CN109547478A - A kind of anti-network scanning method and system based on SDN - Google Patents
- Publication number
- CN109547478A (application number CN201811612433.7A)
- Authority
- CN
- China
- Prior art keywords
- network
- sdn
- user
- data packet
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention relates to the field of information security technology and discloses an SDN-based anti-network-scanning method and system. The method includes legitimate-user identity authentication and legitimate-data-flow path establishment, and further includes illegal-data-flow blocking and/or scan-response forgery. Through these stages, and without affecting normal traffic, an attacker is prevented from obtaining the characteristic information of the terminal systems in the protected SDN network, or is diverted to a "honeypot" node deployed in the SDN network, so that the attacker's "network scanning" behaviour is rendered ineffective and an anti-network-scanning effect is achieved.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to an SDN-based anti-network-scanning method and system.
Background technique
Anti-port-scanning technology is an active security defence technology essential to countering the reconnaissance link of the attack chain. It prevents an attacker from using scanning tools (such as nmap, zmap and masscan) to obtain the characteristic information of systems in a protected network, such as whether a system is online, its operating system type, its open ports and the characteristics of the services it runs, thereby achieving an anti-network-scanning effect.
Software-defined networking (SDN) is an emerging software-based network architecture and technology that originated in the OpenFlow work at Stanford University. It is an architectural approach to optimising and simplifying network operation: it provides a flexible and effective interface for information exchange between the network and the applications that use it, and gives the network the technical characteristics of openness, network programmability and network virtualisation, lending the network stronger dynamic agility.
SDN technology separates the network's forwarding (transport) plane from its control plane, so that the network can be controlled centrally at the logical level. The establishment of normal traffic connections can thus be handed over to the SDN control plane, which helps to filter out network reconnaissance probe packets hidden in the handshake traffic of normal connections. This provides support for distinguishing normal traffic from network attack traffic more accurately, and creates the conditions for an anti-network-scanning security defence technology.
Research on SDN-based anti-port-scanning technology concentrates mainly on two points: first, in an SDN environment and without affecting normal traffic, preventing mainstream network scanning software from obtaining the characteristic information of the protected network; second, in an SDN environment and without affecting normal traffic, deliberately inducing mainstream network scanning software to obtain false information, thereby forming an anti-network-scanning capability.
At present, no technology comparable to SDN-based anti-port-scanning technology has been found. As a novel active security defence technology, it can effectively reduce the probability that terminal systems in a protected SDN network are discovered by a malicious attacker and avoid the exposure of system characteristic information. Alternatively, attacks can be diverted to a "honeypot" node deployed in the SDN network, rendering the attacker's "network scanning" behaviour ineffective and forming an effective anti-network-scanning capability.
Summary of the invention
The technical problem to be solved by the present invention is as follows: in view of the problems of the existing technology, the present invention proposes an SDN-based anti-port-scanning technology which, without affecting normal traffic, prevents an attacker from obtaining the characteristic information of the terminal systems in a protected SDN network, thereby achieving an anti-network-scanning effect.
An SDN-based anti-network-scanning method provided by the invention includes legitimate-user identity authentication and legitimate-data-flow path establishment, and further includes illegal-data-flow blocking and/or scan-response forgery.
Legitimate-user identity authentication means that when a user needs to access the SDN network, before communicating with other terminals the user sends a special data packet to an SDN switch in the network to carry out identity authentication; the SDN network is the protected network.
Legitimate-data-flow path establishment means that the SDN controller establishes several transmission channels for the data flows of legitimate users to ensure their normal transmission; a legitimate user is a user who has passed identity authentication.
Illegal-data-flow blocking means that an appropriate network security policy is invoked at the application layer to block all illegal data flows from entering the network; an illegal data flow is a data flow generated when a user who has not passed identity authentication attempts to access the SDN network.
Scan-response forgery means that flow entries are set in the SDN switches so that all illegal data flows entering the SDN network are diverted to a "honeypot" device deployed in the network in advance.
Another aspect of the invention provides an SDN-based anti-network-scanning system comprising an infrastructure layer, a control layer and an application layer. The infrastructure layer is the SDN network, i.e. the protected network, and comprises several SDN switches connected to user terminals. The control layer contains the SDN controller, which comprises a core module, a packet transmission channel module and a route calculation module. The application layer comprises a user authentication module and a network security policy scheduling module.
The core module analyses whether a service data packet sent by an SDN switch was transmitted by a legitimate user and, according to the packet transmission path calculated by the route calculation module, configures the flow tables of all SDN switches on that path in the SDN network so that they forward the data packets having the specified characteristics.
The packet transmission channel module submits the identity authentication packets transmitted by users to the user authentication module in the application layer.
The route calculation module processes the service data packets that the core module has identified as transmitted by legitimate users and, according to the source and destination addresses of the service data packet, calculates a packet transmission path from the source node to the destination node in the SDN network.
The user authentication module verifies the identity of the user according to the identity authentication packet received and feeds the final verification result back to the SDN controller.
The network security policy scheduling module issues the security policy to the SDN controller, causing it to block all illegal data flows from entering the SDN network; and/or, through SDN controller configuration commands, diverts all illegal data flows entering the SDN network to a "honeypot" device deployed in the network in advance. An illegal data flow is a data flow generated when a user who has not passed identity authentication attempts to access the SDN network.
Using software-defined networking (SDN) technology, the present invention designs an anti-network-scanning method and system which, without affecting normal communication traffic, prevents mainstream network scanning software from obtaining the characteristic information of the protected SDN network, or diverts it to a "honeypot" node deployed in the SDN network, rendering the attacker's "network scanning" behaviour ineffective and forming an effective anti-network-scanning capability.
Detailed description of the invention
Embodiments of the present invention will be described with reference to the accompanying drawings, in which:
Fig. 1 is the legitimate-user identity authentication flow chart of the embodiment of the present invention;
Fig. 2 is the legitimate-data-flow path establishment flow chart of the embodiment of the present invention;
Fig. 3 is the illegal-data-flow blocking flow chart of the embodiment of the present invention;
Fig. 4 is the scan-response forgery flow chart of the embodiment of the present invention.
Specific embodiment
All features disclosed in this specification, or all steps of any method or process disclosed, may be combined in any way except for mutually exclusive features and/or steps.
Unless specifically stated otherwise, any feature disclosed in this specification may be replaced by an alternative feature that is equivalent or serves a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
The SDN-based anti-port-scanning technology provided by the invention mainly considers the following:
1. Legitimate-user identity confirmation based on SDN: before a user may access the protected SDN network, the user must prove its legitimacy to that network (i.e. the protected network) and may enter it only after the verification succeeds. Accordingly, a high-level secure authentication technique for SDN networks is required, one that cannot easily be intercepted and exploited by a malicious attacker; otherwise serious problems such as network information spoofing will arise.
2. Legitimate-data-flow transmission channel establishment based on SDN: so that normal traffic communication is not affected, a dedicated data-flow transmission channel must be established for each legitimate user, so that a user who has passed authentication can carry out normal traffic with other terminals in the protected SDN network; otherwise serious problems such as blocked normal traffic communication will arise.
3. Illegal-data-flow blocking based on SDN: an attacker usually uses network scanning tools (such as nmap, zmap and masscan) to obtain the characteristic information of an SDN network, such as whether the terminal systems in it are online, their operating system types, running services and open ports, and then carries out penetration attacks using the key information obtained. Accordingly, an SDN-based illegal-data-flow blocking technique is required so that the attacker's "network scanning behaviour" is rendered ineffective, i.e. the attacker cannot obtain any characteristic information of the protected SDN network by scanning, which achieves the anti-network-scanning effect; otherwise serious problems such as leakage of the protected network's key characteristic information will arise.
4. Scan-response forgery based on SDN: to further improve the anti-network-scanning capability and effectively protect the terminal systems in the real SDN network, an active security defence mechanism is required that can forge the attacker's scan response data and return false network characteristic information to the attacker, making the attacker believe that the attack it launched has succeeded, so as to effectively protect the terminal systems in the real SDN network; otherwise serious problems such as leakage of the protected network's key characteristic information and exposure to network attack will arise.
The technical solution of the present invention therefore mainly includes legitimate-user identity authentication and legitimate-data-flow path establishment, and further includes illegal-data-flow blocking and/or scan-response forgery. Through these stages, and without affecting normal traffic, an attacker is prevented from obtaining the characteristic information of the terminal systems in the protected SDN network, achieving an anti-network-scanning effect.
1. Legitimate-user identity authentication
When a legitimate user needs to access the protected network, the user must prove its legitimacy to the network (i.e. the protected network) before communicating with other terminals. In an SDN network, the user does this by sending a special data packet to an SDN switch in the network to carry out identity authentication.
As shown in Fig. 1, in an embodiment of the present invention the steps by which a user carries out identity authentication are:
(1) The user sends a special identity authentication packet to an SDN switch 12 in the infrastructure layer 1, i.e. the protected SDN network. The packet has special network characteristics (for example a specific IP address, a specific port number and a specific protocol type), and these special characteristics are known only to the legitimate user and to the user authentication module of the application layer. Preferably, a digital certificate for verifying the user's identity is encapsulated in the packet.
(2) When the identity authentication packet transmitted by the user reaches the SDN switch 12 that is connected to the user terminal 11 in the network, the SDN switch 12 submits the packet over the control channel to the SDN controller 20 in the control layer 2 (normally in the form of a Packet-in message).
(3) In the SDN controller 20, an embedded packet transmission channel module 22 submits these special user identity authentication packets to the user authentication module 31 in the application layer 3.
(4) In the application layer 3, the user authentication module 31 verifies the identity of the user according to the digital certificate encapsulated in the packet received.
(5) The user authentication module 31 feeds the final verification result back to the SDN controller 20.
2. Legitimate-data-flow transmission channel establishment
Once the user's identity has been verified, the user is defined as a legitimate user, and all data flows subsequently transmitted by that user (or terminal) are identified as legitimate data flows. In an SDN network, the SDN controller establishes several transmission channels for the data flows of legitimate users to ensure their normal transmission.
As shown in Fig. 2, the legitimate-data-flow transmission channel establishment of the embodiment of the present invention includes:
(1) After identity authentication, the legitimate user (legitimate user terminal A) sends a service data packet to an arbitrary destination address in the network (user terminal B).
(2) The first service data packet transmitted by the user reaches the SDN network and is submitted by the SDN switch 12 over the control channel to the SDN controller 20.
(3) After the core module 21 of the SDN controller 20 receives the packet, it analyses the packet's network characteristics, finds that the packet was transmitted by a legitimate user, and submits it to the route calculation module 23 for processing. The route calculation module 23 in the SDN controller 20 calculates, according to the packet's source and destination addresses, a packet transmission path from the source node to the destination node in the SDN network.
(4) According to the calculation result of the route calculation module 23, the core module 21 in the SDN controller 20 configures the flow tables of all SDN switches 12 on that transmission path in the SDN network so that they forward the data packets having the specified characteristics, and the packet is forwarded to the destination terminal B.
(5) Subsequent data flows generated by user terminal A are transmitted by the SDN network along the data-flow transmission channel that has been established.
3. Illegal-data-flow blocking
When users who have not passed identity authentication attempt to access the protected network, the data flows they generate are regarded as "illegal data flows", and these include the "network scanning" data flows transmitted by potential network attackers. To render the attacker's "network scanning behaviour" ineffective, all "illegal data flows" must be blocked from entering the network. In an SDN network this can be implemented by invoking an appropriate network security policy at the application layer.
As shown in Fig. 3, the illegal-data-flow blocking of the embodiment of the present invention includes:
(1) In the application layer 3, the network security policy scheduling module 32 issues the security policy to the SDN controller 20, causing it to block all illegal data flows from entering the protected network.
(2) After the SDN controller 20 receives the command, it deploys the policy at all entry points of the SDN network through its network rule scheduling module (by configuring the flow tables of the SDN switches 12), causing them to discard all other packets received that do not belong to legitimate users.
(3) The data flows of legitimate users can still be transmitted normally over the established data-flow transmission channels.
(4) All packets of illegal users are discarded by the SDN switches at the "entry points" of the SDN network.
As a result, none of the "network scanning" packets sent by a network attacker can enter the protected network, and the attacker receives no response packets in return. From the attacker's point of view the protected network is therefore a "black hole": no active terminal exists in the target network, and no network attack can be launched. In this way the purpose of anti-network-scanning is achieved.
4. Scan-response forgery
Another, more effective, anti-port-scanning method is to forge the network attacker's scan responses so that the attacker obtains false network characteristic information. The core of this method is to establish a "honeypot" in the network. "Honeypot" technology is a common technique in countering network attacks; the essence of a "honeypot" is a "decoy" deliberately set up by the network administrator to lure the network attacker (hacker) into attacking it, so that the attacker's attack methods can be learned and countered with effective strategies. On the other hand, the "honeypot" (decoy) can be used to confuse the network attacker into believing that the current attack has succeeded, so that the attacker no longer changes attack method and target, thereby protecting the real target.
In an SDN network, flow entries can be set in the SDN switches to divert network scanning data flows into a preset "honeypot" device.
As shown in Fig. 4, the network security policy scheduling module in the application layer, through SDN controller configuration commands, diverts all illegal data flows entering the protected network to a "honeypot" device (usually a server) deployed in the network in advance; these illegal data flows also contain the network scanning data flows transmitted by potential network attackers. After receiving network scanning packets, the "honeypot" device forges false response packets according to a preconfigured security policy and returns them to the network attacker. Having received the false responses, the attacker can obtain only false target-network characteristic information, and the network attack packets it launches later are likewise diverted to the "honeypot" device, so the terminals in the real SDN network are protected from attack and the purpose of anti-network-scanning is achieved. A "honeypot" is an information system for capturing network attacks and for network security research; it has functions such as service simulation, behaviour monitoring and data analysis, and its form is not limited to a server: any information system that can simulate one or more specific services, monitor and record system behaviour, and store and analyse data can serve as a honeypot.
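The four stages described in sections 1 to 4 above (an identity packet lifted to the controller as a Packet-in and checked by an application-layer authentication module, per-user path flow entries installed from the first data packet, a default policy at every ingress that discards unauthenticated traffic, and the alternative of redirecting it to a decoy that answers with a uniformly false picture) can be modelled together in a small controller simulation. The block below is an added example written for this page; it is not code from the patent or its applicant. It assumes a two-switch topology, that the identity packet is UDP to port 9999, that the decoy device sits at 10.0.0.250, and an HMAC tag as a stand-in for the digital certificate; it covers both the blocking mode of section 3 and the deception mode of section 4 through a single `deception` switch.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass

# Assumed for this example (not taken from the patent): the identity packet is
# UDP to this port, and the decoy ("honeypot") device sits at this address.
AUTH_PORT = 9999
HONEYPOT = "10.0.0.250"
# Constructed secret for the application-layer user authentication module; a real
# deployment verifies the certificate's signature against a CA public key instead.
AUTH_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

@dataclass
class FlowEntry:
    priority: int
    match: dict   # field name -> required value; an empty dict matches everything
    action: str   # "forward", "drop", "controller" or "redirect:<host>"

class Switch:
    """SDN switch: the highest-priority matching entry wins; table-miss is a Packet-in."""
    def __init__(self, name):
        self.name, self.table = name, []

    def lookup(self, pkt):
        for e in sorted(self.table, key=lambda e: e.priority, reverse=True):
            if all(getattr(pkt, k) == v for k, v in e.match.items()):
                return e.action
        return "controller"

def make_cert(user):
    """Constructed stand-in for the digital certificate carried in the identity packet."""
    tag = hmac.new(AUTH_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}|{tag}".encode()

def verify_cert(cert):
    """User authentication module: returns the user id, or None if the tag is invalid."""
    user, _, tag = cert.partition(b"|")
    expect = hmac.new(AUTH_KEY, user, hashlib.sha256).hexdigest().encode()
    return user.decode() if user and hmac.compare_digest(tag, expect) else None

class Controller:
    """Core + route calculation modules; deception=True selects honeypot redirection."""
    def __init__(self, switches, links, edge, deception=False):
        self.sw = {s.name: s for s in switches}
        self.links, self.edge = links, edge   # switch adjacency; host -> its edge switch
        self.legit = set()
        self.default = f"redirect:{HONEYPOT}" if deception else "drop"
        for s in switches:                    # security policy pushed to every ingress
            s.table.append(FlowEntry(100, {"proto": "udp", "dport": AUTH_PORT}, "controller"))
            s.table.append(FlowEntry(0, {}, self.default))  # all else is illegal by default

    def route(self, a, b):
        """Breadth-first shortest switch path from a's edge switch to b's edge switch."""
        start, goal = self.edge[a], self.edge[b]
        queue, prev = deque([start]), {start: None}
        while queue:
            cur = queue.popleft()
            for nxt in self.links.get(cur, ()):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        path, cur = [], goal
        while cur is not None:
            path.append(cur)
            cur = prev[cur]
        return path[::-1]

    def packet_in(self, pkt):
        if pkt.proto == "udp" and pkt.dport == AUTH_PORT:   # stage 1: authentication
            if verify_cert(pkt.payload):
                self.legit.add(pkt.src)
                # this user's first data packet must reach the controller for path setup
                self.sw[self.edge[pkt.src]].table.append(
                    FlowEntry(10, {"src": pkt.src}, "controller"))
            return "drop"                                    # the identity packet ends here
        if pkt.src in self.legit and pkt.dst in self.edge:  # stage 2: path establishment
            for name in self.route(pkt.src, pkt.dst):
                self.sw[name].table.append(
                    FlowEntry(50, {"src": pkt.src, "dst": pkt.dst}, "forward"))
            return "forward"
        return self.default                                  # stages 3/4 for everyone else

def send(ctrl, pkt):
    """Inject pkt at its source's edge switch and report what the network does with it."""
    for name in ctrl.route(pkt.src, pkt.dst):
        act = ctrl.sw[name].lookup(pkt)
        if act == "controller":
            act = ctrl.packet_in(pkt)
        if act == "drop":
            return "dropped"
        if act.startswith("redirect:"):
            return "honeypot"
    return "delivered"

def honeypot_reply(pkt):
    """Stage 4: the decoy answers every probe with the same constructed, false picture."""
    return {"host": pkt.dst, "port": pkt.dport, "state": "open", "banner": "decoy"}
```

A useful property to check against such a model is that the controller only ever sees two kinds of Packet-in: identity packets (matched by the priority-100 entry on every switch) and the first data packet of an already authenticated source (matched by the per-user priority-10 entry). Every other packet hits the priority-0 default and is dropped or redirected at the ingress switch without reaching the control plane, which is what keeps a scan from becoming a Packet-in flood against the controller.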
The invention is not limited to the specific embodiments described above. The invention extends to any new feature or any new combination of features disclosed in this specification, and to any new method or process step or any new combination thereof.
Claims (10)
1. An SDN-based anti-network-scanning method, characterised in that it includes legitimate-user identity authentication and legitimate-data-flow path establishment, and further includes illegal-data-flow blocking and/or scan-response forgery;
the legitimate-user identity authentication includes: when a user needs to access the SDN network, before communicating with other terminals, the user sends a special data packet to an SDN switch in the network to carry out identity authentication, the SDN network being the protected network;
the legitimate-data-flow path establishment includes: the SDN controller establishes several transmission channels for the data flows of legitimate users to ensure their normal transmission, a legitimate user being a user who has passed identity authentication;
the illegal-data-flow blocking includes: invoking an appropriate network security policy at the application layer to block all illegal data flows from entering the network, an illegal data flow being a data flow generated when a user who has not passed identity authentication attempts to access the SDN network;
the scan-response forgery includes: setting flow entries in the SDN switches to divert all illegal data flows entering the SDN network to a "honeypot" device deployed in the network in advance.
2. The SDN-based anti-network-scanning method according to claim 1, characterised in that the legitimate-user identity authentication specifically includes:
the user sends a special identity authentication packet to an SDN switch in the network, the packet having special network characteristics that are known only to the legitimate user and to the user authentication module of the application layer;
when the identity authentication packet transmitted by the user reaches the SDN switch connected to the user terminal in the network, the SDN switch submits the packet over the control channel to the SDN controller;
the packet transmission channel module of the SDN controller submits the identity authentication packet to the user authentication module in the application layer;
in the application layer, the user authentication module verifies the identity of the user according to the packet received and feeds the final verification result back to the SDN controller.
3. The SDN-based anti-network-scanning method according to claim 2, characterised in that a digital certificate for verifying the user's identity is encapsulated in the special identity authentication packet, and the user authentication module of the application layer verifies the identity of the user according to the digital certificate encapsulated in the packet received.
4. The SDN-based anti-network-scanning method according to claim 2, characterised in that the special network characteristics include a specific IP address, a specific port number and/or a specific protocol type.
5. The SDN-based anti-network-scanning method according to claim 1, characterised in that the legitimate-data-flow path establishment specifically includes:
after identity authentication, the legitimate user sends a service data packet to an arbitrary destination address in the SDN network;
the first service data packet transmitted by the user reaches the SDN network and is submitted by the SDN switch over the control channel to the SDN controller;
after the core module of the SDN controller receives the service data packet, it analyses the packet's network characteristics, finds that the service data packet was transmitted by a legitimate user, and submits it to the route calculation module for processing;
the route calculation module in the SDN controller calculates, according to the source and destination addresses of the service data packet, a packet transmission path from the source node to the destination node in the SDN network;
according to the calculation result of the route calculation module, the core module in the SDN controller configures the flow tables of all SDN switches on that transmission path in the SDN network so that they forward the data packets having the specified characteristics;
subsequent data flows generated by the user terminal are transmitted by the SDN network along the data-flow transmission channel that has been established.
6. The SDN-based anti-network-scanning method according to claim 1, characterised in that the illegal-data-flow blocking specifically includes:
in the application layer, the network security policy scheduling module issues the security policy to the SDN controller, causing it to block all illegal data flows from entering the SDN network;
after the SDN controller receives the command, it deploys the policy at all entry points of the SDN network through its network rule scheduling module, causing them to discard all other packets received that do not belong to legitimate users;
the data flows of legitimate users can still be transmitted normally over the established data-flow transmission channels;
all packets of illegal users are discarded by the SDN switches at the entry points of the SDN network.
7. The SDN-based anti-network-scanning method according to claim 6, characterised in that deploying the policy at all entry points of the SDN network specifically means configuring the flow tables of the SDN switches.
8. The SDN-based anti-network-scanning method according to claim 1, characterised in that the scan-response forgery specifically includes:
the network security policy scheduling module of the application layer, through SDN controller configuration commands, diverts all illegal data flows entering the SDN network to a "honeypot" device deployed in the network in advance;
after receiving network scanning packets, the "honeypot" device forges false response packets according to a preconfigured security policy and returns them to the network attacker.
9. The SDN-based anti-network-scanning method according to claim 8, characterised in that the "honeypot" device is a server.
10. An SDN-based anti-network-scanning system, comprising an infrastructure layer, a control layer and an application layer, wherein the infrastructure layer is the SDN network, i.e. the protected network, and the SDN network comprises several SDN switches connected to user terminals; an SDN controller is provided in the control layer; characterized in that the SDN controller comprises a core module, a packet transmission channel module and a routing calculation module, and the application layer comprises a user authentication module and a network security policy scheduling module;
the core module is used to analyse whether a service packet sent by an SDN switch is a packet transmitted by a legitimate user and, according to the packet transmission path calculated by the routing calculation module, to configure the flow tables of all SDN switches on that path so that they forward packets having the specified characteristics;
the packet transmission channel module is used to submit the identity authentication packets transmitted by users to the user authentication module in the application layer;
the routing calculation module is used to process the service packets that the core module has determined to be transmitted by legitimate users, calculating, from the source and destination addresses of the service packet, a packet transmission path from the source node to the destination node in the SDN network;
the user authentication module is used to verify the identity of the user according to the received identity authentication packet and to feed the final verification result back to the SDN controller;
the network security policy scheduling module is used to assign a security policy to the SDN controller, causing it to block all invalid data flows from entering the SDN network; and/or, by way of SDN controller configuration commands, to steer all invalid data flows that have entered the SDN network to a honeypot device deployed in advance in the network, an invalid data flow being the data flow generated when a user who has not passed identity authentication attempts to access the SDN network.
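As an added illustration (not code from the patent or its applicant), the following Python simulation models the division of labour in claim 10: an authentication module with a constructed credential store, a BFS routing module over a constructed four-switch topology, and a core module that installs forward entries for authenticated users and applies the scheduler's block or redirect-to-honeypot policy to every other flow. The topology, host addresses, token values and the honeypot address are all assumptions.

```python
from collections import deque
# Constructed topology for a hypothetical SDN network: switch -> neighbouring switches.
TOPOLOGY = {"s1": ["s2", "s3"], "s2": ["s1", "s4"], "s3": ["s1", "s4"], "s4": ["s2", "s3"]}
HOST_SWITCH = {"10.0.0.1": "s1", "10.0.0.2": "s4", "10.0.0.9": "s3"}  # host -> edge switch
HONEYPOT = "10.0.0.9"               # the honeypot server (hypothetical address)
VALID_TOKENS = {"alice": "tok-a1"}  # constructed credential store for the auth module

class Controller:
    def __init__(self, policy="redirect"):
        self.policy = policy              # "block" or "redirect", set by the policy scheduler
        self.authenticated = set()        # source addresses that passed authentication
        self.flow_tables = {sw: [] for sw in TOPOLOGY}   # flow entries installed per switch

    def authenticate(self, pkt):          # user authentication module
        ok = VALID_TOKENS.get(pkt.get("user")) == pkt.get("token")
        if ok:
            self.authenticated.add(pkt["src"])
        return ok                         # verification result fed back to the controller

    def compute_path(self, src, dst):     # routing module: BFS shortest switch path
        start, goal = HOST_SWITCH[src], HOST_SWITCH[dst]
        prev, queue = {start: None}, deque([start])
        while queue and goal not in prev:
            node = queue.popleft()
            for nxt in TOPOLOGY[node]:
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        path, node = [], goal if goal in prev else None
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]                 # [] when the destination is unreachable

    def install(self, path, match, action):   # configure flow tables along the path
        for sw in path:
            self.flow_tables[sw].append((match, action))

    def handle_packet_in(self, pkt):      # core module: classify, then install or apply policy
        if pkt["kind"] == "auth":         # identity packet -> authentication module
            return "auth-ok" if self.authenticate(pkt) else "auth-fail"
        match = (pkt["src"], pkt["dst"])
        if pkt["src"] in self.authenticated:
            self.install(self.compute_path(pkt["src"], pkt["dst"]), match, "forward")
            return "forward"
        if self.policy == "block":        # policy 1: drop the invalid flow at the edge switch
            self.install([HOST_SWITCH[pkt["src"]]], match, "drop")
            return "drop"
        # policy 2: steer the invalid flow to the honeypot, which answers with decoy data
        self.install(self.compute_path(pkt["src"], HONEYPOT), match, "redirect:" + HONEYPOT)
        return "redirect"
```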
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811612433.7A CN109547478A (en) | 2018-12-27 | 2018-12-27 | A kind of anti-network scanning method and system based on SDN |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811612433.7A CN109547478A (en) | 2018-12-27 | 2018-12-27 | A kind of anti-network scanning method and system based on SDN |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109547478A true CN109547478A (en) | 2019-03-29 |
Family
ID=65857705
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811612433.7A Pending CN109547478A (en) | 2018-12-27 | 2018-12-27 | A kind of anti-network scanning method and system based on SDN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109547478A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114710307A (en) * | 2021-09-28 | 2022-07-05 | 北京卫达信息技术有限公司 | Network detection and identification method and system based on virtual network |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103647658A (en) * | 2013-11-27 | 2014-03-19 | 华为技术有限公司 | Management method of network equipment in software-defined network system and controller |
CN104506507A (en) * | 2014-12-15 | 2015-04-08 | 蓝盾信息安全技术股份有限公司 | Honey net safeguard system and honey net safeguard method for SDN (self-defending network) |
US20150341377A1 (en) * | 2014-03-14 | 2015-11-26 | Avni Networks Inc. | Method and apparatus to provide real-time cloud security |
CN105978810A (en) * | 2016-06-27 | 2016-09-28 | 上海斐讯数据通信技术有限公司 | User authentication method and system based on SDN (Software Defined Network) |
CN106982188A (en) * | 2016-01-15 | 2017-07-25 | 阿里巴巴集团控股有限公司 | The detection method and device in malicious dissemination source |
CN107222433A (en) * | 2017-04-18 | 2017-09-29 | 中国科学院信息工程研究所 | A kind of access control method and system based on SDN path |
US20180034847A1 (en) * | 2016-07-27 | 2018-02-01 | Fugue, Inc. | Regeneration and generational mutation for security and fidelity in software defined networks |
CN108494731A (en) * | 2018-02-08 | 2018-09-04 | 中国电子科技网络信息安全有限公司 | A kind of anti-network scanning method based on bidirectional identity authentication |
Timeline: 2018-12-27 CN CN201811612433.7A patent/CN109547478A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Li et al. | A survey on OpenFlow-based Software Defined Networks: Security challenges and countermeasures | |
US10362048B2 (en) | Distributed online wireless security test system | |
CN103561011B (en) | A kind of SDN controller method and system for preventing blind DDoS attacks on | |
CN105227383B (en) | A kind of device of network topology investigation | |
US8516575B2 (en) | Systems, methods, and media for enforcing a security policy in a network including a plurality of components | |
CN106850690B (en) | Honeypot construction method and system | |
CN111586025B (en) | SDN-based SDP security group implementation method and security system | |
US20020166063A1 (en) | System and method for anti-network terrorism | |
US20050182968A1 (en) | Intelligent firewall | |
CN114302402A (en) | Electric power regulation and control business safety communication method based on 5G | |
CN107222433A (en) | A kind of access control method and system based on SDN path | |
CN106464659A (en) | Security in software defined network | |
Xia et al. | An active defense solution for ARP spoofing in OpenFlow network | |
CN110601889B (en) | System and method for realizing safe backtracking deep encryption controlled network link resource scheduling management | |
EP3433749B1 (en) | Identifying and trapping wireless based attacks on networks using deceptive network emulation | |
CN105933245A (en) | Secure and credible access method in software defined network | |
Hussein et al. | Software-Defined Networking (SDN): the security review | |
CN111314381A (en) | Safety isolation gateway | |
TW202137735A (en) | Programmable switching device for network infrastructures | |
Mubarakali et al. | A survey: Security threats and countermeasures in software defined networking | |
CN107835145A (en) | The method and distributed system of a kind of anti-replay-attack | |
CN109547478A (en) | A kind of anti-network scanning method and system based on SDN | |
Dimitriadis | Improving mobile core network security with honeynets | |
Mack | Cyber security | |
CN111585972B (en) | Security protection method and device for gatekeeper and network system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20190329