CN108712374A - Request control method, controller and electronic device - Google Patents


Publication number
CN108712374A
Authority
CN
China
Prior art keywords
user
request
controller
trust value
user request
Legal status
Pending
Application number
CN201810289664.2A
Other languages
Chinese (zh)
Inventor
张新玲
Current Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the present invention provide a request control method, a controller and an electronic device. A user request and state information are obtained, where the user request includes a user identifier and the state information describes whether the controller is attacked. When the user identifier belongs to the target list and the state information is attack, the trust value corresponding to the user identifier is reduced. The corresponding user request is then responded to according to the trust value. In this way, the controller can control responses to user requests according to the user's trust value and refuse to respond to user requests with high security risk, thereby ensuring network security.

Description

Request control method, controller and electronic equipment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a request control method, a controller, and an electronic device.
Background
In the field of cloud computing, SDN (Software Defined Network) is a commonly used network architecture. Its core idea is to separate the control plane from the data plane so that the network can be controlled flexibly. However, as networks have become more intelligent, network security has become an increasingly prominent issue for SDN networks in cloud computing.
In an SDN network, the core services and important configurations are deployed on the SDN controller. If the controller is attacked, the security of the whole network is affected, and in an extreme case the entire cloud computing data center network is paralyzed. A DoS (Denial of Service) attack, the most important technique of hackers, usually deliberately attacks defects in network protocol implementations or directly exhausts the resources of the attacked object by brute force (including network bandwidth, file system space, open processes and allowed connections). The aim is to make the target computer or network unable to provide normal service or resource access, so that the target system stops responding or even crashes. Such attacks cause resource shortage, and no matter how fast the computer's processing speed, how large its memory capacity or how high the network bandwidth, their consequences cannot be avoided.
SDN serves as the basic network of a cloud data center, and the OpenFlow protocol is the direct communication protocol between the controller and the switches. When a switch receives a new packet, it sends a packet-in request to the controller. After receiving the request, the controller calculates a routing path for the packet, then sends a packet-out request to the switch and instructs it to update its flow table information, so that a new flow path is established. Because a new packet has no related information in the existing flow table, the controller cannot match it and has to calculate the route and issue the flow table for it. If an attacker masquerades as a switch and sends a large number of new packets to the SDN controller, the controller is kept busy calculating routing paths, which occupies huge resources and bandwidth, seriously affects normal users, and can even bring the network down.
Therefore, how to defend against network attacks and thereby ensure the security of the target host is a technical problem that those skilled in the art continue to work on.
Disclosure of Invention
In view of the above-mentioned shortcomings of the prior art, an object of the present invention is to provide a request control method, a controller and an electronic device, which are used to solve the problem of poor network security in the prior art.
To achieve the above and other related objects, according to a first aspect of the present invention, an embodiment of the present invention provides a request control method, including:
acquiring a user request and state information, wherein the user request comprises a user identifier, and the state information is used for describing whether a controller is attacked or not;
when the user identification belongs to a target list and the state information is attack, reducing the trust value corresponding to the user identification;
and responding to a corresponding user request according to the trust value.
Optionally, before responding to the corresponding user request according to the trust value, the method further includes:
and when the user identification belongs to the target list and the state information is normal, increasing the trust value corresponding to the user identification.
Optionally, the method further comprises:
and when the user identifier does not belong to the target list, calculating the trust value of the user identifier according to the hardware performance of a physical host configured with the controller and the network environment of the controller, and adding the user identifier and the corresponding trust value to the target list.
Optionally, the method further comprises:
and when the request time interval of the user identification in the target list is larger than a time threshold, reducing the trust value of the user identification.
Optionally, the responding to the corresponding user request according to the trust value includes:
calculating a user request quantity threshold value according to the trust value;
and refusing to respond to the user request when the number of the user requests is larger than the request number threshold value.
Optionally, the responding to the corresponding user request according to the trust value includes:
and preferentially responding to the user request with high trust value from the plurality of user requests.
Optionally, the responding to the corresponding user request according to the trust value includes:
and when the trust value corresponding to the user identifier in the target list is smaller than the trust threshold, refusing to respond to the user request.
According to a second aspect of the present invention, an embodiment of the present invention provides a controller, including:
the acquisition module is used for acquiring a user request and state information, wherein the user request comprises a user identifier, and the state information is used for describing whether the controller is attacked or not;
the trust module is used for reducing the trust value corresponding to the user identifier when the user identifier belongs to the target list and the state information is attack;
and the response module is used for responding to the corresponding user request according to the trust value.
Optionally, the trust module is further configured to,
when the user identifier does not belong to the target list, calculate the trust value of the user identifier according to the hardware performance of the physical host configured with the controller and the network environment of the controller, and add the user identifier and the corresponding trust value to the target list.
According to a third aspect of the present invention, an embodiment of the present invention provides an electronic device, which includes a processor; and
a memory communicatively coupled to the processor; wherein,
the memory stores instructions executable by the processor to enable the processor to:
acquiring a user request and state information, wherein the user request comprises a user identifier, and the state information is used for describing whether a controller is attacked or not;
when the user identification belongs to a target list and the state information is attack, reducing the trust value corresponding to the user identification;
and responding to a corresponding user request according to the trust value.
As described above, the request control method, the controller and the electronic device provided in the embodiments of the present invention have the following beneficial effects: a user request and state information are obtained, where the user request includes a user identifier and the state information describes whether the controller is attacked; when the user identifier belongs to the target list and the state information is attack, the trust value corresponding to the user identifier is reduced; and the corresponding user request is responded to according to the trust value. Therefore, the controller can control responses to user requests according to the user's trust value and refuse to respond to user requests with high security risk, thereby ensuring network security.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a request control method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a user request response method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another request control method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a controller according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a hardware structure of an electronic device that executes a request control method according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiment of the present invention will be clearly and completely described below with reference to the drawings in the embodiment of the present invention, and it is obvious that the described embodiment is only a part of the embodiment of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Please refer to fig. 1 to 5. It should be noted that the drawings provided in the present embodiment are only for illustrating the basic idea of the present invention, and the drawings only show the components related to the present invention rather than being drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of each component in actual implementation may be changed arbitrarily, and the layout of the components may be more complicated.
The embodiments of the present application may be applied to a network system with any architecture; for clarity, they are described in detail taking an SDN network as an example. The SDN network is a novel network innovation architecture of the Emulex network and an implementation of network virtualization. Its core technology, OpenFlow, separates the control plane of network equipment from the data plane, which allows flexible control of network traffic and makes the network, acting as a pipeline, more intelligent. An SDN network generally includes OpenFlow switches, a FlowVisor (network virtualization layer) and a controller; the controller can discover the network topology through OpenFlow and the LLDP (Link Layer Discovery Protocol) protocol and control the response to user requests.
Referring to fig. 1, which is a schematic flowchart of a request control method provided in an embodiment of the present invention, as shown in fig. 1, an embodiment of the present invention shows a process of a controller implementing the request control method:
Step S101: obtain a user request and state information, where the user request includes a user identifier and the state information describes whether the controller is attacked.
In an exemplary embodiment, the user request may carry a user identifier, which is used to uniquely identify the user and/or the terminal that issued the user request. Moreover, in the embodiment of the present application, the controller may further monitor whether an attack is suffered and generate state information, or the controller may further receive state information returned by the network state monitoring device, where the state information is used to describe whether an attack behavior exists in the current SDN network.
Step S102: when the user identifier belongs to the target list and the state information is attack, reduce the trust value corresponding to the user identifier.
In this embodiment of the application, when the user identifier obtained in step S101 belongs to the target list and the state information shows that the current SDN network is under attack, the user request corresponding to the user identifier may come from an attacking user, so the trust value corresponding to the user identifier is reduced. In an exemplary embodiment, a first user identifier "a" and its corresponding first trust value "5" are recorded in the target list. When the obtained user request includes the first user identifier "a" and the state information shows that the current network is under attack, the first trust value of the first user identifier "a" in the target list may be reduced, for example by 1, so that it is updated to "4".
During specific implementation, the trust value corresponding to the user identifier can be dynamically adjusted, so that the flexibility and accuracy of request response are ensured.
In a first implementation case, when the user identifier belongs to the target list and the state information is normal, the trust value corresponding to the user identifier is increased. When the acquired user identifier is a second user identifier "B" that exists in the target list, and the acquired state information is normal, that is, no attack behavior exists in the current network, the second trust value corresponding to the second user identifier "B" can be increased. In an exemplary embodiment, when the second trust value is 5, it may be increased by 1, so that the second trust value of the second user identifier "B" is updated to "6" in the target list.
In a second implementation case, when a user sends fewer requests, the user's trust value can be reduced, so that the resource configuration used subsequently is optimized and efficiency is improved. In a specific implementation, the request time interval of each user identifier in the target list may be tracked: for example, the time at which each user request is received is recorded, and the request time interval is the time difference between two adjacent records. When the request time interval of a user identifier in the target list is larger than a time threshold, the trust value of that user identifier is reduced. In an exemplary implementation, the first trust value of the first user identifier "a" is "4" and its calculated request time interval is 20 hr; with a preset time threshold of 5 hr, the request time interval of the first user identifier "a" is greater than the time threshold, so the first trust value is decreased. In an exemplary embodiment, the first trust value may be decreased by 1, updating the first trust value of the first user identifier "a" to 3 in the target list.
In addition, it should be noted that the above adjustment of the trust value is only an exemplary embodiment; in a specific adjustment process the trust value may be increased or decreased linearly or exponentially according to the determination criterion, which is not described in detail in the embodiment of the present invention.
Step S103: respond to the corresponding user request according to the trust value.
In order to improve the response efficiency of the user request, the embodiment of the application responds to the corresponding user request according to the trust value.
In a first implementation case, the user request may be responded to according to the number of user requests. Fig. 2 is a schematic flowchart of a user request response method according to an embodiment of the present invention. As shown in fig. 2, the method comprises the following steps:
Step S1031: calculate a user request quantity threshold according to the trust value.
The user request quantity threshold represents an upper limit on the network resources that a user request can request. A mathematical relationship is established between the trust value and the user request quantity threshold; in an exemplary embodiment, the two may be configured to have a linear or exponential relationship, so that the trust value and the user request quantity threshold are positively correlated. Of course, the mathematical relationship between the trust value and the user request quantity threshold is not limited to the above linear or exponential relationship, and is not described in detail in the embodiments of the present application.
Step S1032: refuse to respond to the user request when the number of user requests is larger than the request quantity threshold.
A request quantity threshold is preset, and the resource configuration of the network is further optimized through it. In an exemplary embodiment, the controller receives a user request carrying a first user identifier, which indicates that the first user sent the request, and the first trust value of the first user identifier in the target list is 6; the user request quantity threshold corresponding to the first user identifier is then 300, meaning that the upper limit on the number of requests from the first user is 300. The user request can also carry the user request quantity, and the controller can obtain the user request quantity corresponding to the first user identifier by parsing the user request or extracting it from the user request. When the user request quantity is 200, it is smaller than the user request quantity threshold, so the user request of the first user identifier can be responded to; when the user request quantity is 400, it is greater than the user request quantity threshold and would put heavy pressure on the network, so the response to the user request of the first user identifier may be refused.
In a second implementation case, among a plurality of user requests, the one or more user requests with high trust values may be responded to preferentially. In a specific implementation, when a user request arrives, the controller may place it in a queue. In an exemplary embodiment, the queue may contain a first user request, a second user request and a third user request, corresponding to a first trust value, a second trust value and a third trust value respectively, with first trust value > second trust value > third trust value, so that the controller responds to the first, second and third user requests in that order. In addition, because the capacity of the queue may be limited, when the capacity of the queue is 3 and the fourth trust value of a fourth user request is greater than the third trust value, the third user request may be deleted from the queue and replaced by the fourth user request, so that user requests with high trust values are responded to preferentially.
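The capacity-limited queue of this second implementation case can be sketched as follows. This is an added example, not code from the patent; the class name TrustQueue, the request labels and the tie-breaking rules (first come, first served among equal trust values; a newcomer is discarded unless its trust value is strictly greater than the lowest one queued) are assumptions.

```python
import heapq
import itertools


class TrustQueue:
    """Fixed-capacity queue that serves the highest trust value first."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._heap = []                 # min-heap of (trust, -seq, request)
        self._seq = itertools.count()   # arrival order, used to break ties

    def offer(self, request, trust):
        """Queue a request. Returns the request that was discarded, or None."""
        entry = (trust, -next(self._seq), request)
        if len(self._heap) < self.capacity:
            heapq.heappush(self._heap, entry)
            return None
        lowest_trust = self._heap[0][0]
        if trust > lowest_trust:
            # Replace the lowest-trust entry (the newest one among equals).
            return heapq.heapreplace(self._heap, entry)[2]
        return request                  # queue full, newcomer not trusted enough

    def drain(self):
        """Remove and return all requests, highest trust first, FIFO on ties."""
        ordered = sorted(self._heap, key=lambda e: (-e[0], -e[1]))
        self._heap = []
        return [request for _, _, request in ordered]


def demo():
    # Constructed sample: capacity 3 and a fourth request that outranks the third.
    q = TrustQueue(capacity=3)
    discarded = [q.offer(name, trust) for name, trust in
                 [("first", 6), ("second", 5), ("third", 4), ("fourth", 5)]]
    return discarded, q.drain()


if __name__ == "__main__":
    print(demo())
```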
In a third implementation case, the user request may be responded to directly based on the trust value of the user. In an exemplary embodiment, when the trust value corresponding to the user identifier in the target list is smaller than the trust threshold, the response to the user request is refused. In a specific implementation, a reject list can also be established: when the trust value corresponding to a user identifier is smaller than the trust threshold, that user identifier is added to the reject list; then, after obtaining a user identifier, if it belongs to the reject list, the controller may refuse to respond to the corresponding user request.
As can be seen from the description of the above embodiment, in the request control method provided in the embodiment of the present invention, a user request and state information are obtained, where the user request includes a user identifier and the state information describes whether the controller is attacked; when the user identifier belongs to the target list and the state information is attack, the trust value corresponding to the user identifier is reduced; and the corresponding user request is responded to according to the trust value. Therefore, the controller can control responses to user requests according to the user's trust value and refuse to respond to user requests with high security risk, thereby ensuring network security.
Fig. 3 is a schematic flow chart of another request control method according to an embodiment of the present invention. As shown in fig. 3, on the basis of the request control method shown in fig. 1, the embodiment of the present invention shows a process of initializing a target list:
Step S201: obtain a user request and state information, where the user request includes a user identifier and the state information describes whether the controller is attacked.
Step S202: when the user identifier does not belong to the target list, calculate the trust value of the user identifier according to the hardware performance of the physical host configured with the controller and the network environment of the controller, and add the user identifier and the corresponding trust value to the target list.
When a user request reaches the controller, the controller obtains the user identifier in the user request. If the user identifier is not found when traversing the target list, the user is judged to be a new user. A host composite index Q is obtained from the hardware performance of the physical host used by the controller, a network stability index R is obtained from the network environment where the controller is located, and the initial trust value F(V) of the new user is calculated from these two indexes using the following formula:
F(V)=μ×Q+η×R,
where μ is a weight coefficient of the host composite index Q, and η is a weight coefficient of the network stability index R.
It should be noted that, in an exemplary embodiment, Q may be calculated by extracting the hardware information (processor main frequency, memory capacity, hard disk read-write speed) of the host on which the controller is located and computing a host composite index with a hardware evaluation tool; the network stability index R may be calculated by monitoring the network speed and using indexes such as the average network speed and the drop frequency; and μ and η may be preset to any values, which is not described in detail in the embodiment of the present invention.
Step S203: when the user identifier belongs to the target list and the state information is attack, reduce the trust value corresponding to the user identifier.
Step S204: respond to the corresponding user request according to the trust value.
As can be seen from the description of the above embodiment, according to another system recovery method provided by the embodiment of the present invention, a new user request is calculated and evaluated according to two dimensions, namely, the controller host performance and the network stability, and the trust value of the user request is determined, so that the method has high accuracy, and further can improve the network security.
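The flow of steps S201 to S204, together with the trust adjustments and the request quantity and trust thresholds described earlier, can be put together as in the following added example. It is not code from the patent: the class and function names, the constants (μ = η = 0.5, a step of 1, a trust threshold of 3, 50 requests per unit of trust so that a trust value of 6 gives the threshold 300) and the decision that a new user keeps F(V) unchanged on the first request are assumptions, and the user identifier is assumed to have been authenticated before it reaches this logic.

```python
from dataclasses import dataclass, field

# All constants are assumptions: the patent leaves the concrete values open.
MU, ETA = 0.5, 0.5         # weights of Q and R in F(V) = mu*Q + eta*R
STEP = 1                   # linear adjustment step (the "5 -> 4" example)
TIME_THRESHOLD_HR = 5      # request time interval threshold
TRUST_THRESHOLD = 3        # below this the user is put on the reject list
REQUESTS_PER_TRUST = 50    # linear mapping chosen so that trust 6 -> 300


def request_threshold(trust):
    """S1031: request quantity threshold, positively correlated with trust."""
    return max(0, int(REQUESTS_PER_TRUST * trust))


@dataclass
class TrustController:
    host_index_q: float                                  # host composite index Q
    net_index_r: float                                   # network stability index R
    target_list: dict = field(default_factory=dict)      # user id -> trust value
    last_request_hr: dict = field(default_factory=dict)  # user id -> last request time
    reject_list: set = field(default_factory=set)

    def initial_trust(self):
        """S202: F(V) = mu*Q + eta*R for a user not yet in the target list."""
        return MU * self.host_index_q + ETA * self.net_index_r

    def on_interval(self, user_id, now_hr):
        """Lower trust of a listed user whose request interval is too long."""
        previous = self.last_request_hr.get(user_id)
        self.last_request_hr[user_id] = now_hr
        if previous is not None and now_hr - previous > TIME_THRESHOLD_HR:
            self.target_list[user_id] -= STEP
        return self.target_list[user_id]

    def on_state(self, user_id, under_attack):
        """S203: lower trust under attack, raise it when the state is normal."""
        self.target_list[user_id] += -STEP if under_attack else STEP
        return self.target_list[user_id]

    def decide(self, user_id, request_count):
        """S204: trust threshold first, then the request quantity threshold."""
        trust = self.target_list[user_id]
        if trust < TRUST_THRESHOLD:
            self.reject_list.add(user_id)
            return "reject: trust below threshold"
        if request_count > request_threshold(trust):
            return "reject: request quantity above threshold"
        return "respond"

    def handle(self, user_id, request_count, under_attack, now_hr):
        """One pass of S201-S204 for a single user request."""
        if user_id in self.reject_list:
            return "reject: on reject list"
        if user_id in self.target_list:
            self.on_interval(user_id, now_hr)
            self.on_state(user_id, under_attack)
        else:
            # Assumption: a new user keeps F(V) unchanged on the first request.
            self.target_list[user_id] = self.initial_trust()
            self.last_request_hr[user_id] = now_hr
        return self.decide(user_id, request_count)


def demo():
    # Constructed scenario: Q = 6 and R = 4 give an initial trust value of 5.
    c = TrustController(host_index_q=6, net_index_r=4)
    log = [
        c.handle("a", 200, under_attack=False, now_hr=0),   # new user, trust 5
        c.handle("a", 200, under_attack=True, now_hr=1),    # attack: 5 -> 4
        c.handle("a", 10, under_attack=True, now_hr=21),    # 20 hr gap and attack: 4 -> 2
        c.handle("a", 10, under_attack=False, now_hr=22),   # already on the reject list
    ]
    return log, c.target_list["a"]


if __name__ == "__main__":
    print(demo())
```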
Through the above description of the method embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media that can store program codes, such as Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and so on.
Corresponding to the embodiment of the request control method provided by the invention, the invention also provides a controller for request control.
Referring to fig. 4, which is a schematic structural diagram of a controller according to an embodiment of the present invention, as shown in fig. 4, the controller includes:
an obtaining module 11, configured to obtain a user request and state information, where the user request includes a user identifier, and the state information is used to describe whether a controller is attacked;
the trust module 12 is configured to reduce a trust value corresponding to the user identifier when the user identifier belongs to the target list and the state information is an attack;
and the response module 13 is configured to respond to a corresponding user request according to the trust value.
In order to implement dynamic adjustment of the trust value, in a first implementation, the trust module 12 may be configured to, when the user identifier belongs to the target list and the status information is normal, increase the trust value corresponding to the user identifier.
In a second implementation case, the trust module 12 may be further configured to decrease the trust value of the user identifier when the request time interval of the user identifier in the target list is greater than a time threshold.
In order to control the response to user requests, in a first implementation case, the response module 13 may be further configured to calculate a user request quantity threshold according to the trust value, and to refuse to respond to the user request when the number of user requests is larger than the request quantity threshold.
In a second implementation case, the response module 13 may be further configured to preferentially respond to the user request with a high trust value from among a plurality of user requests.
In a third implementation case, the response module 13 may be further configured to refuse to respond to the user request when the trust value corresponding to the user identifier in the target list is smaller than the trust threshold.
In addition, when the user identifier does not belong to the target list, the trust module 12 may be further configured to calculate a trust value of the user identifier according to a hardware performance of a physical host configured with the controller and a network environment of the controller, and add the user identifier and a corresponding trust value to the target list.
The embodiment of the invention also provides a nonvolatile computer storage medium, wherein the computer storage medium stores computer executable instructions which can execute the request control method in any method embodiment.
Fig. 5 is a schematic diagram of a hardware structure of an electronic device executing a request control method according to an embodiment of the present invention, and as shown in fig. 5, the electronic device includes:
one or more processors 510 and memory 520, with one processor 510 being an example in fig. 5.
The apparatus for performing the request control may further include: an input device 530 and an output device 540.
The processor 510, the memory 520, the input device 530, and the output device 540 may be connected by a bus or other means, and the bus connection is exemplified in fig. 5.
The memory 520, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules (e.g., the obtaining module 11, the trust module 12, and the response module 13 shown in fig. 4) corresponding to the request control method in the embodiment of the present invention. The processor 510 executes various functional applications of the server and data processing, i.e., implements the request control method of the above-described method embodiment, by executing the nonvolatile software program, instructions, and modules stored in the memory 520.
The memory 520 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function; the data storage area may store data created through use of the request control processing device, and the like. Further, the memory 520 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, the memory 520 may optionally include memory located remotely from the processor 510, which may be connected to the request control processing device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 530 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the request control processing device. The output device 540 may include a display device such as a display screen.
The one or more modules are stored in the memory 520 and, when executed by the one or more processors 510, perform the request control method of any of the method embodiments described above.
The product can execute the method provided by the embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to the method provided by the embodiment of the present invention.
The electronic device of embodiments of the present invention exists in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.
(2) An ultra-mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device includes audio and video players (e.g., iPods), handheld game consoles, e-book readers, smart toys, and portable car navigation devices.
(4) A server: a device that provides computing services, comprising a processor, a hard disk, a memory, a system bus and the like. A server is similar in architecture to a general-purpose computer, but has higher requirements on processing capacity, stability, reliability, security, scalability, manageability and the like, because it needs to provide highly reliable services.
(5) Other electronic devices with data interaction functions.
The above-described embodiments of the apparatus are merely illustrative; the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, they may be located in one place or distributed over a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment.
The embodiments in this specification are described in a progressive manner; identical or similar parts of the embodiments may be cross-referenced, and each embodiment focuses on its differences from the others. In particular, because the apparatus and system embodiments are substantially similar to the method embodiments, they are described only briefly, and the relevant details can be found in the corresponding parts of the method embodiments. The above-described embodiments of the apparatus and system are merely illustrative; the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, that is, they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present invention, which enable those skilled in the art to understand or practice the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A request control method, comprising the steps of:
acquiring a user request and state information, wherein the user request comprises a user identifier, and the state information is used for describing whether a controller is attacked or not;
when the user identification belongs to a target list and the state information is attack, reducing the trust value corresponding to the user identification;
and responding to a corresponding user request according to the trust value.
2. The request control method of claim 1, wherein before responding to the corresponding user request according to the trust value, the method further comprises:
and when the user identification belongs to the target list and the state information is normal, increasing the trust value corresponding to the user identification.
3. The request control method according to claim 1, further comprising:
and when the user identifier does not belong to the target list, calculating the trust value of the user identifier according to the hardware performance of a physical host configured with the controller and the network environment of the controller, and adding the user identifier and the corresponding trust value to the target list.
4. The request control method according to claim 1, further comprising:
and when the request time interval of the user identification in the target list is larger than a time threshold, reducing the trust value of the user identification.
5. The method of claim 1, wherein responding to a corresponding user request according to the trust value comprises:
calculating a user request quantity threshold value according to the trust value;
and refusing to respond to the user request when the number of the user requests is larger than the request number threshold value.
6. The method of claim 1, wherein responding to a corresponding user request according to the trust value comprises:
and preferentially responding to the user request with high trust value from the plurality of user requests.
7. The method of claim 1, wherein responding to a corresponding user request according to the trust value comprises:
and when the trust value corresponding to the user identifier in the target list is smaller than the trust threshold, refusing to respond to the user request.
8. A controller, comprising:
an acquisition module, configured to acquire a user request and state information, wherein the user request comprises a user identifier, and the state information is used for describing whether a controller is attacked or not;
the trust module is used for reducing the trust value corresponding to the user identifier when the user identifier belongs to the target list and the state information is attack;
and the response module is used for responding to the corresponding user request according to the trust value.
9. The controller of claim 8, wherein the trust module is further configured to,
and when the user identifier does not belong to the target list, calculating the trust value of the user identifier according to the hardware performance of a physical host configured with the controller and the network environment of the controller, and adding the user identifier and the corresponding trust value to the target list.
10. An electronic device, characterized in that the electronic device comprises a processor; and
a memory communicatively coupled to the processor; wherein,
the memory stores instructions executable by the processor to enable the processor to:
acquiring a user request and state information, wherein the user request comprises a user identifier, and the state information is used for describing whether a controller is attacked or not;
when the user identification belongs to a target list and the state information is attack, reducing the trust value corresponding to the user identification;
and responding to a corresponding user request according to the trust value.
CN201810289664.2A 2018-04-03 2018-04-03 A kind of request control method, controller and electronic equipment Pending CN108712374A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810289664.2A CN108712374A (en) 2018-04-03 2018-04-03 A kind of request control method, controller and electronic equipment


Publications (1)

Publication Number Publication Date
CN108712374A true CN108712374A (en) 2018-10-26

Family

ID=63867113




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20181026