CN108965252A - OpenFlow-based network-layer moving target defense method and system - Google Patents


Publication number: CN108965252A
Authority: CN (China)
Prior art keywords: hopping, header information, packet header, data packet, policy
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201810588919.5A
Other languages: Chinese (zh)
Inventors: 尚凌辉, 陈鑫, 叶淑阳
Current and original assignee: Zhejiang Zechk Artificial Intelligence Research And Development Co Ltd (as listed by Google Patents)

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication)
    • H04L63/02 Network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/14 Network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/20 Network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an OpenFlow-based network-layer moving target defense (MTD) method comprising: address acquisition, construction of the initial packet header information, a first IP hop, a first port hop, a second port hop, a second IP hop, and communication with the destination node. The method needs no third-party software to achieve protection that is transparent to the upper layer, requires no modification of upper-layer applications, keeps the information emitted by a node constantly moving and changing, and thereby effectively frustrates an attacker.

Description

OpenFlow-based network-layer moving target defense method and system
Technical field
The present invention relates to the field of network information defense, and in particular to an OpenFlow-based network-layer moving target defense method and system.
Background technique
In recent years, with the occurrence of many security incidents of wide-ranging harm (PRISM, the OpenSSL Heartbleed bug), network security has once again received broad attention. Traditional network security technology generally relies on passive defense (firewalls, intrusion detection and the like). Such techniques usually leave the protected target exposed, and detection and protection presuppose that an attack has already happened. This is very unfavorable to the protector, who is always in a passive defensive position. Active defense technology is a means of letting the protector take the initiative in the attack-defense game, and moving target defense (MTD) is an important research direction within it. MTD is a new defense technique whose main purpose is to keep the protected target constantly moving and changing as seen from the outside, so that it is hard for the attacker to hit, and protection is achieved in this way. Scholars at home and abroad have researched MTD, but existing results mostly rely on third-party software to achieve protection that is transparent to the upper layer, so that the upper-layer application must be modified accordingly, while schemes that do not use third-party software are incompatible with existing networks.
Summary of the invention
To overcome the deficiencies of the prior art, a first object of the present invention is to provide an OpenFlow-based network-layer moving target defense method that solves the problem that existing results mostly rely on third-party software to achieve protection transparent to the upper layer, so that upper-layer applications must be modified, while schemes that do not use third-party software are incompatible with existing networks.
A second object of the present invention is to provide an OpenFlow-based network-layer moving target defense system that solves the same problem: existing results mostly rely on third-party software to achieve protection transparent to the upper layer and require modification of upper-layer applications, while schemes without third-party software are incompatible with existing networks.
The first object of the present invention is achieved by the following technical solution:
An OpenFlow-based network-layer moving target defense method, comprising:
Address acquisition: obtaining the network address information of the source node and, by querying the DNS server in the source local area network (LAN), the destination address information containing the public network address of the destination node;
Construction of the initial packet header information: constructing the initial packet header information from the network address information and the destination address information;
First IP hop: the initial packet header information is sent to the first OpenFlow switch in the source LAN, which forwards it to the first MTD controller in the source LAN; the first MTD controller and the first OpenFlow switch apply a first IP hop to the initial packet header information to obtain the first packet header information;
First port hop: the first OpenFlow switch sends the first packet header information to the first gateway switch in the source LAN; the first gateway switch and the first MTD controller apply a first port hop to the first packet header information to obtain the second packet header information;
Second port hop: the first gateway switch sends the second packet header information over the Internet to the second gateway switch in the destination LAN; the second gateway switch and the second MTD controller in the destination LAN apply a second port hop to the second packet header information to obtain the third packet header information;
Second IP hop: the second OpenFlow switch and the second MTD controller in the destination LAN apply a second IP hop to the third packet header information to obtain the fourth packet header information;
Destination node communication: the second OpenFlow switch sends the fourth packet header information to the destination node, which parses it to complete the communication between the source node and the destination node.
Further, the first IP hop processing is specifically: the first MTD controller generates a first IP-hopping policy according to the IP-hopping policy cycle generation algorithm; the first MTD controller sends the first IP-hopping policy to the first OpenFlow switch, and the first OpenFlow switch modifies the initial packet header information according to the first IP-hopping policy to obtain the first packet header information.
Further, the first port hop processing is specifically: the first MTD controller generates a first port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm; the first MTD controller sends the first port-hopping policy to the first gateway switch, and the first gateway switch modifies the first packet header information according to the first port-hopping policy to obtain the second packet header information.
Further, the second port hop processing is specifically: the second MTD controller generates a second port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm; the second MTD controller sends the second port-hopping policy to the second gateway switch, and the second gateway switch modifies the second packet header information according to the second port-hopping policy to obtain the third packet header information.
Further, the second IP hop processing is specifically: the second MTD controller generates a second IP-hopping policy according to the IP-hopping policy cycle generation algorithm; the second MTD controller sends the second IP-hopping policy to the second OpenFlow switch, and the second OpenFlow switch modifies the third packet header information according to the second IP-hopping policy to obtain the fourth packet header information.
Further, the initial packet header information includes the network address information of the source node, the destination address information, the source port and the protocol type.
The second object of the present invention is achieved by the following technical solution:
An OpenFlow-based network-layer moving target defense system, comprising a source LAN component and a destination LAN component that are communicatively connected over the Internet. The source LAN component includes a first OpenFlow switch, a first MTD controller, a DNS server, an address acquisition module and a first gateway switch; the destination LAN component includes a second OpenFlow switch, a second gateway switch and a second MTD controller.
The address acquisition module obtains the network address information of the source node and, by querying the DNS server, the destination address information containing the public network address of the destination node; it constructs the initial packet header information from the network address information and the destination address information and sends it to the first OpenFlow switch. The first OpenFlow switch forwards the initial packet header information to the first MTD controller; the first MTD controller and the first OpenFlow switch apply the first IP hop to it to obtain the first packet header information. The first OpenFlow switch sends the first packet header information to the first gateway switch; the first gateway switch and the first MTD controller apply the first port hop to it to obtain the second packet header information. The first gateway switch sends the second packet header information over the Internet to the second gateway switch; the second gateway switch and the second MTD controller apply the second port hop to it to obtain the third packet header information. The second OpenFlow switch and the second MTD controller apply the second IP hop to the third packet header information to obtain the fourth packet header information. The second OpenFlow switch sends the fourth packet header information to the destination node, which parses it to complete the communication between the source node and the destination node.
Further, the first IP hop processing is specifically that the first MTD controller generates the first IP-hopping policy according to the IP-hopping policy cycle generation algorithm and sends it to the first OpenFlow switch, which modifies the initial packet header information according to the first IP-hopping policy to obtain the first packet header information; the first port hop processing is specifically that the first MTD controller generates the first port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm and sends it to the first gateway switch, which modifies the first packet header information according to the first port-hopping policy to obtain the second packet header information.
The first MTD controller includes a first IP-hopping module and a first port-hopping module; the first IP-hopping module generates the first IP-hopping policy according to the IP-hopping policy cycle generation algorithm, and the first port-hopping module generates the first port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm.
Further, the second port hop processing is specifically that the second MTD controller generates the second port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm and sends it to the second gateway switch, which modifies the second packet header information according to the second port-hopping policy to obtain the third packet header information; the second IP hop processing is specifically that the second MTD controller generates the second IP-hopping policy according to the IP-hopping policy cycle generation algorithm and sends it to the second OpenFlow switch, which modifies the third packet header information according to the second IP-hopping policy to obtain the fourth packet header information.
The second MTD controller includes a second IP-hopping module and a second port-hopping module; the second IP-hopping module generates the second IP-hopping policy according to the IP-hopping policy cycle generation algorithm, and the second port-hopping module generates the second port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm.
Further, the system includes a sync server; the first MTD controller further includes a first synchronization module, and the second MTD controller includes a second synchronization module. The sync server is connected to the first synchronization module and to the second synchronization module respectively, and through them synchronizes the data information of the source LAN component and the destination LAN component.
Compared with the prior art, the beneficial effects of the present invention are as follows. The OpenFlow-based network-layer moving target defense method of the invention, built on a software-defined networking architecture, applies a hopping policy to the network address information exchanged between nodes in different domains so that network addresses move logically, and applies a port-hopping policy to the traffic of cross-domain nodes so that the system's use of ports is defended all round. The method needs no third-party software to achieve protection transparent to the upper layer, requires no modification of upper-layer applications, keeps the information emitted by a node constantly moving and changing, and thereby effectively frustrates an attacker.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be better understood and implemented in accordance with the contents of the specification, the preferred embodiments of the present invention are described in detail below together with the accompanying drawings. Specific embodiments of the present invention are shown in detail by the following examples and drawings.
Detailed description of the invention
The drawings described herein are used to provide a further understanding of the present invention and constitute part of this application; the illustrative embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of the OpenFlow-based network-layer moving target defense method of the present invention;
Fig. 2 is a connection diagram of the OpenFlow-based network-layer moving target defense system of the present invention.
Specific embodiment
In the following, the present invention is further described with reference to the drawings and specific embodiments. It should be noted that, provided they do not conflict, the embodiments described below, or the technical features within them, may be combined in any way to form new embodiments.
As shown in Fig. 1, the OpenFlow-based network-layer moving target defense method of the present invention specifically includes the following steps:
Address acquisition: obtain the network address information of the source node and, by querying the DNS server in the source LAN, the destination address information containing the public network address of the destination node;
Construction of the initial packet header information: construct the initial packet header information from the network address information and the destination address information;
First IP hop: the initial packet header information is sent to the first OpenFlow switch in the source LAN, which forwards it to the first MTD controller in the source LAN; the first MTD controller and the first OpenFlow switch apply the first IP hop to the initial packet header information to obtain the first packet header information. Specifically, the first MTD controller generates the first IP-hopping policy according to the IP-hopping policy cycle generation algorithm and sends it to the first OpenFlow switch, which modifies the initial packet header information according to the first IP-hopping policy to obtain the first packet header information.
First port hop: the first OpenFlow switch sends the first packet header information to the first gateway switch in the source LAN; the first gateway switch and the first MTD controller apply the first port hop to it to obtain the second packet header information. Specifically, the first MTD controller generates the first port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm and sends it to the first gateway switch, which modifies the first packet header information according to the first port-hopping policy to obtain the second packet header information.
Second port hop: the first gateway switch sends the second packet header information over the Internet to the second gateway switch in the destination LAN; the second gateway switch and the second MTD controller in the destination LAN apply the second port hop to it to obtain the third packet header information. Specifically, the second MTD controller generates the second port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm and sends it to the second gateway switch, which modifies the second packet header information according to the second port-hopping policy to obtain the third packet header information.
Second IP hop: the second OpenFlow switch and the second MTD controller in the destination LAN apply the second IP hop to the third packet header information to obtain the fourth packet header information. Specifically, the second MTD controller generates the second IP-hopping policy according to the IP-hopping policy cycle generation algorithm and sends it to the second OpenFlow switch, which modifies the third packet header information according to the second IP-hopping policy to obtain the fourth packet header information.
Destination node communication: the second OpenFlow switch sends the fourth packet header information to the destination node, which parses it to complete the communication between the source node and the destination node. The initial packet header information includes the network address information of the source node, the destination address information, the source port and the protocol type.
The OpenFlow-based network-layer moving target defense method of the foregoing invention is illustrated in this embodiment as follows:
Assume that the source node is A and the destination node is B, with A and B located in the source LAN and the destination LAN respectively; the source LAN and the destination LAN are connected through the Internet, and a sync server is deployed at the Internet egress of that connection. When node A initiates a connection to node B for the first time, node A first queries the DNS server in the source LAN for the public network address of node B. Node A then constructs the communication packet, whose header information includes the source IP address, source port, destination IP address, destination port and protocol type, expressed as the packet five-tuple {sIP, sPort, dIP, dPort, protocol}: sIP is the source IP address, i.e. the network address of node A; sPort is the source port, i.e. the port of node A; dIP is the destination IP address, i.e. the address of node B; dPort is the destination port, i.e. the port of node B; protocol is the protocol type. Within the source LAN the packet header information is transmitted in IP-hopping mode: at every hop the OpenFlow switch in the source LAN changes the source IP address and the destination IP address. When the data reaches the gateway switch in the source LAN, the gateway switch forwards a query packet containing the five-tuple to the MTD controller in the source LAN; the MTD controller in the source LAN randomly generates a port-hopping policy by its algorithm and issues it to the gateway switch in the source LAN, and at the same time synchronizes the port-hopping policy to the sync server located in the Internet. According to the hopping policy, the gateway switch in the source LAN rewrites the source IP to the public IP of the source LAN and the source port to the random port given in the forwarding policy. When the packet has been transmitted over the Internet to the gateway switch of the destination LAN, that gateway switch sends the five-tuple header information of the received packet to the MTD controller in the destination LAN and queries the forwarding policy. The controller in the destination LAN synchronizes the port-hopping information of each domain with the sync server in real time, computes from the algorithm and the current time the forwarding rule that restores the packet, and then issues that forwarding rule to the corresponding switch in the destination LAN. As the packet is transmitted within the destination LAN, the IP-hopping policy is likewise used to keep modifying its source and destination addresses. Finally it is delivered to node B, completing the whole communication process.
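The following Python script is an added example and is not the patent's code or the applicant's implementation. It simulates, on five-tuples, the header rewriting of the method described above (first IP hop, first port hop, second port hop, second IP hop), and so covers both the steps listed in the summary and the A-to-B walk-through just given. Everything the patent leaves unspecified is an assumption here: HMAC-SHA256 over a shared key and a time slot stands in for the "policy cycle generation algorithm", the cross-domain key is taken to be what the sync server distributes to both MTD controllers, policies change every HOP_PERIOD seconds, and the destination gateway also accepts the previous slot's policy so that a packet in flight across a slot boundary is not dropped. All addresses, ports and keys are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import random
from dataclasses import dataclass, replace
from typing import Optional

HOP_PERIOD = 5.0  # seconds per hopping-policy slot (assumed value, not from the patent)


@dataclass(frozen=True)
class FiveTuple:
    """Packet header five-tuple {sIP, sPort, dIP, dPort, protocol}."""
    sip: str
    sport: int
    dip: str
    dport: int
    proto: str


def slot_of(t: float) -> int:
    """Policy slot for wall-clock time t; each domain derives it from its own clock."""
    return int(t // HOP_PERIOD)


def prf(key: bytes, label: str, slot: int) -> int:
    """Keyed per-slot value; stands in for the patent's policy cycle generation algorithm."""
    mac = hmac.new(key, f"{label}|{slot}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


class MtdController:
    """MTD controller of one LAN (assumed design). It computes the IP-hopping policy the
    LAN's OpenFlow switch applies (hosts <-> virtual addresses from pool, per slot) and the
    cross-domain port-hopping policy the LAN's gateway switch applies (keyed with xkey)."""

    def __init__(self, public_ip: str, ip_key: bytes, hosts: list[str], pool: list[str],
                 xkey: bytes, services: frozenset[int], nat: dict[str, str]):
        assert len(pool) >= len(hosts) and not set(pool) & set(hosts)
        self.public_ip, self.ip_key, self.hosts, self.pool = public_ip, ip_key, hosts, pool
        self.xkey, self.services, self.nat = xkey, services, nat  # nat: public IP -> LAN host

    # IP hopping, executed by the intra-LAN OpenFlow switch
    def _ip_table(self, slot: int) -> dict[str, str]:
        vips = self.pool[:]
        random.Random(prf(self.ip_key, "ip", slot)).shuffle(vips)  # keyed permutation of the pool
        return dict(zip(self.hosts, vips))

    def ip_hop(self, pkt: FiveTuple, slot: int) -> FiveTuple:
        t = self._ip_table(slot)
        return replace(pkt, sip=t.get(pkt.sip, pkt.sip), dip=t.get(pkt.dip, pkt.dip))

    def ip_unhop(self, pkt: FiveTuple, slot: int) -> FiveTuple:
        inv = {v: k for k, v in self._ip_table(slot).items()}
        return replace(pkt, sip=inv.get(pkt.sip, pkt.sip), dip=inv.get(pkt.dip, pkt.dip))

    # Port hopping, executed by the gateway switch; a bijection on ports 1..65535
    def port_hop(self, port: int, label: str, slot: int, inverse: bool = False) -> int:
        k = prf(self.xkey, label, slot)
        return 1 + (port - 1 + (-k if inverse else k)) % 65535

    def egress(self, pkt: FiveTuple, slot: int) -> FiveTuple:
        """Source gateway: recover the real addresses, NAT to the LAN public IP, hop both ports."""
        real = self.ip_unhop(pkt, slot)
        return replace(real, sip=self.public_ip,
                       sport=self.port_hop(real.sport, "sport", slot),
                       dport=self.port_hop(real.dport, "dport", slot))

    def ingress(self, pkt: FiveTuple, slot: int) -> Optional[FiveTuple]:
        """Destination gateway: undo the port hop with the current slot, then the previous one
        (grace for packets crossing a slot boundary). Anything that does not restore to a
        permitted service is dropped, so probing the real port on the public IP is filtered."""
        real_dip = self.nat.get(pkt.dip)
        if real_dip is None:
            return None
        for s in (slot, slot - 1):
            dport = self.port_hop(pkt.dport, "dport", s, inverse=True)
            if dport in self.services:
                return replace(pkt, dip=real_dip, dport=dport,
                               sport=self.port_hop(pkt.sport, "sport", s, inverse=True))
        return None


def deliver(pkt: FiveTuple, src: MtdController, dst: MtdController,
            t_send: float, t_recv: float) -> Optional[FiveTuple]:
    """Run one packet through the four hops; returns what node B sees, or None if dropped."""
    s_tx, s_rx = slot_of(t_send), slot_of(t_recv)
    first = src.ip_hop(pkt, s_tx)       # first IP hop (source LAN OpenFlow switch)
    second = src.egress(first, s_tx)    # first port hop (source gateway switch)
    third = dst.ingress(second, s_rx)   # second port hop (destination gateway switch)
    if third is None:
        return None
    fourth = dst.ip_hop(third, s_rx)    # second IP hop (destination LAN OpenFlow switch)
    return dst.ip_unhop(fourth, s_rx)   # restored by the last switch before node B


# Constructed sample topology: A in the source LAN talks to B's public address.
XKEY = b"constructed cross-domain key distributed by the sync server"
SRC = MtdController("203.0.113.10", b"constructed source LAN key",
                    hosts=["10.0.0.5", "198.51.100.7"],  # A, and B's public IP learnt via DNS
                    pool=["10.0.255.1", "10.0.255.2", "10.0.255.3"],
                    xkey=XKEY, services=frozenset(), nat={})
DST = MtdController("198.51.100.7", b"constructed destination LAN key",
                    hosts=["10.1.0.20", "203.0.113.10"],  # B, and the source LAN's public IP
                    pool=["10.1.255.1", "10.1.255.2", "10.1.255.3"],
                    xkey=XKEY, services=frozenset({22, 443}),
                    nat={"198.51.100.7": "10.1.0.20"})
A_TO_B = FiveTuple("10.0.0.5", 51000, "198.51.100.7", 443, "tcp")

if __name__ == "__main__":
    s = slot_of(1000.0)
    print("seen inside source LAN:", SRC.ip_hop(A_TO_B, s))
    print("seen on the Internet  :", SRC.egress(SRC.ip_hop(A_TO_B, s), s))
    print("received by node B    :", deliver(A_TO_B, SRC, DST, 1000.0, 1000.0))
```

In a deployment the two rewrites would be installed as OpenFlow flow entries with set-field actions and a hard timeout of one slot rather than computed per packet, but the properties the simulation exposes carry over: an observer inside either LAN sees only pool addresses, the Internet sees only the gateways' public IPs and hopped ports, a probe of the real service port on the public IP is dropped unless it happens to coincide with the current slot's policy, and clock skew between the two domains must stay below the grace window or legitimate traffic is dropped as well.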
As shown in Fig. 2, the present invention provides an OpenFlow-based network-layer moving target defense system comprising a source LAN component and a destination LAN component that are communicatively connected over the Internet. The source LAN component includes a first OpenFlow switch, a first MTD controller, a DNS server, an address acquisition module and a first gateway switch; the destination LAN component includes a second OpenFlow switch, a second gateway switch and a second MTD controller.
The address acquisition module obtains the network address information of the source node and, by querying the DNS server, the destination address information containing the public network address of the destination node; it constructs the initial packet header information from the network address information and the destination address information and sends it to the first OpenFlow switch. The first OpenFlow switch forwards the initial packet header information to the first MTD controller; the first MTD controller and the first OpenFlow switch apply the first IP hop to it to obtain the first packet header information. The first OpenFlow switch sends the first packet header information to the first gateway switch; the first gateway switch and the first MTD controller apply the first port hop to it to obtain the second packet header information. The first gateway switch sends the second packet header information over the Internet to the second gateway switch; the second gateway switch and the second MTD controller apply the second port hop to it to obtain the third packet header information. The second OpenFlow switch and the second MTD controller apply the second IP hop to the third packet header information to obtain the fourth packet header information. The second OpenFlow switch sends the fourth packet header information to the destination node, which parses it to complete the communication between the source node and the destination node.
The first IP hop processing is specifically that the first MTD controller generates the first IP-hopping policy according to the IP-hopping policy cycle generation algorithm and sends it to the first OpenFlow switch, which modifies the initial packet header information according to the first IP-hopping policy to obtain the first packet header information; the first port hop processing is specifically that the first MTD controller generates the first port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm and sends it to the first gateway switch, which modifies the first packet header information according to the first port-hopping policy to obtain the second packet header information.
The first MTD controller includes a first IP-hopping module and a first port-hopping module; the first IP-hopping module generates the first IP-hopping policy according to the IP-hopping policy cycle generation algorithm, and the first port-hopping module generates the first port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm.
The second port hop processing is specifically that the second MTD controller generates the second port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm and sends it to the second gateway switch, which modifies the second packet header information according to the second port-hopping policy to obtain the third packet header information; the second IP hop processing is specifically that the second MTD controller generates the second IP-hopping policy according to the IP-hopping policy cycle generation algorithm and sends it to the second OpenFlow switch, which modifies the third packet header information according to the second IP-hopping policy to obtain the fourth packet header information.
The second MTD controller includes a second IP-hopping module and a second port-hopping module; the second IP-hopping module generates the second IP-hopping policy according to the IP-hopping policy cycle generation algorithm, and the second port-hopping module generates the second port-hopping policy according to the cross-domain port-hopping policy cycle generation algorithm.
The system further includes a sync server; the first MTD controller further includes a first synchronization module, and the second MTD controller includes a second synchronization module. The sync server is connected to the first synchronization module and to the second synchronization module respectively, and through them synchronizes the data information of the source LAN component and the destination LAN component.
The mobile target defence method of a kind of network layer based on OpenFlow of the invention, in software defined network framework base On plinth, between realizing that the logic of network address is mobile using jumping strategy to network address information between nodes different domain, to across The strategy that the flows of the different nodes in domain carries out port-hopping realizes the all-around defense to port system is used, it is of the invention based on The mobile target defence method of the network layer of OpenFlow does not need third party software and realizes that the opaque protection in upper layer does not need pair Upper layer application is modified, and is realized in being constantly in and be moved and changed in from the information that node issues, is effectively avoided attack The attack of person.
More than, only presently preferred embodiments of the present invention is not intended to limit the present invention in any form;All current rows The those of ordinary skill of industry can be shown in by specification attached drawing and above and swimmingly implement the present invention;But all to be familiar with sheet special The technical staff of industry without departing from the scope of the present invention, is made a little using disclosed above technology contents The equivalent variations of variation, modification and evolution is equivalent embodiment of the invention;Meanwhile all substantial technologicals according to the present invention The variation, modification and evolution etc. of any equivalent variations to the above embodiments, still fall within technical solution of the present invention Within protection scope.

Claims (10)

1. An OpenFlow-based network-layer moving target defense method, characterized by comprising:
address acquisition: obtaining the network address information of a source node, and obtaining, by querying a DNS server in a source local area network, destination address information containing the public network address of a destination node;
constructing initial packet header information: constructing the initial packet header information from the network address information and the destination address information;
a first IP hop: sending the initial packet header information to a first OpenFlow switch in the source local area network, the first OpenFlow switch sending the initial packet header information to a first MTD controller in the source local area network, and the first MTD controller and the first OpenFlow switch performing first IP hop processing on the initial packet header information to obtain first packet header information;
a first port hop: the first OpenFlow switch sending the first packet header information to a first gateway switch in the source local area network, and the first gateway switch and the first MTD controller performing first port hop processing on the first packet header information to obtain second packet header information;
a second port hop: the first gateway switch sending the second packet header information through the internet to a second gateway switch in a destination local area network, and the second gateway switch and a second MTD controller in the source local area network performing second port hop processing on the second packet header information to obtain third packet header information;
a second IP hop: a second OpenFlow switch and the second MTD controller in the destination local area network performing second IP hop processing on the third packet header information to obtain fourth packet header information;
destination node communication: the second OpenFlow switch sending the fourth packet header information to the destination node, and the destination node parsing the fourth packet header information to complete the communication between the source node and the destination node.
2. The OpenFlow-based network-layer moving target defense method according to claim 1, characterized in that the first IP hop processing is specifically: the first MTD controller generates a first IP hop strategy according to an IP hop strategy cyclic generation algorithm; the first MTD controller sends the first IP hop strategy to the first OpenFlow switch, and the first OpenFlow switch modifies the initial packet header information according to the first IP hop strategy to obtain the first packet header information.
3. The OpenFlow-based network-layer moving target defense method according to claim 1, characterized in that the first port hop processing is specifically: the first MTD controller generates a first port hop strategy according to a cross-domain port hop strategy cyclic generation algorithm; the first MTD controller sends the first port hop strategy to the first gateway switch, and the first gateway switch modifies the first packet header information according to the first port hop strategy to obtain the second packet header information.
4. The OpenFlow-based network-layer moving target defense method according to claim 1, characterized in that the second port hop processing is specifically: the second MTD controller generates a second port hop strategy according to a cross-domain port hop strategy cyclic generation algorithm; the second MTD controller sends the second port hop strategy to the second gateway switch, and the second gateway switch modifies the second packet header information according to the second port hop strategy to obtain the third packet header information.
5. The OpenFlow-based network-layer moving target defense method according to claim 1, characterized in that the second IP hop processing is specifically: the second MTD controller generates a second IP hop strategy according to an IP hop strategy cyclic generation algorithm; the second MTD controller sends the second IP hop strategy to the second OpenFlow switch, and the second OpenFlow switch modifies the third packet header information according to the second IP hop strategy to obtain the fourth packet header information.
6. The OpenFlow-based network-layer moving target defense method according to claim 1, characterized in that the initial packet header information includes the network address information of the source node, the destination address information, a source port and a protocol type.
7. An OpenFlow-based network-layer moving target defense system, characterized by comprising: a source local area network component and a destination local area network component, the source local area network component being communicatively connected with the destination local area network component through the internet; the source local area network component includes a first OpenFlow switch, a first MTD controller, a DNS server, an address acquisition module and a first gateway switch, and the destination local area network component includes a second OpenFlow switch, a second gateway switch and a second MTD controller;
the address acquisition module obtains the network address information of a source node and, by querying the DNS server, destination address information containing the public network address of a destination node; the address acquisition module constructs initial packet header information from the network address information and the destination address information and sends the initial packet header information to the first OpenFlow switch; the first OpenFlow switch sends the initial packet header information to the first MTD controller, and the first MTD controller and the first OpenFlow switch perform first IP hop processing on the initial packet header information to obtain first packet header information; the first OpenFlow switch sends the first packet header information to the first gateway switch, and the first gateway switch and the first MTD controller perform first port hop processing on the first packet header information to obtain second packet header information; the first gateway switch sends the second packet header information through the internet to the second gateway switch, and the second gateway switch and the second MTD controller perform second port hop processing on the second packet header information to obtain third packet header information; the second OpenFlow switch and the second MTD controller perform second IP hop processing on the third packet header information to obtain fourth packet header information; the second OpenFlow switch sends the fourth packet header information to the destination node, and the destination node parses the fourth packet header information to complete the communication between the source node and the destination node.
8. The OpenFlow-based network-layer moving target defense system according to claim 7, characterized in that the first IP hop processing is specifically: the first MTD controller generates a first IP hop strategy according to an IP hop strategy cyclic generation algorithm; the first MTD controller sends the first IP hop strategy to the first OpenFlow switch, and the first OpenFlow switch modifies the initial packet header information according to the first IP hop strategy to obtain the first packet header information; the first port hop processing is specifically: the first MTD controller generates a first port hop strategy according to a cross-domain port hop strategy cyclic generation algorithm; the first MTD controller sends the first port hop strategy to the first gateway switch, and the first gateway switch modifies the first packet header information according to the first port hop strategy to obtain the second packet header information;
the first MTD controller includes a first IP hop module and a first port hop module; the first IP hop module generates the first IP hop strategy according to the IP hop strategy cyclic generation algorithm, and the first port hop module generates the first port hop strategy according to the cross-domain port hop strategy cyclic generation algorithm.
9. The OpenFlow-based network-layer moving target defense system according to claim 7, characterized in that the second port hop processing is specifically: the second MTD controller generates a second port hop strategy according to a cross-domain port hop strategy cyclic generation algorithm; the second MTD controller sends the second port hop strategy to the second gateway switch, and the second gateway switch modifies the second packet header information according to the second port hop strategy to obtain the third packet header information; the second IP hop processing is specifically: the second MTD controller generates a second IP hop strategy according to an IP hop strategy cyclic generation algorithm; the second MTD controller sends the second IP hop strategy to the second OpenFlow switch, and the second OpenFlow switch modifies the third packet header information according to the second IP hop strategy to obtain the fourth packet header information;
the second MTD controller includes a second IP hop module and a second port hop module; the second IP hop module generates the second IP hop strategy according to the IP hop strategy cyclic generation algorithm, and the second port hop module generates the second port hop strategy according to the cross-domain port hop strategy cyclic generation algorithm.
10. The OpenFlow-based network-layer moving target defense system according to claim 7, characterized in that it further includes a sync server; the first MTD controller further includes a first synchronization module, and the second MTD controller includes a second synchronization module; the sync server is connected to the first synchronization module and to the second synchronization module respectively, and through the first synchronization module and the second synchronization module it synchronizes the data information in the source local area network component and in the destination local area network component.
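As an added illustration of the four-stage header pipeline described in the detailed description above and restated in claims 1 to 10 (this is example code written for this page, not the patent's or the applicant's implementation), the simulation below models the two MTD controllers, the sync server and the four header rewrites. The patent names an "IP hop strategy cyclic generation algorithm" and a "cross-domain port hop strategy cyclic generation algorithm" without specifying them, so the stand-in `cyclic_offset` derives a per-epoch offset from a seed and epoch counter that both controllers read from the sync server; that both domains draw the same values from synchronized state is exactly what claim 10's sync server is for. Two further assumptions are labelled in the code: the IP hop rotates the source node's host address inside a /24 pool (`SOURCE_POOL`, constructed), and the destination side applies the inverse transforms so that the fourth header is something the destination node can parse. All names (`PacketHeader`, `SyncServer`, `MTDController`, `run_pipeline`, `SAMPLE_HEADER`) are constructed for this example.

```python
"""Simulation of the OpenFlow-based IP/port hopping pipeline (added example, not patent code)."""
from dataclasses import dataclass, replace
import hashlib
import ipaddress

PORT_SPACE = 65536   # ports are rotated modulo the full 16-bit space (toy choice)
HOST_SPACE = 254     # usable host numbers 1..254 inside a /24 pool

# Constructed sample values: the source LAN's address pool and one initial header
# (source address, destination public address from DNS, source port, protocol; claim 6).
SOURCE_POOL = ipaddress.ip_network("10.10.0.0/24")


@dataclass(frozen=True)
class PacketHeader:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str


SAMPLE_HEADER = PacketHeader("10.10.0.5", "203.0.113.10", 40000, 443, "TCP")


class SyncServer:
    """State shared through the two synchronization modules: a seed and an epoch counter."""

    def __init__(self, seed: bytes, epoch: int = 0):
        self.seed = seed
        self.epoch = epoch

    def advance(self) -> None:
        """Move to the next hop period; both controllers see the new epoch."""
        self.epoch += 1


def cyclic_offset(sync: SyncServer, label: str, space: int) -> int:
    """Stand-in for the patent's unspecified 'cyclic generation algorithm' (assumption):
    a deterministic offset in [0, space) that changes every epoch and is identical in
    both domains because it depends only on the synchronized seed and epoch."""
    material = sync.seed + label.encode() + sync.epoch.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(material).digest()[:4], "big") % space


def hop_ip(ip: str, pool: ipaddress.IPv4Network, k: int, inverse: bool = False) -> str:
    """IP hop strategy: rotate the host part of `ip` inside `pool` by k (reversible)."""
    host = int(ipaddress.IPv4Address(ip)) - int(pool.network_address)
    if not 1 <= host <= HOST_SPACE:
        raise ValueError(f"{ip} is not a host address inside {pool}")
    step = -k if inverse else k
    new_host = (host - 1 + step) % HOST_SPACE + 1
    return str(pool.network_address + new_host)


def hop_port(port: int, k: int, inverse: bool = False) -> int:
    """Port hop strategy: rotate a port number by k modulo the port space (reversible)."""
    return (port - k if inverse else port + k) % PORT_SPACE


class MTDController:
    """One MTD controller: an IP hop module and a port hop module fed by the sync server."""

    def __init__(self, sync: SyncServer, ip_pool: ipaddress.IPv4Network):
        self.sync = sync
        self.ip_pool = ip_pool

    def ip_strategy(self) -> int:
        return cyclic_offset(self.sync, "ip-hop", HOST_SPACE)

    def port_strategy(self) -> int:
        return cyclic_offset(self.sync, "port-hop", PORT_SPACE)


def source_domain(hdr: PacketHeader, ctl: MTDController):
    """First OpenFlow switch applies the IP hop (first header), then the first gateway
    switch applies the port hop (second header)."""
    first = replace(hdr, src_ip=hop_ip(hdr.src_ip, ctl.ip_pool, ctl.ip_strategy()))
    k = ctl.port_strategy()
    second = replace(first, src_port=hop_port(first.src_port, k),
                     dst_port=hop_port(first.dst_port, k))
    return first, second


def destination_domain(hdr: PacketHeader, ctl: MTDController):
    """Second gateway switch reverses the port hop (third header), second OpenFlow switch
    reverses the IP hop (fourth header). Assumption: the destination side undoes the
    transforms so the destination node can parse the fourth header."""
    k = ctl.port_strategy()
    third = replace(hdr, src_port=hop_port(hdr.src_port, k, inverse=True),
                    dst_port=hop_port(hdr.dst_port, k, inverse=True))
    fourth = replace(third, src_ip=hop_ip(third.src_ip, ctl.ip_pool,
                                          ctl.ip_strategy(), inverse=True))
    return third, fourth


def run_pipeline(hdr: PacketHeader, sync: SyncServer, pool=SOURCE_POOL):
    """Run one packet header through both domains; returns the four headers in order."""
    src_ctl = MTDController(sync, pool)   # first MTD controller
    dst_ctl = MTDController(sync, pool)   # second MTD controller, same synchronized state
    first, second = source_domain(hdr, src_ctl)
    third, fourth = destination_domain(second, dst_ctl)
    return first, second, third, fourth


if __name__ == "__main__":
    sync = SyncServer(b"shared-seed")
    for epoch in range(3):
        print(f"epoch {epoch}:")
        for name, h in zip(("first", "second", "third", "fourth"),
                           run_pipeline(SAMPLE_HEADER, sync)):
            print(f"  {name:6} {h}")
        sync.advance()
```

Running the demo shows the property the description claims: across epochs the second header (what an observer on the internet sees) carries a different source address and port pair each period, while the fourth header delivered to the destination node is the original header whenever both controllers share the sync server's state. If the two domains fall out of sync (different epoch), the destination side reverses with the wrong offsets and the fourth header no longer matches, which is the failure mode the sync server exists to prevent.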
CN201810588919.5A 2018-06-08 2018-06-08 A kind of network layer movement target defence method and system based on OpenFlow Pending CN108965252A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810588919.5A CN108965252A (en) 2018-06-08 2018-06-08 A kind of network layer movement target defence method and system based on OpenFlow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810588919.5A CN108965252A (en) 2018-06-08 2018-06-08 A kind of network layer movement target defence method and system based on OpenFlow

Publications (1)

Publication Number Publication Date
CN108965252A true CN108965252A (en) 2018-12-07

Family

ID=64493554

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810588919.5A Pending CN108965252A (en) 2018-06-08 2018-06-08 A kind of network layer movement target defence method and system based on OpenFlow

Country Status (1)

Country Link
CN (1) CN108965252A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109818953A (en) * 2019-01-21 2019-05-28 常州工程职业技术学院 A kind of sensor safe defense technique in mobile Internet of things system
CN110300106A (en) * 2019-06-24 2019-10-01 中国人民解放军战略支援部队信息工程大学 Mobile target based on Markov time game defends decision choosing method, apparatus and system
CN110300106B (en) * 2019-06-24 2021-11-23 中国人民解放军战略支援部队信息工程大学 Moving target defense decision selection method, device and system based on Markov time game
CN111385228A (en) * 2020-02-26 2020-07-07 天津理工大学 Mobile target defense method based on openflow switch port confusion
CN111385228B (en) * 2020-02-26 2022-02-18 天津理工大学 Mobile target defense method based on openflow switch port confusion
CN113660252A (en) * 2021-08-12 2021-11-16 江苏亨通工控安全研究院有限公司 Active defense system and method

Similar Documents

Publication Publication Date Title
CN108965252A (en) A kind of network layer movement target defence method and system based on OpenFlow
CN108683682B (en) DDoS attack detection and defense method and system based on software defined network
CN105337857B (en) A kind of multi-path transmission method based on software defined network
CN104901890B (en) A kind of SDN route generation, matching process and system
CN103685009B (en) Data packet processing method and system as well as controller
CN104104561B (en) A kind of SDN firewall states detection method and system based on OpenFlow agreements
CN105357046B (en) A method of the network information for software defined network SDN detects
CN106657066B (en) A kind of random jump method and device of network management plane address
CN104717098B (en) A kind of data processing method and device
CN104954367B (en) A kind of cross-domain ddos attack means of defence of internet omnidirectional
CN104253765B (en) A kind of packet-switching method, apparatus and access switch and exchange system
CN103929422B (en) Trusted inter-domain safety certificate protocol based on SDN
CN101764709A (en) Network physical topology discovering method and network management server based on SNMP
CN105207950B (en) A kind of communication data guard method based on SDN technology
Sun et al. Diamond: An Improved Fat-tree Architecture for Large-scale Data Centers.
CN105119911B (en) A kind of safety certifying method and system based on SDN streams
CN104092684B (en) A kind of OpenFlow agreements support VPN method and apparatus
CN105634923B (en) Ethernet based on SDN controllers broadcasts optimized treatment method
CN105763449A (en) Single packet source-tracing method based on storage resource adaptive adjustment
CN104202314B (en) A kind of method and device for preventing DDOS attack
CN110099046A (en) Network hopping method and system of super-convergence server
CN105812372A (en) Single-packet tracing method based on label switching
CN107612937B (en) Detection and defence method under a kind of SDN network to DHCP extensive aggression
CN104753695B (en) The discovery of SDN network topological structure and real-time rendering system and method
CN104506559B (en) DDoS defense system and method based on Android system

Legal Events

Date Code Title Description
PB01 Publication
Application publication date: 20181207
WD01 Invention patent application deemed withdrawn after publication