the art to implement or use the application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the application. Therefore, the application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (6)
1. A method for dynamically scheduling a network operating system, characterised in that it comprises the following steps:
Step 1: system initialisation;
Step 2: the perceptron assesses the working condition of N NOS instances that are functionally equivalent but structurally different, and produces an assessment report;
Step 3: the perceptron periodically sends the assessment report to the scheduler, which updates its registration information;
Step 4: if the assessment result for the NOS in the current Master role is normal, go to step 5; otherwise go to step 6;
Step 5: check whether the scheduling timer is zero. If it is zero, the scheduler, based on the scheduling strategy and the assessment report, selects the best Slaver to replace the Master and become the new Master, and updates the registration information. If it is not zero, jump to step 2;
Step 6: if monitoring finds the NOS in the Master role to be abnormal, stop and reset the scheduler timer; the scheduler selects a healthy, optimal NOS from the Slaver set to replace the current Master and become the new Master, and updates the registration information.
2. The method for dynamically scheduling a network operating system according to claim 1, characterised in that step 1 comprises:
Step 101: enable dynamic mode; the scheduling layer reads the registration information of the heterogeneous NOS instances from a configuration file, or dynamically receives registration information from the heterogeneous NOS instances, completing registration;
Step 102: randomly select one NOS from the registration linked list as Master, and write the NOS role information into the registration linked list; the NOS role definition is implemented according to the OpenFlow protocol;
Step 103: start the scheduler countdown and start the perceptron module;
Step 104: bottom-layer network data requests are distributed by the data agent to every execution body, including the Master and all Slavers;
Step 105: the Master execution body responds to the bottom-layer data request.
3. The method for dynamically scheduling a network operating system according to claim 2, characterised in that in step 101 registration is divided into automatic registration and static configuration. Automatic registration: the NOS execution body set registers the identification information of each NOS with the scheduler by itself, and adding or removing a NOS causes the corresponding change in the NOS registration information held in the scheduler kernel. Static configuration: the user, acting as administrator, manually configures the identification information of each NOS into the scheduler kernel; this configuration information includes the port and IP address.
4. The method for dynamically scheduling a network operating system according to claim 1, characterised in that the scheduling strategy in step 5 consists of an active scheduling strategy and a reactive scheduling strategy. Under the active scheduling strategy, the scheduler's scheduling interval on the timeline is constant, and regardless of how the bottom-layer network topology changes, the scheduler switches the NOS spontaneously on a timer. Under the reactive scheduling strategy, the perceptron module senses the security state of the network together with some real-time information, and if an abnormal situation is found, the scheduling strategy is started immediately.
5. A system for implementing the method of dynamically scheduling a network operating system, characterised in that it comprises the following units:
Application layer unit: the various functional APPs program the underlying devices through the programming interface provided by the control layer;
Control layer unit: an execution body set comprising N NOS instances that are functionally equivalent but structurally different; one kind is the Master NOS, of which there is one and only one, being the NOS that actually manages the network; the other kind is the Slaver NOS, an alternative NOS. It is checked whether the scheduling timer is zero; if it is zero, the scheduler, based on the scheduling strategy and the assessment report, selects the best Slaver to replace the Master and become the new Master, and updates the registration information; if monitoring finds the NOS in the Master role to be abnormal, the scheduler timer is stopped and reset, and the scheduler selects a healthy, optimal NOS from the Slaver set to replace the current Master and become the new Master, and updates the registration information;
Scheduling layer unit: transparent to the bottom-layer network and to the upper-layer network operating system.
6. The system for implementing the method of dynamically scheduling a network operating system according to claim 5, characterised in that the scheduling layer unit contains a data agent module, a perceptron module and a scheduler module, wherein:
Data agent module: the intermediate point for data interaction between the control plane and the data plane; the bottom-layer network requests are distributed through it to the NOS execution body set, and the management and control data of the controller is also passed down through it to the bottom-layer network and the other scheduling layer modules;
Perceptron module: the perceptron senses the security state of the network and passes the information to the scheduler;
Scheduler module: holds the registration information of all NOS instances, receives the information from the data agent, and has an internal countdown function; once the countdown timer reaches zero, the scheduler selects a Slaver NOS as the Master NOS according to the scheduling strategy.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710146861.4A CN106982207B (en) | 2017-03-13 | 2017-03-13 | A kind of method and system of dynamic dispatching network operating system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106982207A CN106982207A (en) | 2017-07-25 |
CN106982207B true CN106982207B (en) | 2019-06-28 |
Family
ID=59339502
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110048868B (en) * | 2018-01-16 | 2022-03-01 | 北京中科晶上超媒体信息技术有限公司 | Scheduling method of operating system executive |
CN109144746B (en) * | 2018-07-19 | 2022-04-01 | 中国航空工业集团公司沈阳飞机设计研究所 | Message asynchronous distribution system and method of GFT training system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101178666A (en) * | 2007-12-13 | 2008-05-14 | 中兴通讯股份有限公司 | Coordinating and scheduling method between heterogeneous multi-core |
CN103176780A (en) * | 2011-12-22 | 2013-06-26 | 中国科学院声学研究所 | Binding system and method of multiple network interfaces |
CN103514043A (en) * | 2012-06-29 | 2014-01-15 | 华为技术有限公司 | Multi-processor system and data processing method thereof |
CN104410730A (en) * | 2014-12-10 | 2015-03-11 | 上海斐讯数据通信技术有限公司 | Seamless handover method of SDN (software defined network) main backup controller based on NAT (network address translation) technique |
CN105791279A (en) * | 2016-02-29 | 2016-07-20 | 中国人民解放军信息工程大学 | Mimic SDN controller construction method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |