CN106982207B - Method and system for dynamically scheduling a network operating system - Google Patents

Method and system for dynamically scheduling a network operating system

Info

Publication number: CN106982207B (granted from application CN201710146861.4A; earlier publication CN106982207A)
Authority: CN (China)
Prior art keywords: nos, scheduler, master, operating system, network operating
Legal status: Active
Application number: CN201710146861.4A
Other languages: Chinese (zh)
Other versions: CN106982207A (en)
Inventors: 陈福才, 卢振平, 程国振, 扈红超, 刘文彦, 梁浩, 杨超, 丁瑞浩
Current assignee: PLA Information Engineering University
Original assignee: PLA Information Engineering University
Priority date: 2017-03-13
Filing date: 2017-03-13
Publication dates: CN106982207A 2017-07-25; CN106982207B (grant) 2019-06-28
Application filed by PLA Information Engineering University; application granted; current legal status Active.

Classifications

    • H04L63/1433 Vulnerability analysis (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic; H04L63/00, network security)
    • H04L41/0893 Assignment of logical groups to network elements (under H04L41/08, configuration management of networks or network elements; H04L41/00, maintenance, administration or management of data switching networks)
    • H04L41/28 Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
    • H04L63/1466 Active attacks involving interception, injection, modification or spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441, countermeasures against malicious traffic)
    • H04L63/20 Managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and system for dynamically scheduling a network operating system (NOS), which overcomes a problem of the prior art: passive defence technology based on signature matching cannot resist unknown threats. The system is first initialised; a perceptron (sensing module) assesses the working state of every NOS and produces an assessment report; the perceptron periodically sends the report to the scheduler, which updates the registration information; if the assessment result of the NOS currently holding the Master role is normal, the scheduler checks whether the scheduling timer has reached zero, otherwise the scheduler's timing is stopped. The invention not only permits the cooperative scheduling of network, computing and storage resources in the traditional sense, it also greatly improves the security of the network operating system and resolves the passive situation in which the passive defence of existing network operating systems provides only "acquired immunity" against threats that have already been seen.

Description

Method and system for dynamically scheduling a network operating system
Technical field
The invention relates to the technical field of network security, and in particular to a method and system for dynamically scheduling a network operating system.
Background technique
The idea of SDN is to move the control plane, which performs the decision-making function, out of the network devices onto an independent host or business server, forming an SDN controller, also called a network operating system (Network Operating System, NOS). Together with the development of new technologies such as cloud data centres, this flexible, scalable way of building networks has brought enormous change and momentum to the networking field. At the same time, however, design vulnerabilities inherent in SDN bring serious security risks to its deployment. In particular, the attacks and threats that occur widely during service operation, such as false flow injection and controller hijacking, make its security problems even more prominent. These include: the centralised control architecture easily becomes the preferred target of attack; open network operating systems contain unknown vulnerabilities and back doors; and the static nature of current network operating systems makes it easy for an attacker to probe and analyse the control layer. Existing passive defence technology based on signature matching cannot resist unknown threats. To solve these problems, a network operating system architecture with active defence characteristics must be designed to provide the NOS with effective security guarantees.
Summary of the invention
The present invention overcomes the problem that, in the prior art, passive defence technology based on signature matching cannot resist unknown threats, and provides a method and system for dynamically scheduling a network operating system with high security performance and a small exposure to security threats.
The technical solution of the invention is as follows. A method for dynamically scheduling a network operating system is provided, containing the following steps:
Step 1: system initialisation;
Step 2: the perceptron assesses the working state of all NOS and produces an assessment report;
Step 3: the perceptron periodically sends the assessment report to the scheduler, which updates the registration information;
Step 4: if the assessment result of the NOS currently holding the Master role is normal, execute step 5; otherwise execute step 6;
Step 5: check whether the scheduling timer is zero. If it is zero, the scheduler, following its scheduling strategy and the assessment report, selects the best Slaver to replace the Master and become the new Master, and updates the registration information at the same time; if it is not zero, jump to step 2;
Step 6: if monitoring finds that the NOS in the Master role is abnormal, stop the scheduler's timing and reset it; the scheduler selects one healthy, optimal NOS from the Slaver set to replace the current Master and become the new Master, and updates the registration information at the same time.
Step 1 includes:
Step 101: open dynamic mode; the scheduling layer reads the registration information of the heterogeneous NOS from a configuration file, or dynamically receives registration information from the heterogeneous NOS, and completes registration;
Step 102: randomly select one NOS from the registration linked list as Master, and write the NOS role information into the registration linked list; the NOS roles are defined according to the role rules of the OpenFlow protocol;
Step 103: the scheduler countdown is started and the perceptron module is launched;
Step 104: bottom-layer network data requests are distributed through the data agent to every executor, including the Master and all Slavers;
Step 105: the Master executor responds to the bottom-layer data request.
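Step 102 says only that the NOS roles follow the OpenFlow role definitions. In OpenFlow 1.3 a controller takes the master or slave role by sending an OFPT_ROLE_REQUEST that carries a 64-bit generation_id, and a switch rejects a master/slave request whose generation_id is stale; this is the mechanism a practitioner relies on so that a displaced Master cannot re-assert itself after the scheduler has switched. The following is an added example, not code from the patent, showing the message encoding and a minimal model of the switch-side staleness check; the SwitchRoleState class, the controller names and the generation numbers are assumptions made for the demonstration.

```python
"""OpenFlow 1.3 role messages for the Master/Slaver switch (struct ofp_role_request, 24 bytes).
Added example, not code from the patent. A controller that the scheduler promotes sends
OFPCR_ROLE_MASTER with a generation_id above the old Master's; the switch rejects a stale
generation_id (OFPRRFC_STALE), so a displaced or hijacked old Master cannot re-take control.
SwitchRoleState is a minimal model of that switch-side check, and the controller names and
generation numbers in failover_demo are constructed."""
import struct

OFP_VERSION_13 = 0x04
OFPT_ROLE_REQUEST, OFPT_ROLE_REPLY = 24, 25
OFPCR_ROLE_NOCHANGE, OFPCR_ROLE_EQUAL, OFPCR_ROLE_MASTER, OFPCR_ROLE_SLAVE = 0, 1, 2, 3
_HEADER = "!BBHI"          # ofp_header: version, type, length, xid (network byte order)
_BODY = "!I4xQ"            # role, 4 bytes of padding, generation_id
ROLE_MSG_LEN = struct.calcsize(_HEADER) + struct.calcsize(_BODY)   # 24


def encode_role_request(role, generation_id, xid):
    """Build the OFPT_ROLE_REQUEST a controller sends after the scheduler changes its role."""
    header = struct.pack(_HEADER, OFP_VERSION_13, OFPT_ROLE_REQUEST, ROLE_MSG_LEN, xid)
    return header + struct.pack(_BODY, role, generation_id)


def decode_role_message(data):
    """Parse a role request or reply, rejecting a wrong version, type, length or role."""
    if len(data) != ROLE_MSG_LEN:
        raise ValueError(f"role message must be {ROLE_MSG_LEN} bytes, got {len(data)}")
    version, msg_type, length, xid = struct.unpack(_HEADER, data[:8])
    if version != OFP_VERSION_13 or msg_type not in (OFPT_ROLE_REQUEST, OFPT_ROLE_REPLY):
        raise ValueError("not an OpenFlow 1.3 role message")
    if length != ROLE_MSG_LEN:
        raise ValueError("length field does not match the message size")
    role, generation_id = struct.unpack(_BODY, data[8:])
    if role > OFPCR_ROLE_SLAVE:
        raise ValueError(f"unknown role {role}")
    return {"type": msg_type, "xid": xid, "role": role, "generation_id": generation_id}


def is_stale(generation_id, cached):
    """Spec rule: stale if (int64)(generation_id - cached) < 0, i.e. compare with wrap-around."""
    diff = (generation_id - cached) & 0xFFFFFFFFFFFFFFFF
    return diff >= 1 << 63


class SwitchRoleState:
    """Minimal model of one switch's view of its controllers' roles."""

    def __init__(self):
        self.generation_id = None   # highest generation_id accepted in a master/slave request
        self.roles = {}             # controller id -> OFPCR_ROLE_* currently held

    def handle(self, controller, data):
        msg = decode_role_message(data)
        role = msg["role"]
        if role == OFPCR_ROLE_NOCHANGE:
            return "nochange"
        if role in (OFPCR_ROLE_MASTER, OFPCR_ROLE_SLAVE):
            gen = msg["generation_id"]
            if self.generation_id is not None and is_stale(gen, self.generation_id):
                return "stale"      # switch answers OFPET_ROLE_REQUEST_FAILED / OFPRRFC_STALE
            self.generation_id = gen
        if role == OFPCR_ROLE_MASTER:   # a new master demotes whoever was master before
            for cid, held in self.roles.items():
                if held == OFPCR_ROLE_MASTER:
                    self.roles[cid] = OFPCR_ROLE_SLAVE
        self.roles[controller] = role
        return "ok"

    def master(self):
        return next((c for c, r in self.roles.items() if r == OFPCR_ROLE_MASTER), None)


def failover_demo():
    """Old Master at generation 4, the promoted Slaver at 5, then the old Master's stale retry."""
    sw = SwitchRoleState()
    first = sw.handle("old-master", encode_role_request(OFPCR_ROLE_MASTER, 4, xid=1))
    promote = sw.handle("new-master", encode_role_request(OFPCR_ROLE_MASTER, 5, xid=2))
    stale_retry = sw.handle("old-master", encode_role_request(OFPCR_ROLE_MASTER, 4, xid=3))
    return {"first": first, "promote": promote, "stale_retry": stale_retry,
            "master": sw.master(), "roles": dict(sw.roles)}
```

Calling failover_demo() returns "ok" for the original Master, "ok" for the promotion and "stale" for the old Master's retry, with the switch now reporting "new-master" as master. The practical consequence for the scheduler is that it must hand each newly promoted Master a generation_id larger than any it issued before; reusing or resetting the counter would let the displaced Master's request through.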
In step 101, registration is divided into automatic registration and static configuration. Automatic registration: the NOS executor set automatically registers the identification information of each NOS with the scheduler, and adding or removing a NOS causes a corresponding change in the NOS registration information held in the scheduler kernel. Static configuration: the user, as administrator, manually configures the identification information of each NOS into the scheduler kernel; this configuration information includes port and IP address.
The scheduling strategy in step 5 is specifically an active scheduling strategy and a reactive scheduling strategy. In the active scheduling strategy the scheduler's scheduling interval on the time line is constant, and no matter how the bottom-layer network topology changes the scheduler switches the NOS spontaneously on its timer. In the reactive scheduling strategy the perceptron module senses the security state of the network together with some real-time information, and if an abnormal situation is found it starts the scheduling strategy immediately.
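Steps 2 to 6, the initialisation sub-steps 101 to 105 and the two scheduling strategies above together describe one control loop. The following added example, not code from the patent, simulates that loop: a registry of heterogeneous NOS, a perceptron that produces (healthy, score) reports, a countdown that triggers the active (proactive) switch, an abnormal report that triggers the reactive switch, and a data agent that fans each request out to every executor but returns only the Master's reply. The NOS names and scores, the report format, the tick-based timer and the generation counter are assumptions made for the demonstration.

```python
"""Simulation of the patent's scheduling loop: steps 101-105 once, then steps 2-6 repeated.
Added example, not code from the patent. Assumed: the perceptron report maps each NOS name
to (healthy, score); the countdown counts report ticks; generation_id is a counter the new
Master would carry in its OpenFlow role requests; the NOS names and scores are constructed."""
import random


class NOS:
    """One heterogeneous NOS executor; its identification information is IP and port."""

    def __init__(self, name, ip, port, score=1.0):
        self.name, self.ip, self.port = name, ip, port
        self.role = "Slaver"        # exactly one executor holds "Master" at any time
        self.healthy = True         # simulated state observed by the perceptron
        self.score = score          # simulated quality used to choose the "best" Slaver

    def respond(self, request):
        """Simulated reply of this executor to a bottom-layer data request."""
        return f"{self.name} handled {request}"


def perceptron_assess(executors):
    """Step 2: assess every NOS; a real perceptron would probe the controllers."""
    return {n.name: (n.healthy, n.score) for n in executors}


class Scheduler:
    """Registration information, countdown timer and the switching logic (steps 3-6)."""

    def __init__(self, interval, rng):
        self.interval = interval        # active-strategy scheduling interval in ticks
        self.timer = interval           # countdown opened in step 103
        self.registry = {}              # the patent's registration linked list
        self.generation_id = 0          # bumped on every Master change
        self.rng = rng
        self.events = []

    def register(self, nos):            # step 101: automatic registration or static config
        self.registry[nos.name] = nos

    def initialize(self):               # step 102: random Master, roles written to registry
        ordered = sorted(self.registry.values(), key=lambda n: n.name)
        for n in ordered:
            n.role = "Slaver"
        master = self.rng.choice(ordered)
        master.role = "Master"
        return master

    def master(self):
        return next(n for n in self.registry.values() if n.role == "Master")

    def tick(self, report):
        """Steps 3-6 on one fresh assessment report; returns a switch event or None."""
        healthy, _ = report[self.master().name]
        if not healthy:                 # step 6: stop and reset timing, switch at once
            return self._switch(report, "reactive")
        self.timer -= 1                 # step 5: Master is normal, count down
        if self.timer > 0:
            return None                 # timer not zero: back to step 2
        return self._switch(report, "proactive")

    def _switch(self, report, reason):
        old = self.master()
        candidates = [n for n in self.registry.values()
                      if n.role == "Slaver" and report[n.name][0]]
        if not candidates:              # nothing healthy to fail over to
            raise RuntimeError("no healthy Slaver available")
        new = max(candidates, key=lambda n: report[n.name][1])
        old.role, new.role = "Slaver", "Master"
        self.generation_id += 1         # lets switches reject the displaced Master
        self.timer = self.interval      # reset the countdown
        event = f"{reason}: {old.name} -> {new.name} (gen {self.generation_id})"
        self.events.append(event)
        return event

    def data_agent(self, request):
        """Steps 104-105: fan the request out to every executor, return the Master's reply."""
        replies = {n.name: n.respond(request) for n in self.registry.values()}
        return replies[self.master().name]


def run_demo(seed=7):
    """Three constructed NOS: a proactive switch, then a reactive one after a failure."""
    sched = Scheduler(interval=3, rng=random.Random(seed))
    for nos in (NOS("onos", "10.0.0.1", 6653, score=0.9),      # constructed sample data
                NOS("ryu", "10.0.0.2", 6653, score=0.6),
                NOS("floodlight", "10.0.0.3", 6653, score=0.8)):
        sched.register(nos)
    first = sched.initialize().name
    reply_before = sched.data_agent("packet_in")
    for _ in range(3):                  # timer 3 -> 0: proactive switch on the third tick
        sched.tick(perceptron_assess(sched.registry.values()))
    second = sched.master().name
    sched.registry[second].healthy = False      # the new Master crashes or is hijacked
    sched.tick(perceptron_assess(sched.registry.values()))     # abnormal: reactive switch
    third = sched.master().name
    return {"first": first, "second": second, "third": third, "reply_before": reply_before,
            "events": list(sched.events), "generation_id": sched.generation_id}
```

Calling run_demo() returns the three successive Masters and two events, one "proactive" switch when the countdown reaches zero and one "reactive" switch on the first abnormal report. A switch is only possible when at least one Slaver is reported healthy; the patent does not say what happens otherwise, and the example raises an error in that case rather than silently keeping an abnormal Master.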
A system for implementing the method for dynamically scheduling a network operating system is provided, containing the following units:
Application layer unit: APPs of various functions program the underlying devices through the programming interface provided by the control layer;
Control layer unit: an executor set comprising N NOS that are functionally equivalent but structurally different; one kind is the Master NOS, of which there is one and only one, which is the NOS that actually manages the network; the other kind is the Slaver NOS, which are standby NOS, and a Slaver is scheduled to become Master;
Scheduling layer unit: transparent to the bottom-layer network and to the upper-layer network operating systems.
The scheduling layer unit contains a data agent module, a perceptron module and a scheduler module, wherein
Data agent module: the intermediate point for data exchange between the control plane and the data plane; bottom-layer network requests are distributed through it to the NOS executor set, and the management and control data of the controller are likewise handed down through it to the bottom-layer network and to the other scheduling layer modules;
Perceptron module: the perceptron senses the security state of the network and passes the information to the scheduler;
Scheduler module: contains the registration information of all NOS and receives the information from the data agent; it has an internal countdown function, and once the timer counts down to zero the scheduler selects a Slaver NOS as the Master NOS according to the scheduling strategy.
Compared with the prior art, the method and system for dynamically scheduling a network operating system of the present invention have the following advantages. The architecture has the capability of perception-driven dynamic scheduling of heterogeneous NOS, and thereby avoids attacks and threats such as false flow table injection and NOS hijacking launched through NOS vulnerabilities and back doors; it also prevents an attacker from continuing to exploit the same vulnerability to control the NOS on the basis of one successful attack. The security architecture of this application introduces dynamism and heterogeneity into the network operating system; by dynamically scheduling the NOS executors in real time it achieves dynamism, so that not only can the cooperative scheduling of network, computing and storage resources in the traditional sense be implemented, the security of the network operating system is also greatly improved, resolving the passive situation in which the passive defence of existing network operating systems provides only "acquired immunity".
Brief description of the drawings
Fig. 1 is the flow diagram of the method in the method and system for dynamically scheduling a network operating system of the present invention;
Fig. 2 is the flow diagram of the initialisation in the method of the method and system for dynamically scheduling a network operating system of the present invention;
Fig. 3 is the simulation diagram of the method and system for dynamically scheduling a network operating system of the present invention.
Specific embodiments
The method and system for dynamically scheduling a network operating system of the present invention are further explained below with reference to the accompanying drawings and specific embodiments:
Embodiment one: as shown in Fig. 1, a method for dynamically scheduling a network operating system contains the following steps:
Step 1: system initialisation;
Step 2: the perceptron assesses the working state of all NOS and produces an assessment report;
Step 3: the perceptron periodically sends the assessment report to the scheduler, which updates the registration information;
Step 4: if the assessment result of the NOS currently holding the Master role is normal, execute step 5; otherwise execute step 6;
Step 5: check whether the scheduling timer is zero. If it is zero, the scheduler, following its scheduling strategy and the assessment report, selects the best Slaver to replace the Master and become the new Master, and updates the registration information at the same time; if it is not zero, jump to step 2;
Step 6: if monitoring finds that the NOS in the Master role is abnormal, stop the scheduler's timing and reset it; the scheduler selects one healthy, optimal NOS from the Slaver set to replace the current Master and become the new Master, and updates the registration information at the same time.
Step 1 includes: step 101: open dynamic mode; the scheduling layer reads the registration information of the heterogeneous NOS from a configuration file, or dynamically receives registration information from the heterogeneous NOS, and completes registration;
Step 102: randomly select one NOS from the registration linked list as Master, and write the NOS role information into the registration linked list; the NOS roles are defined according to the role rules of the OpenFlow protocol;
Step 103: the scheduler countdown is started and the perceptron module is launched.
Step 104: bottom-layer network data requests are distributed through the data agent to every executor, including the Master and all Slavers;
Step 105: the Master executor responds to the bottom-layer data request.
In step 101, registration is divided into automatic registration and static configuration. Automatic registration: the NOS executor set automatically registers the identification information of each NOS with the scheduler, and adding or removing a NOS causes a corresponding change in the NOS registration information held in the scheduler kernel. Static configuration: the user, as administrator, manually configures the identification information of each NOS into the scheduler kernel; this configuration information includes port and IP address.
The scheduling strategy in step 5 is specifically an active scheduling strategy and a reactive scheduling strategy. In the active scheduling strategy the scheduler's scheduling interval on the time line is constant, and no matter how the bottom-layer network topology changes the scheduler switches the NOS spontaneously on its timer. In the reactive scheduling strategy the perceptron module senses the security state of the network together with some real-time information, and if an abnormal situation is found it starts the scheduling strategy immediately.
Embodiment two: a system for implementing the method for dynamically scheduling a network operating system, containing the following units:
Application layer unit: APPs of various functions program the underlying devices through the programming interface provided by the control layer.
Control layer unit: an executor set comprising N NOS that are functionally equivalent but structurally different; one kind is the Master NOS, of which there is one and only one, which is the NOS that actually manages the network; the other kind is the Slaver NOS, which are standby NOS, and a Slaver is scheduled to become Master.
Scheduling layer unit: transparent to the bottom-layer network and to the upper-layer network operating systems.
The scheduling layer unit contains a data agent module, a perceptron module and a scheduler module, wherein
Data agent module: the intermediate point for data exchange between the control plane and the data plane; bottom-layer network requests are distributed through it to the NOS executor set, and the management and control data of the controller are likewise handed down through it to the bottom-layer network and to the other scheduling layer modules;
Perceptron module: the perceptron senses the security state of the network and passes the information to the scheduler;
Scheduler module: contains the registration information of all NOS and receives the information from the data agent; it has an internal countdown function, and once the timer counts down to zero the scheduler selects a Slaver NOS as the Master NOS according to the scheduling strategy.
Data layer: consistent with the data plane functions of the existing SDN architecture.
It can be seen from the above architectural scheme that this application discloses a protective architecture for network operating systems based on dynamic scheduling. By using diverse open-source heterogeneous NOS it establishes a set of heterogeneous NOS instances, combines their respective security advantages and, together with the perception-based dynamic scheduling method, better guarantees that when the network faces a security threat the network is recoverable from the attack and retains resilience and survivability, thereby improving the security performance of the network operating system.
The dynamic-scheduling network operating system architecture disclosed in the embodiments of this application has the capability of perception-driven dynamic scheduling of heterogeneous NOS, and thereby avoids attacks and threats such as NOS single point of failure, false flow table injection and NOS hijacking; it also makes it impossible for an attacker, after one successful attack, to keep using the same vulnerability or privilege to control the NOS once and for all. The architecture of this application introduces dynamism and heterogeneity into the network operating system; by dynamically scheduling the NOS executors in real time it achieves the dynamism of the NOS, so that not only can the cooperative scheduling of network, computing and storage resources in the traditional sense be implemented, the security of the network operating system is also greatly improved.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. The above description of the disclosed embodiments enables those skilled in the art to realise or use this application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be realised in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. A method for dynamically scheduling a network operating system, characterised in that it contains the following steps:
Step 1: system initialisation;
Step 2: the perceptron assesses the working state of N NOS that are functionally equivalent but structurally different, and produces an assessment report;
Step 3: the perceptron periodically sends the assessment report to the scheduler, which updates the registration information;
Step 4: if the assessment result of the NOS currently holding the Master role is normal, execute step 5; otherwise execute step 6;
Step 5: check whether the scheduling timer is zero; if it is zero, the scheduler, following its scheduling strategy and the assessment report, selects the best Slaver to replace the Master and become the new Master, and updates the registration information at the same time; if it is not zero, jump to step 2;
Step 6: if monitoring finds that the NOS in the Master role is abnormal, stop the scheduler's timing and reset it; the scheduler selects one healthy, optimal NOS from the Slaver set to replace the current Master and become the new Master, and updates the registration information at the same time.
2. The method for dynamically scheduling a network operating system according to claim 1, characterised in that step 1 includes:
Step 101: open dynamic mode; the scheduling layer reads the registration information of the heterogeneous NOS from a configuration file, or dynamically receives registration information from the heterogeneous NOS, and completes registration;
Step 102: randomly select one NOS from the registration linked list as Master, and write the NOS role information into the registration linked list; the NOS roles are defined according to the role rules of the OpenFlow protocol;
Step 103: the scheduler countdown is started and the perceptron module is launched;
Step 104: bottom-layer network data requests are distributed through the data agent to every executor, including the Master and all Slavers;
Step 105: the Master executor responds to the bottom-layer data request.
3. The method for dynamically scheduling a network operating system according to claim 2, characterised in that in step 101 registration is divided into automatic registration and static configuration; automatic registration: the NOS executor set automatically registers the identification information of each NOS with the scheduler, and adding or removing a NOS causes a corresponding change in the NOS registration information held in the scheduler kernel; static configuration: the user, as administrator, manually configures the identification information of each NOS into the scheduler kernel, this configuration information including port and IP address.
4. The method for dynamically scheduling a network operating system according to claim 1, characterised in that the scheduling strategy in step 5 is specifically an active scheduling strategy and a reactive scheduling strategy; in the active scheduling strategy the scheduler's scheduling interval on the time line is constant, and no matter how the bottom-layer network topology changes the scheduler switches the NOS spontaneously on its timer; in the reactive scheduling strategy the perceptron module senses the security state of the network together with some real-time information, and if an abnormal situation is found it starts the scheduling strategy immediately.
5. A system for implementing the method for dynamically scheduling a network operating system, characterised in that it contains the following units:
Application layer unit: APPs of various functions program the underlying devices through the programming interface provided by the control layer;
Control layer unit: an executor set comprising N NOS that are functionally equivalent but structurally different; one kind is the Master NOS, of which there is one and only one, which is the NOS that actually manages the network; the other kind is the Slaver NOS, which are standby NOS; it is checked whether the scheduling timer is zero, and if it is zero the scheduler, following its scheduling strategy and the assessment report, selects the best Slaver to replace the Master and become the new Master, updating the registration information at the same time; if monitoring finds that the NOS in the Master role is abnormal, the scheduler's timing is stopped and reset, and the scheduler selects one healthy, optimal NOS from the Slaver set to replace the current Master and become the new Master, updating the registration information at the same time;
Scheduling layer unit: transparent to the bottom-layer network and to the upper-layer network operating systems.
6. The system for implementing the method for dynamically scheduling a network operating system according to claim 5, characterised in that the scheduling layer unit contains a data agent module, a perceptron module and a scheduler module, wherein
Data agent module: the intermediate point for data exchange between the control plane and the data plane; bottom-layer network requests are distributed through it to the NOS executor set, and the management and control data of the controller are likewise handed down through it to the bottom-layer network and to the other scheduling layer modules;
Perceptron module: the perceptron senses the security state of the network and passes the information to the scheduler;
Scheduler module: contains the registration information of all NOS and receives the information from the data agent; it has an internal countdown function, and once the timer counts down to zero the scheduler selects a Slaver NOS as the Master NOS according to the scheduling strategy.
Priority application: CN201710146861.4A, priority date 2017-03-13, filing date 2017-03-13, "Method and system for dynamically scheduling a network operating system", status Active.

Publications (2)

Publication Number Publication Date
CN106982207A (en) 2017-07-25
CN106982207B (en) 2019-06-28

Family ID: 59339502 (one family application, CN201710146861.4A; country status: CN, CN106982207B)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110048868B (en) * 2018-01-16 2022-03-01 北京中科晶上超媒体信息技术有限公司 Scheduling method of operating system executive
CN109144746B (en) * 2018-07-19 2022-04-01 中国航空工业集团公司沈阳飞机设计研究所 Message asynchronous distribution system and method of GFT training system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101178666A (en) * 2007-12-13 2008-05-14 中兴通讯股份有限公司 Coordinating and scheduling method between heterogeneous multi-core
CN103176780A (en) * 2011-12-22 2013-06-26 中国科学院声学研究所 Binding system and method of multiple network interfaces
CN103514043A (en) * 2012-06-29 2014-01-15 华为技术有限公司 Multi-processor system and data processing method thereof
CN104410730A (en) * 2014-12-10 2015-03-11 上海斐讯数据通信技术有限公司 Seamless handover method of SDN (software defined network) main backup controller based on NAT (network address translation) technique
CN105791279A (en) * 2016-02-29 2016-07-20 中国人民解放军信息工程大学 Mimic SDN controller construction method



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant