CN107070895B - SDN-based data flow tracing method - Google Patents

Publication number
CN107070895B
Authority
CN
China
Prior art keywords
switch
data
path
sdn
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710160267.0A
Other languages
Chinese (zh)
Other versions
CN107070895A (en
Inventor
宋晨
王利明
史淼
杨倩
谢德俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a data flow tracing method based on an SDN (software defined network), comprising the following steps: 1) the SDN switch periodically samples specified fields to obtain data packet information Flow_ID and switch information, wherein the switch information comprises a switch identifier Switch_ID and a data packet input port (Input Port); 2) the data packet information Flow_ID and the switch information are grouped with Flow_ID as the key to obtain a data set SA_i for each group, where the subscript i denotes the data sets of different groups; 3) path analysis is performed on the data set SA_i of each group according to the network topology G of the SDN; 4) a path starting point is determined according to the path analysis result, and the path is reconstructed to obtain the path of the data packet or data flow. The method reconstructs the path of a data packet or data flow, so that the attack source can be traced.

Description

SDN-based data flow tracing method
Technical Field
The invention relates to the field of computer networks, in particular to a data flow tracing method based on an SDN.
Background
Generally, the basic way to effectively defend against increasingly serious denial-of-service attacks is to find the attack source and suppress the attack at the source; this is the most effective and most economical method. If the attack source cannot be located and punished when an attack occurs, attackers will become more unscrupulous. Tracing technology therefore occupies a very important position in the network defense system. As the application range of the Internet expands and network crime increases sharply, tracing technology can trace the attack source and provide a basis for pursuing the legal liability of an attacker. Among existing tracing techniques, methods based on packet marking must use the limited packet header space to record identification information for the router or switch traversed at each hop, and authentication information is added to prevent forgery of that identification information. This increases the information that must be stored in a data packet, so the path information must be spread over multiple data packets, and the number of data packets needed for convergence is correspondingly larger. For log-based tracing methods, a digest of the identification information of each data packet must be recorded on the router in order to answer queries, and the storage space of a router is clearly limited in a high-speed network environment. Likewise, methods based on link testing rely on the ISP and the network topology, which is not easy to implement in conventional networks.
A patent related to tracing is CN200810103996.3. Its tracing method sets up a tracing log, maps a unique terminal identifier to the IP address of the terminal, and records this correspondence in the tracing log; when a query module receives a tracing request, it initiates a tracing operation and maps the unique terminal identifier recorded in the log to the IP address of the terminal. In a traditional network it is difficult to ensure that information on all terminals and networks can be accurately acquired, so this method cannot be applied well to tracing and finding attack sources.
Disclosure of Invention
The invention aims to provide a data flow tracing method based on an SDN (software defined network) that reconstructs the path of a data packet or data flow, so that an attack source can be traced.
To achieve this purpose, the technical scheme adopted by the invention is as follows:
A data flow tracing method based on an SDN comprises the following steps:
1) the SDN switch periodically samples specified fields to obtain data packet information Flow_ID and switch information, wherein the switch information comprises a switch identifier Switch_ID and a data packet input port (Input Port);
2) the data packet information Flow_ID and the switch information are grouped with Flow_ID as the key to obtain a data set SA_i for each group, where the subscript i denotes the data sets of different groups;
3) path analysis is performed on the data set SA_i of each group according to the network topology G of the SDN;
4) a path starting point is determined according to the path analysis result, and the path is reconstructed to obtain the path of the data packet or data flow.
Further, the periodic sampling of specified fields in step 1) means that the controller receives a sampling rule issued by an upper-layer application, and the SDN switch parses the sampling rule and samples periodically according to the parsed parameters of the fields to be sampled.
Further, the sampling rule refers to the offset and length, within the data packet, of the fields to be sampled.
Further, the data packet information Flow_ID in step 1) refers to an identifier for distinguishing different data packets or data flows; the switch information refers to information recording the SDN switch at each hop of the path.
Further, the Flow_ID of a TCP data packet is the IP, fragment offset and TCP sequence number fields; the Flow_ID of a UDP data flow is the five-tuple of source IP, destination IP, source port, destination port and protocol.
Further, the grouping in step 2) is performed according to the characteristics of the data packet or data flow to be traced.
Further, the network topology G in step 3) is obtained through the Topology Service module of the SDN.
Further, performing path analysis on the data set SA_i of each group in step 3) comprises the following steps:
a) extract the Switch_IDs in SA_i into a set SS and, using the network topology G, obtain the port set SP_n = {Input Port, Other Ports}_n of each SDN switch SS_i in SS, and store SS_i and the corresponding SP_n in a Port Table (SDN switch port list); wherein i in SS_i is a variable that marks different SDN switches, Input Port is the data packet input port and is marked from the sampling result, and Other Ports are the remaining ports;
b) each SDN switch and its corresponding data packet input port in the Port Table form the current hop set (Current Hop) CH = {SS_i, Input Port}, wherein i in SS_i is a variable that marks different SDN switches, SS_i ∈ SS and Input Port ∈ SP_n;
c) take each item CH_i in CH and, from each port in Other Ports in turn, find the other end of the connection as all possible next hops (Next Hop) NH_i corresponding to CH_i, where the subscript i in CH_i marks the current position of the data packet and the subscript i in NH_i marks the next position to which the data packet is to be transmitted;
d) record the correspondence between CH_i and NH_i in the Path Fragment Table, then deduplicate the elements of NH_i and merge them into the next hop set NH = {SS_i, Input Port}, where SS_i, Input Port ∈ G;
e) take the union of CH and NH as the set AH of all nodes that the paths of SA_i may contain, i.e. AH = CH ∪ NH, with n nodes, |AH| = n; construct an n-th order square matrix A from AH: for the entries in the Path Fragment Table, the element with CH_p as row and NH_q as column is assigned 0, and the element with CH_p as column and NH_q as row is assigned 1; the number of rows of the Path Fragment Table is n, where the subscript p of CH_p and the subscript q of NH_q indicate row p, column q and row q, column p.
Further, in step c), if the other end is a switch, NH_i is denoted by Switch_ID and Input Port; if the other end is a host, its MAC is used as the Switch_ID and the Input Port is null.
Further, determining the path starting point according to the path analysis result in step 4) comprises the following steps:
f) in the square matrix A, a_ij = (r, c) = 0 represents the transmission of the data packet from r to c, and a_ij = 1 represents the transmission of the data packet from c to r; when all values in a row are 0, all elements go from r to different next hops, and when all values in a row are 1, all elements arrive at r from different previous hops; that is, when a row contains only 0 and no 1, there is only a next hop and no previous hop; r is then the starting point of the data packet in SA_i and is marked as the reference point s;
g) when the value of the reference point s is 0, search the column where s is located for an element x with the value 1; when the value of the reference point s is 1, search the row where s is located for an element x with the value 0; if an x meeting the condition exists, take x as the new reference point s, and then execute step f) in a loop until no x meeting the condition can be found, at which point the tracing is finished.
The beneficial effects of the invention are as follows: the invention provides a data flow tracing method based on an SDN (software defined network) that samples the data packets or data flows passing through SDN switches and then performs path reconstruction analysis on the collected samples to determine the attack source. It overcomes the problem that the storage space of the data packet header or of the router is limited and hard to expand, and it builds the path of the data packet or data flow by combining sampling with the SDN's visibility into the network, thereby achieving attack tracing more objectively and efficiently.
Drawings
Fig. 1 is a schematic operation flow diagram of a data flow tracing method based on SDN according to the present invention.
Fig. 2 is a specific flowchart of a data flow tracing method based on SDN according to the present invention.
Fig. 3 is a partial network topology diagram in an attack scenario R according to an embodiment of the present invention.
Wherein S1, S2, S3 and V are hosts and SSB, SSC, SSD, SSE and SSF are SDN switches.
Fig. 4 is a SDN switch port list in an attack scenario R according to an embodiment of the present invention.
Fig. 5 is a path branch list in an attack scenario R according to an embodiment of the present invention.
Fig. 6 is a square matrix a constructed in an attack scenario R according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned and other features and advantages of the invention more comprehensible, embodiments accompanied with figures are described in detail below.
The invention provides a data flow tracing method based on an SDN (software defined network). As shown in the operation flow chart of the data flow tracing method (Fig. 1), the SDN switch first samples the specified fields periodically, and the sampling results are sent to a designated server to await processing. Periodic sampling of specified fields means that the controller receives a sampling rule issued by an upper-layer application, and the SDN switch parses the sampling rule and samples periodically according to the parsed parameters of the fields to be sampled. The sampling rule refers to the offset and length, within the data packet, of the fields to be sampled; for example, field a starts at position 16 of the data packet and has length 8. The sampling result comprises data packet information and switch information. The data packet information Flow_ID is an identifier for distinguishing different data packets or data flows, and the Flow_ID differs by purpose: for example, the Flow_ID for distinguishing individual data packets of the TCP protocol is the IP, fragment offset and TCP sequence number fields, and the identifier for distinguishing UDP data flows is the five-tuple of source IP, destination IP, source port, destination port and protocol. The switch information records the SDN switch at each hop of the path and includes the switch identifier Switch_ID and the data packet input port. Taking the sampling of UDP data flows as an example, the sampling results are shown in Table 1.
Table 1: UDP data stream sampling results
SrcIP | DstIP | SrcPort | DstPort | Protocol | SwID | InPort
Then the sampling results are grouped with Flow_ID as the key to obtain a data set SA_i for each group, where the subscript i marks the data sets of different groups. The grouping follows the characteristics of the data packets or data flows to be traced; for example, if a data flow with source IP a needs to be traced, or DNS-type data packets need to be traced, the characteristics of that data flow or those data packets are used as the basis for grouping.
Finally, path analysis is performed on the data set SA_i of each group according to the network topology G, the path starting point is determined according to the path analysis result, and the path is reconstructed to obtain the path of the data packet or data flow. The network topology G is obtained through the topology service module of the SDN.
The process according to the invention is illustrated below in a specific example.
Please refer to Fig. 2, which is a specific flowchart of the data flow tracing method based on SDN according to the present invention, including the following steps:
1) The SDN switch periodically samples the specified fields to obtain the sampling results, namely the data packet information Flow_ID and the switch information; the sampling results are grouped with Flow_ID as the key to obtain a data set SA_i for each group, where the subscript i marks the data sets of different groups.
2) The network topology G is obtained through the topology service module of the SDN, and the SA_i of each group is processed according to G: all switch identifiers Switch_ID in SA_i are collected into a set SS; at the same time, the ports of each SDN switch SS_i are collected using the information of the network topology G, the data packet input port is marked according to the sampling result, and the result is stored in the Port Table, where i in SS_i is a variable that marks different SDN switches. For example, the sampling results are grouped by Flow_ID and the data set of each group is denoted SA_i, where the subscript i marks the data sets of different groups; as shown in Fig. 3, in attack scenario R, the sample set of the data flow sent from S3 to V (right solid line, where S3 and V are hosts) after grouping of the sampling results is one SA. For each group SA_i in the sampling results, the following operations are performed:
a) Extract the Switch_IDs in SA_i into the set SS and, using the network topology G, obtain the port set SP_n = {Input Port, Other Ports}_n of each SDN switch SS_i in SS, and store SS_i and the corresponding SP_n in the Port Table; wherein i in SS_i is a variable that marks different SDN switches, SS_i ∈ SS, Input Port is the data packet input port and is marked from the sampling result, and Other Ports are the remaining ports. For example, the SDN switch port list in attack scenario R is shown in Fig. 4.
b) Each SDN switch and its corresponding data packet input port in the Port Table form the current hop set CH = {SS_i, Input Port}, wherein i in SS_i is a variable that marks different SDN switches and Input Port ∈ SP_n. For example, in attack scenario R, CH = {SSF2, SSC3, SSE2, SSD2}, where SSF2 indicates that the SDN switch is SSF (the variable i in SS_i is F) and the data packet input port is Port 2.
c) Take each item CH_i in CH and, from each port in Other Ports in turn, find the other end of the connection as all possible next hops NH_i corresponding to CH_i, where the subscript i in CH_i marks the current position of the data packet and the subscript i in NH_i marks the next position to which the data packet is to be transmitted. If the other end is a switch, NH_i is represented by Switch_ID and Input Port; if the other end is a host, its MAC is used as the Switch_ID and the Input Port is null. For example, in attack scenario R, CH_2 = SSC3, and all of its possible next hops are NH_3 = {SSD2, SSE2}.
d) Record the correspondence between CH_i and NH_i in the Path Fragment Table, as shown in Fig. 5. Then deduplicate the elements of NH_i and merge them into the next hop set NH = {SS_i, Input Port}, where SS_i, Input Port ∈ G. For example, NH = {SSC3, SSE2, SSD2, V} in attack scenario R.
e) Take the union of CH and NH as the set AH of all nodes that the paths of SA_i may contain, i.e. AH = CH ∪ NH, where the number of nodes is n and |AH| = n; for example, in attack scenario R, AH = {SSF2, SSC3, SSE2, SSD2, V}. An n-th order square matrix A is constructed from AH: for the entries in the Path Fragment Table, the element with CH_p as row and NH_q as column is assigned 0, and the element with CH_p as column and NH_q as row is assigned 1, i.e. formula (1), where the number of rows of the Path Fragment Table is n, and the subscript p of CH_p and the subscript q of NH_q merely indicate the relationship between the two items, row p and column q. For example, in attack scenario R, CH_2 is SSC3 and NH_3 is SSD2, so (SSC3, SSD2) is 0 while (SSD2, SSC3) is 1. The square matrix A constructed in attack scenario R is shown in Fig. 6.
[Formula (1): equation image, not reproduced in this text]
f) In the square matrix A, a_ij = (r, c) = 0 represents the transmission of the data packet from r to c, and a_ij = 1 represents the transmission of the data packet from c to r. Thus, when all values in a row are 0, all elements go from r to different next hops, and when all values in a row are 1, all elements arrive at r from different previous hops. Therefore, when a row contains only 0 and no 1, there is only a next hop and no previous hop, and r is the starting point of the data flow in SA_i and is marked as the reference point s. As shown in Fig. 3, the starting point of the path in attack scenario R is SSF2, i.e. s = SSF2.
g) When the value of the reference point s is 0, search the column where s is located for an element x with the value 1; when the value of the reference point s is 1, search the row where s is located for an element x with the value 0. If an x satisfying the condition exists, it is taken as the new reference point s. Step f) is then executed in a loop until no such x can be found, at which point the tracing is finished. As shown in Fig. 6, the trace starts from SSF2: a41 = (SSF2, SSC3) = 0 indicates that SSC3 is reached from SSF2. Next, the elements with value 1 are found in the SSC3 column, namely a31 = (SSE2, SSC3) and a21 = (SSD2, SSC3), which indicates that the path has two branches: branch 1 leads to SSE2 and branch 2 leads to SSD2. Taking branch 1 as an example, a31 = (SSE2, SSC3) = 1 indicates that the data packet reaches SSE2 from SSC3. Then the element with value 0 is found in the SSE2 row, namely a35 = (SSE2, V), which indicates that the destination reached from SSE2 is V. Finally, there is no element with value 1 in the column where V is located, so the tracing of branch 1 ends and the reconstructed path is SSF2->SSC3->SSE2->V. In the same way, the final path of branch 2 is SSF2->SSC3->SSD2->V.
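Steps 1) to 2) and a) to g) above, as an added Python example that is not part of the patent text: it groups constructed sampling records by Flow_ID, builds the Path Fragment Table and the matrix A, and reconstructs the two paths of attack scenario R. The topology dictionary and its port numbers, the IP addresses, the SSB branch, the function names and the use of None for matrix cells that carry no relation are assumptions made for this example.

```python
from collections import defaultdict

# Constructed topology G: (switch, port) -> (peer, peer input port).
# A host peer has input port None (step c: host id as Switch_ID, Input Port null).
TOPOLOGY = {
    ("SSF", 2): ("S3", None), ("SSF", 1): ("SSC", 3),
    ("SSC", 3): ("SSF", 1), ("SSC", 1): ("SSD", 2), ("SSC", 2): ("SSE", 2),
    ("SSD", 2): ("SSC", 1), ("SSD", 1): ("V", None),
    ("SSE", 2): ("SSC", 2), ("SSE", 1): ("V", None),
    ("SSB", 1): ("S1", None), ("SSB", 2): ("V", None),  # assumed second branch
}

# Constructed sampling results in the column order of Table 1:
# SrcIP, DstIP, SrcPort, DstPort, Protocol, SwID, InPort.
FLOW_S3 = ("192.0.2.3", "192.0.2.9", 5000, 53, "udp")
FLOW_S1 = ("192.0.2.1", "192.0.2.9", 4000, 53, "udp")
SAMPLES = [
    FLOW_S3 + ("SSC", 3), FLOW_S3 + ("SSF", 2), FLOW_S1 + ("SSB", 1),
    FLOW_S3 + ("SSE", 2), FLOW_S3 + ("SSD", 2), FLOW_S3 + ("SSC", 3),  # repeated sample
]


def group_by_flow(samples):
    """Steps 1-2 and b): Flow_ID -> current hop set CH of (Switch_ID, Input Port)."""
    groups = defaultdict(set)
    for *flow_id, sw, in_port in samples:
        groups[tuple(flow_id)].add((sw, in_port))
    return groups


def path_fragments(ch, topology):
    """Steps a), c), d): Path Fragment Table as {CH item: set of next hops NH}."""
    ports = defaultdict(set)                    # Port Table source: all ports per switch
    for sw, port in topology:
        ports[sw].add(port)
    table = {}
    for sw, in_port in ch:
        others = ports[sw] - {in_port}          # Other Ports = all ports minus Input Port
        table[(sw, in_port)] = {topology[(sw, p)] for p in others}
    return table


def build_matrix(table):
    """Step e): AH = CH ∪ NH and the n-th order square matrix A over AH."""
    ah = sorted(set(table) | {nh for nhs in table.values() for nh in nhs}, key=str)
    idx = {node: i for i, node in enumerate(ah)}
    a = [[None] * len(ah) for _ in ah]          # None: no relation (assumption)
    for ch, nhs in table.items():
        for nh in nhs:
            a[idx[ch]][idx[nh]] = 0             # row CH, column NH: packet goes CH -> NH
            a[idx[nh]][idx[ch]] = 1             # row NH, column CH: packet came from CH
    return ah, a


def start_points(ah, a):
    """Step f): a row holding only 0 and no 1 has next hops but no previous hop."""
    return [ah[r] for r, row in enumerate(a) if 0 in row and 1 not in row]


def reconstruct_paths(ah, a):
    """Step g): follow the 0 entries of each row from every start point.

    A 0 at (r, c) is the same fragment as the 1 at (c, r) that the text looks
    up in column r, so walking rows enumerates every branch of the path.
    """
    idx = {node: i for i, node in enumerate(ah)}
    paths = []

    def walk(node, path):
        nxt = [ah[c] for c, v in enumerate(a[idx[node]]) if v == 0 and ah[c] not in path]
        if not nxt:                             # no further hop: this branch is complete
            paths.append(path)
        for n in nxt:
            walk(n, path + [n])

    for s in start_points(ah, a):
        walk(s, [s])
    return paths


def label(node):
    """Render (SSF, 2) as SSF2 and a host (V, None) as V, as in the text."""
    sw, port = node
    return sw if port is None else f"{sw}{port}"


def trace_flow(flow_id, samples, topology):
    """Reconstruct every path of one Flow_ID from the sampling results."""
    ch = group_by_flow(samples)[flow_id]
    ah, a = build_matrix(path_fragments(ch, topology))
    return sorted("->".join(label(n) for n in p) for p in reconstruct_paths(ah, a))


if __name__ == "__main__":
    for path in trace_flow(FLOW_S3, SAMPLES, TOPOLOGY):
        print(path)
```

Step c) follows every other port of a sampled switch, so a link that the traced flow never used would contribute a candidate next hop; the constructed topology contains no such link.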
In summary, the data flow tracing method based on the SDN provided by the present invention achieves path reconstruction by sending samples to a server for path analysis, using the SDN's visibility into the network. The method overcomes the problem that the storage space of the data packet header or of the router is limited and hard to expand.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. A person skilled in the art can modify the technical solution of the present invention or replace it with equivalents without departing from the spirit and scope of the present invention, and the scope of protection of the present invention is determined by the claims.

Claims (8)

1. A data flow tracing method based on an SDN, comprising the following steps:
1) the SDN switch periodically samples specified fields to obtain data packet information Flow_ID and switch information, wherein the switch information comprises a switch identifier Switch_ID and a data packet input port (Input Port);
2) the data packet information Flow_ID and the switch information are grouped with Flow_ID as the key to obtain a data set SA_i for each group, where the subscript i denotes the data sets of different groups;
3) path analysis is performed on the data set SA_i of each group according to the network topology G of the SDN, comprising the following steps:
a) extract the Switch_IDs in SA_i into a set SS and, using the network topology G, obtain the port set SP_n = {Input Port, Other Ports}_n of each SDN switch SS_i in SS, and store SS_i and the corresponding SP_n in a Port Table; wherein i in SS_i is a variable that marks different SDN switches, Input Port is the data packet input port and is marked from the sampling result, and Other Ports are the remaining ports;
b) each SDN switch and its corresponding data packet input port in the Port Table form the current hop set CH = {SS_i, Input Port}, wherein i in SS_i is a variable that marks different SDN switches, SS_i ∈ SS and Input Port ∈ SP_n;
c) take each item CH_i in CH and, from each port in Other Ports in turn, find the other end of the connection as all possible next hops NH_i corresponding to CH_i, where the subscript i in CH_i marks the current position of the data packet and the subscript i in NH_i marks the next position to which the data packet is to be transmitted;
d) record the correspondence between CH_i and NH_i in the Path Fragment Table, then deduplicate the elements of NH_i and merge them into the next hop set NH = {SS_i, Input Port}, where SS_i, Input Port ∈ G;
e) take the union of CH and NH as the set AH of all nodes that the paths of SA_i may contain, i.e. AH = CH ∪ NH, with n nodes, |AH| = n; construct an n-th order square matrix A from AH: for the entries in the Path Fragment Table, the element with CH_p as row and NH_q as column is assigned 0, and the element with CH_p as column and NH_q as row is assigned 1; the number of rows of the Path Fragment Table is n, where the subscript p of CH_p and the subscript q of NH_q indicate row p and column q;
4) a path starting point is determined according to the path analysis result, and the path is reconstructed to obtain the path of the data packet or data flow, wherein determining the path starting point according to the path analysis result comprises the following steps:
in the square matrix A, a_ij = (r, c) = 0 represents the transmission of the data packet from r to c, and a_ij = 1 represents the transmission of the data packet from c to r; when all values in a row are 0, all elements go from r to different next hops, and when all values in a row are 1, all elements arrive at r from different previous hops; that is, when a row contains only 0 and no 1, there is only a next hop and no previous hop; r is then the starting point of the data packet in SA_i and is marked as the reference point s;
when the value of the reference point s is 0, search the column where s is located for an element x with the value 1; when the value of the reference point s is 1, search the row where s is located for an element x with the value 0; if an x meeting the condition exists, take x as the new reference point s, and then execute step f) in a loop until no x meeting the condition can be found, at which point the tracing is finished.
2. The method of claim 1, wherein the periodic sampling of specified fields in step 1) means that the controller receives a sampling rule issued by an upper-layer application, and the SDN switch parses the sampling rule and samples periodically according to the parsed parameters of the fields to be sampled.
3. The method of claim 2, wherein the sampling rule refers to the offset and length, within the data packet, of the fields to be sampled.
4. The method according to claim 1, wherein the data packet information Flow_ID in step 1) refers to an identifier for distinguishing different data packets or data flows; the switch information refers to information recording the SDN switch at each hop of the path.
5. The method according to claim 4, wherein the Flow_ID of a TCP data packet is the IP, fragment offset and TCP sequence number fields; the Flow_ID of a UDP data flow is the five-tuple of source IP, destination IP, source port, destination port and protocol.
6. The method of claim 4, wherein the grouping in step 2) is based on the characteristics of the data packets or data flows to be traced.
7. The method of claim 1, wherein the network topology G in step 3) is obtained through the topology service module of the SDN.
8. The method of claim 1, wherein in step c), if the other end is a switch, NH_i is represented by Switch_ID and Input Port; if the other end is a host, its MAC is used as the Switch_ID and the Input Port is null.
CN201710160267.0A 2017-03-17 2017-03-17 SDN-based data flow tracing method Active CN107070895B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710160267.0A CN107070895B (en) 2017-03-17 2017-03-17 SDN-based data flow tracing method

Publications (2)

Publication Number Publication Date
CN107070895A CN107070895A (en) 2017-08-18
CN107070895B true CN107070895B (en) 2020-05-22

Family

ID=59621235

Country Status (1)

Country Link
CN (1) CN107070895B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109962879B (en) * 2017-12-22 2021-12-03 中国电信股份有限公司 Security defense method and controller for distributed reflective denial of service (DRDoS)
CN108540383A (en) * 2018-03-20 2018-09-14 大连理工大学 A kind of data packet transmission locus detection method based on software defined network
CN109150920A (en) * 2018-11-05 2019-01-04 南京邮电大学 A kind of attack detecting source tracing method based on software defined network
CN109977680A (en) * 2019-03-13 2019-07-05 北京国舜科技股份有限公司 A kind of business datum security risk recognition methods and system
CN110113328B (en) * 2019-04-28 2021-01-15 武汉理工大学 Software defined opportunistic network DDoS defense method based on block chain
CN113556309A (en) * 2020-04-23 2021-10-26 中国电信股份有限公司 Method for predicting attack scale
CN111586026B (en) * 2020-04-30 2021-01-29 广州市品高软件股份有限公司 Software defined boundary implementation method and system based on SDN
CN111565125B (en) * 2020-07-15 2020-10-09 成都数维通信技术有限公司 Method for acquiring message passing through network traffic path

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2441217A1 (en) * 2009-06-09 2012-04-18 Telefonaktiebolaget LM Ericsson (publ) Packet routing in a network
CN104852887B (en) * 2014-02-17 2019-03-15 上海宽带技术及应用工程研究中心 Network flow traceability system and method based on OpenFlow technology
CN105282169B (en) * 2015-11-04 2018-08-24 中国电子科技集团公司第四十一研究所 Ddos attack method for early warning based on SDN controller threshold values and its system
CN106027497A (en) * 2016-05-04 2016-10-12 山东大学 DDoS (Distributed Denial of Service) tracing and source end filtering method oriented to SDN (Software Defined Networking) and based on OpenFlow-DPM
CN106302006B (en) * 2016-08-05 2019-06-25 南京理工大学 A kind of dynamic source tracing method of the IP spoofing data packet based on SDN

Also Published As

Publication number Publication date
CN107070895A (en) 2017-08-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant