CN109547478A - A kind of anti-network scanning method and system based on SDN - Google Patents


Info

Publication number: CN109547478A
Authority: CN (China)
Application number: CN201811612433.7A
Other languages: Chinese (zh)
Inventors: 冯毓, 刘赟, 陈思, 张位, 毛得明
Current assignee: China Electronic Technology Cyber Security Co Ltd
Original assignee: China Electronic Technology Cyber Security Co Ltd
Priority date: 2018-12-27
Filing date: 2018-12-27
Legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
                    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The present invention relates to the field of information security technology and specifically discloses an SDN-based anti-network-scanning method and system. The method includes legitimate-user identity authentication and legitimate data flow path establishment, and further includes illegal data flow blocking and/or scanning response forgery. Through these stages, without affecting normal business traffic, an attacker is prevented from obtaining the characteristic information of terminal systems in the protected SDN network, or is drawn onto a "honeypot" node deployed in the SDN network, so that the "network scanning" behaviour carried out by the attacker becomes ineffective and an anti-network-scanning effect is achieved.

Description

SDN-based anti-network-scanning method and system
Technical field
The present invention relates to the field of information security technology, and in particular to an SDN-based anti-network-scanning method and system.
Background art
Anti-port-scanning technology is an essential active security defence technology built around the reconnaissance link of the attack chain. It prevents an attacker from using scanning tools (such as nmap, zmap and masscan) to obtain the characteristic information of systems in the protected network, such as whether a system is online, its operating system type, its open ports and the characteristics of the services it runs, thereby achieving an anti-network-scanning effect.
"Software-defined networking" (SDN) is an emerging software-based network architecture and technology that grew out of the OpenFlow work at Stanford University. It is a way of optimising and simplifying network operation: it provides flexible and effective information exchange interfaces between the network and the applications that use it, and gives the network technical characteristics such as "openness, network programmability and network virtualisation", endowing it with stronger dynamic agility.
Through SDN technology, the transport plane of a network can be separated from its control plane, so that the network can be controlled centrally in a logical sense. The establishment of normal business connections can then be handed over to the SDN control plane, which makes it easier to screen out network reconnaissance probe packets hidden in the handshake traffic of normal business connections. This supports a more accurate distinction between normal business traffic and network attack traffic, and creates the conditions for an anti-network-scanning security defence technology.
Research on SDN-based anti-port-scanning technology concentrates on two points: first, in an SDN environment, preventing mainstream network scanning software from obtaining the characteristic information of the protected network without affecting normal business; second, in an SDN environment, deliberately inducing mainstream network scanning software to obtain deceptive information without affecting normal business, thereby forming an anti-network-scanning capability.
At present, no technology comparable to SDN-based anti-port-scanning has been found. As a novel active security defence technology, it can effectively reduce the probability that terminal systems in the protected SDN network are discovered by malicious attackers and avoid the exposure of system characteristic information. Alternatively, attacks can be drawn onto "honeypot" nodes deployed in the SDN network, so that the "network scanning" behaviour carried out by the attacker becomes ineffective, forming an effective anti-network-scanning capability.
Summary of the invention
The technical problem to be solved by the present invention is as follows: in view of the problems of the existing technology, the present invention proposes an SDN-based anti-port-scanning technology which, without affecting normal business, prevents an attacker from obtaining the characteristic information of terminal systems in the protected SDN network, thereby achieving an anti-network-scanning effect.
The SDN-based anti-network-scanning method provided by the invention includes legitimate-user identity authentication and legitimate data flow path establishment, and further includes illegal data flow blocking and/or scanning response forgery;
the legitimate-user identity authentication includes: when a user needs to access the SDN network, before communicating with other terminals, the user sends a special data packet to an SDN switch in the network to carry out identity authentication, the SDN network being the protected network;
the legitimate data flow path establishment includes: the SDN controller establishes one or more transmission channels for the data flows of a legitimate user, to ensure the normal transmission of the data flows, a legitimate user being a user who has passed identity authentication;
the illegal data flow blocking includes: invoking an appropriate network security policy in the application layer to block all illegal data flows from entering the network, an illegal data flow being the data flow generated when a user who has not passed identity authentication attempts to access the SDN network;
the scanning response forgery includes: setting flow entries in the SDN switches so that all illegal data flows entering the SDN network are drawn to a "honeypot" device deployed in advance in the network.
Another aspect of the present invention provides an SDN-based anti-network-scanning system, including an infrastructure layer, a control layer and an application layer. The infrastructure layer is the SDN network, i.e. the protected network, which includes several SDN switches connected to user terminals; an SDN controller is provided in the control layer, and the SDN controller includes a core module, a data packet transmission channel module and a routing calculation module; the application layer includes a user authentication module and a network security policy scheduling module;
the core module is used to analyse whether a business data packet sent by an SDN switch is a data packet transmitted by a legitimate user and, according to the data packet transmission path calculated by the routing calculation module, to configure the flow tables in all SDN switches on that transmission path in the SDN network so that they forward data packets with the specified characteristics;
the data packet transmission channel module is used to submit identity authentication data packets transmitted by users to the user authentication module in the application layer;
the routing calculation module is used to process business data packets that the core module has determined to be transmitted by a legitimate user, and to calculate, according to the source and destination addresses of the business data packet, a data packet transmission path from the source node to the destination node in the SDN network;
the user authentication module is used to verify the identity of the user according to the received identity authentication data packet, and to feed the final verification result back to the SDN controller;
the network security policy scheduling module is used to issue a security policy to the SDN controller that makes it block all illegal data flows from entering the SDN network; and/or, through SDN controller configuration commands, to draw all illegal data flows entering the SDN network to a "honeypot" device deployed in advance in the network, an illegal data flow being the data flow generated when a user who has not passed identity authentication attempts to access the SDN network.
Using software-defined networking (SDN) technology, the present invention devises a technical method and system for anti-network-scanning which, without affecting normal communication traffic, prevents mainstream network scanning software from obtaining the characteristic information of the protected SDN network, or draws it onto "honeypot" nodes deployed in the SDN network, so that the "network scanning" behaviour carried out by the attacker becomes ineffective, forming an effective anti-network-scanning capability.
Description of the drawings
Embodiments of the present invention will be described with reference to the accompanying drawings, in which:
Fig. 1 is the legitimate-user identity authentication flow chart of the embodiment of the present invention;
Fig. 2 is the legitimate data flow path establishment flow chart of the embodiment of the present invention;
Fig. 3 is the illegal data flow blocking flow chart of the embodiment of the present invention;
Fig. 4 is the scanning response forgery flow chart of the embodiment of the present invention.
Specific embodiments
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Unless specifically stated otherwise, any feature disclosed in this specification may be replaced by other alternative features that are equivalent or serve a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
The SDN-based anti-port-scanning technology provided by the invention mainly considers the following:
1. The problem of SDN-based legitimate-user identity confirmation: before a user attempts to access the protected SDN network, it must prove its legitimacy to the SDN network (i.e. the protected network); only after passing verification may it access the protected SDN network. It is therefore necessary to provide a high-level, secure identity authentication technology for SDN networks, one that cannot easily be intercepted and exploited by a malicious attacker, since otherwise serious problems such as network information spoofing would result.
2. The problem of establishing SDN-based legitimate data flow transmission channels: in order not to affect normal business communication, dedicated data flow transmission channels must be established for legitimate users, so that an authenticated legitimate user can conduct normal business with other terminals in the protected SDN network; otherwise serious problems such as blocked normal business communication would result.
3. The problem of SDN-based illegal data flow blocking: an attacker usually uses network scanning tools (such as nmap, zmap, masscan and the like) to obtain the characteristic information of the SDN network, such as whether terminal systems in the SDN network are online, their operating system types, running services and open ports, and then carries out penetration attacks using the key information obtained. It is therefore necessary to provide an SDN-based illegal data flow blocking technology that renders the attacker's "network scanning behaviour" ineffective, i.e. the attacker cannot obtain any characteristic information of the protected SDN network by scanning, thereby achieving an anti-network-scanning effect; otherwise serious problems such as leakage of the protected network's key characteristic information would result.
4. The problem of SDN-based scanning response forgery: in order to further improve the anti-network-scanning capability and effectively protect the terminal systems in the real SDN network, it is necessary to provide an active security defence mechanism that can forge the attacker's scanning response data and return false network characteristic information to the attacker, so that the attacker believes the attack it launched has succeeded, thereby effectively protecting the terminal systems in the real SDN network; otherwise serious problems such as leakage of the protected network's key characteristic information and exposure to network attack would result.
The technical solution of the present invention therefore mainly includes legitimate-user identity authentication and legitimate data flow path establishment, and further includes illegal data flow blocking and/or scanning response forgery. Through these stages, without affecting normal business, an attacker is prevented from obtaining the characteristic information of terminal systems in the protected SDN network, achieving an anti-network-scanning effect.
1. Legitimate-user identity authentication
When a legitimate user needs to access the protected network, before communicating with other terminals, the user must prove its legitimacy to the network (i.e. the protected network). In the SDN network, the user does this by sending a special data packet to an SDN switch in the network to carry out identity authentication.
As shown in Fig. 1, in an embodiment of the present invention, the steps by which a user carries out identity authentication include:
(1) The user sends a special identity authentication data packet to an SDN switch 12 in the infrastructure layer 1, i.e. the protected SDN network. The data packet has special network characteristics (for example a specific IP address, a specific port number, a specific protocol type, etc.), and these special characteristics are known only to the legitimate user and to the user authentication module of the application layer. Preferably, a digital certificate for verifying the user's identity is encapsulated in the data packet.
(2) After the identity authentication data packet transmitted by the user reaches the SDN switch 12 connected to the user terminal 11 in the network, SDN switch 12 submits the data packet through the control channel to the SDN controller 20 in the control layer 2 (normally in the form of a Packet-In message).
(3) The data packet transmission channel module 22 embedded in the SDN controller 20 submits these special user identity authentication data packets to the user authentication module 31 in the application layer 3.
(4) In the application layer 3, the user authentication module 31 verifies the identity of the user according to the digital certificate encapsulated in the received data packet.
(5) The user authentication module 31 feeds the final verification result back to the SDN controller 20.
2. Legitimate data flow transmission channel establishment
Once the user's identity has been verified, the user is determined to be a legitimate user, and all data flows transmitted thereafter by that user (or terminal) are identified as legitimate data flows. In the SDN network, the SDN controller establishes one or more transmission channels for the data flows of the legitimate user to ensure their normal transmission.
As shown in Fig. 2, the legitimate data flow transmission channel establishment of the embodiment of the present invention includes:
(1) After identity authentication, the legitimate user (legitimate user terminal A) sends business data packets to an arbitrary destination address in the network (user terminal B).
(2) When the first business data packet transmitted by the user arrives in the SDN network, SDN switch 12 submits it to the SDN controller 20 through the control channel.
(3) After the core module 21 of the SDN controller 20 receives the data packet, it analyses the packet's network characteristics, finds that it is a data packet transmitted by a legitimate user, and submits the data packet to the routing calculation module 23 for processing. The routing calculation module 23 in the SDN controller 20 calculates, according to the source and destination addresses of the data packet, a data packet transmission path from the source node to the destination node in the SDN network.
(4) The core module 21 in the SDN controller 20 configures, according to the calculation result of the routing calculation module 23, the flow tables in all SDN switches 12 on the transmission path in the SDN network, so that they forward data packets with the specified characteristics, and the packet is forwarded to destination terminal B.
(5) Subsequent data flows generated by user terminal A are transmitted through the SDN network along the established data flow transmission channel.
3. Illegal data flow blocking
When users who have not passed identity authentication attempt to access the protected network, the data flows generated by these users are regarded as "illegal data flows", and among them are the "network scanning" data flows transmitted by potential network attackers. To render the attacker's "network scanning behaviour" ineffective, all "illegal data flows" must be blocked from entering the network. In the SDN network this can be implemented by invoking an appropriate network security policy in the application layer.
As shown in Fig. 3, the illegal data flow blocking of the embodiment of the present invention includes:
(1) In the application layer 3, the network security policy scheduling module 32 issues a security policy to the SDN controller 20 that makes it block all illegal data flows from entering the protected network.
(2) After the SDN controller 20 receives the command, its network rule scheduling module deploys the policy at all entrances of the SDN network (by configuring the flow tables of the SDN switches 12), so that they discard all other received data packets that do not belong to legitimate users.
(3) The data flows of legitimate users can still be transmitted normally through the established data flow transmission channels.
(4) The data packets of all illegal users are discarded by the SDN switches at the "entrance" of the SDN network.
For the network attacker, none of the "network scanning" data packets it sends can enter the protected network, and so it receives no response packets in return. Therefore, as perceived by the network attacker, the protected network is a "black hole": no active terminal exists in the target network, and no network attack can be launched. In this way the purpose of anti-network-scanning is achieved.
4. Scanning response forgery
Another, more effective anti-port-scanning method is to forge the network attacker's scanning response data so that it obtains false network characteristic information. The core of this method is to establish a "honeypot" in the network. "Honeypot" technology is a common technique against network attacks; in essence a "honeypot" is a "decoy" deliberately set up by the network administrator to lure network attackers (hackers) into attacking it, so that their attack methods can be learned and countered with effective strategies. On the other hand, a "honeypot" (decoy) can be used to confuse network attackers into believing that the current attack has succeeded, so that they no longer change attack method or target, thereby protecting the real target.
In the SDN network, flow entries can be set in the SDN switches so that network scanning data flows are drawn into preset "honeypot" devices.
As shown in Fig. 4, the network security policy scheduling module in the application layer, through SDN controller configuration commands, draws all illegal data flows entering the protected network to a "honeypot" device (usually a server) deployed in advance in the network; these illegal data flows include the network scanning data flows transmitted by potential network attackers. After receiving network scanning data packets, the "honeypot" device forges false response packets according to a preconfigured security policy and feeds them back to the network attacker. On receiving the false responses, the attacker can only obtain false characteristic information about the target network, and the network attack data packets it launches later are also drawn into the "honeypot" device, so that terminals in the real SDN network are protected from attack and the purpose of anti-network-scanning is achieved. A "honeypot" here refers to an information system used to capture network attacks for network security research, with functions such as service emulation, behaviour monitoring and data analysis. Its form is not limited to a server: any information system that can emulate one or more specific services, monitor and record system behaviour, and store and analyse data can be used as a honeypot.
The invention is not limited to the specific embodiments described above. The present invention extends to any new feature or any new combination disclosed in this specification, and to the steps of any new method or process, or any new combination thereof, disclosed herein.
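As an added illustration (not code from the patent or its assignee), the following Python model ties the four stages together: the authentication packet is always handed up to the controller, a stand-in certificate check admits the user, a BFS routing module installs per-flow entries along the path, and unauthenticated sources are either dropped at the ingress switch (stage 3) or steered to the honeypot (stage 4). The three-switch topology, the "special" authentication endpoint 10.0.0.254:4433/tcp, the certificate table and the flow-entry priorities are constructed assumptions, and no OpenFlow library is used; switches and controller are simulated in-process.

```python
from collections import deque
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample network (not from the patent): switch -> {port: neighbouring switch}
LINKS = {"s1": {2: "s2"}, "s2": {1: "s1", 2: "s3"}, "s3": {2: "s2"}}
# Constructed host attachments: address -> (switch, port); 10.0.0.9 plays the honeypot
HOSTS = {"10.0.0.1": ("s1", 1), "10.0.0.2": ("s3", 1), "10.0.0.9": ("s2", 9), "10.0.0.66": ("s1", 3)}
HONEYPOT = "10.0.0.9"
# Assumed "special network characteristics" of the authentication packet (placeholder values)
AUTH_MATCH = {"dst": "10.0.0.254", "dport": 4433, "proto": "tcp"}
# Stand-in for certificate verification: cert id -> sender it is bound to (binding assumed here)
TRUSTED_CERTS = {"cert-alice": "10.0.0.1", "cert-bob": "10.0.0.66"}
BLOCK_PRIO, PATH_PRIO, AUTH_PRIO = 50, 100, 200   # flow-entry priorities (constructed)


class FlowEntry(NamedTuple):
    priority: int
    match: Dict[str, object]   # header fields that must all equal the packet's fields
    action: str                # "out:<port>", "drop" or "controller"


class Switch:
    def __init__(self) -> None:
        self.table: List[FlowEntry] = []

    def install(self, entry: FlowEntry) -> None:
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)   # highest priority first

    def lookup(self, pkt: dict) -> str:
        hits = [e for e in self.table if all(pkt.get(k) == v for k, v in e.match.items())]
        return hits[0].action if hits else "controller"   # table-miss: Packet-In to controller


class Controller:
    def __init__(self, policy: str = "drop") -> None:
        self.sw = {name: Switch() for name in LINKS}
        self.policy = policy           # "drop" = stage 3 blocking, "honeypot" = stage 4
        self.legit: Set[str] = set()   # addresses that passed identity authentication
        # Auth packets must always reach the controller, or a stage-3 drop entry for a source
        # that has not authenticated yet would also swallow its attempt to authenticate.
        for s in self.sw.values():
            s.install(FlowEntry(AUTH_PRIO, dict(AUTH_MATCH), "controller"))

    def compute_path(self, ingress: str, dst: str) -> List[Tuple[str, int]]:
        """Routing calculation module: BFS hops (switch, out port) from ingress to the host."""
        dst_sw, dst_port = HOSTS[dst]
        prev, queue = {ingress: None}, deque([ingress])
        while queue:
            cur = queue.popleft()
            if cur == dst_sw:
                break
            for port, nxt in LINKS[cur].items():
                if nxt not in prev:
                    prev[nxt] = (cur, port)
                    queue.append(nxt)
        hops, cur = [(dst_sw, dst_port)], dst_sw
        while prev[cur] is not None:
            cur, port = prev[cur]
            hops.append((cur, port))
        return hops[::-1]

    def packet_in(self, ingress: str, pkt: dict) -> str:
        """Core module: handle a packet handed up by a switch; returns the decision taken."""
        if all(pkt.get(k) == v for k, v in AUTH_MATCH.items()):        # stage 1
            # user authentication module: accept only a trusted certificate bound to the sender
            if TRUSTED_CERTS.get(pkt.get("cert")) != pkt["src"]:
                return "auth-failed"
            self.legit.add(pkt["src"])
            for s in self.sw.values():   # lift any earlier block/redirect on this source
                s.table = [e for e in s.table
                           if not (e.priority == BLOCK_PRIO and e.match.get("src") == pkt["src"])]
            return "authenticated"
        if pkt["src"] in self.legit:                                    # stage 2
            if pkt["dst"] not in HOSTS:
                return "unknown-destination"
            match = {"src": pkt["src"], "dst": pkt["dst"]}
            for sw, port in self.compute_path(ingress, pkt["dst"]):
                self.sw[sw].install(FlowEntry(PATH_PRIO, match, f"out:{port}"))
            return "path-installed"
        if self.policy == "honeypot":                                   # stage 4
            for sw, port in self.compute_path(ingress, HONEYPOT):
                self.sw[sw].install(FlowEntry(BLOCK_PRIO, {"src": pkt["src"]}, f"out:{port}"))
            return "redirected"
        self.sw[ingress].install(FlowEntry(BLOCK_PRIO, {"src": pkt["src"]}, "drop"))  # stage 3
        return "dropped"

    def trace(self, pkt: dict) -> List[Tuple[str, str]]:
        """Data-plane view: follow the packet hop by hop, asking the controller on a table-miss."""
        sw, hops = HOSTS[pkt["src"]][0], []
        while True:
            action = self.sw[sw].lookup(pkt)
            if action == "controller":
                self.packet_in(sw, pkt)
                action = self.sw[sw].lookup(pkt)
            hops.append((sw, action))
            if not action.startswith("out:") or LINKS[sw].get(int(action[4:])) is None:
                return hops   # dropped, held at the controller, or delivered out of a host port
            sw = LINKS[sw][int(action[4:])]
```

Two details the patent text leaves implicit are made explicit here: the authentication match is installed at a higher priority than any block entry so that a blocked source can still authenticate, and block or redirect entries for a source are removed once it proves legitimate, otherwise its first business packet would never reach the controller.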

Claims (10)

1. a kind of anti-network scanning method based on SDN, which is characterized in that including legitimate user's authentication and legitimate traffic Path Setup further includes that invalid data flow resistance is disconnected and/or scanning response is forged;
Legitimate user's authentication includes: to work as a user to need to access in SDN network, before being communicated with other terminals, SDN switch of the user into network sends a special data package to implement authentication, and the SDN network is protected Network;
The legitimate traffic Path Setup includes: that the data flow that SDN controller is legitimate user establishes several transmission channels, To ensure the normal transmission of data flow, the legitimate user is the user by authentication;
It includes: to call network security policy appropriate in application layer to block all invalid datas that the invalid data flow resistance is disconnected Stream enters network, the invalid data stream generated data when being user's intention access SDN network not by authentication Stream;
It includes: that flow entry is arranged in SDN switch that the scanning response, which is forged, by all invalid datas for flowing into SDN network Stream is drawn to " honey jar " equipment being previously deployed in network and gets on.
2. a kind of anti-network scanning method based on SDN according to claim 1, which is characterized in that the legitimate user Authentication specifically includes:
SDN switch of the user into network sends a special identification authentication data packet, which has special net Network feature, these special network feature informations only have legitimate user oneself and the user authentication module of application layer just to know Road;
After identification authentication data packet transmitted by user reaches the SDN switch being connected in network with user terminal, the data It is coated with SDN switch and SDN controller is submitted to by control channel;
Identification authentication data packet is submitted to the subscriber authentication in application layer by the data packet transmission channel module of SDN controller Module;
In application layer, user authentication module is verified according to identity of the data packet received to user, and will most Whole verification result feeds back to SDN controller.
3. a kind of anti-network scanning method based on SDN according to claim 2, which is characterized in that the special body The digital certificate of verifying user identity is encapsulated in part authentication data packet;The user authentication module of application layer is according to receiving Data packet in packaged digital certificate, the identity of user is verified.
4. a kind of anti-network scanning method based on SDN according to claim 2, which is characterized in that the special net Network feature includes specific IP address, specific port numbers and/or specific protocol type.
5. a kind of anti-network scanning method based on SDN according to claim 1, which is characterized in that the valid data Circulation road foundation specifically includes:
After authentication, legitimate user's arbitrary destination address into SDN network sends business data packet;
First business data packet transmitted by user reaches in SDN network, is submitted to by SDN switch by control channel SDN controller;
After the nucleus module of SDN controller receives the business data packet, the business datum is found by analyzing its network characterization Packet is the data packet as transmitted by legitimate user, then the business data packet is submitted to routing calculation module and handled;
Routing calculation module in SDN controller calculates one from SDN net according to the source of the business data packet, destination address Data packet transmission path of the source node of network to destination node;
Nucleus module in SDN controller configures the transmission path in SDN network according to the calculated result of routing calculation module Flow table in upper all SDN switches makes its forwarding have the data packet of specific characteristic;
Follow-up data stream caused by user terminal, by SDN network along the data stream transmitting channel transfer having built up.
6. a kind of anti-network scanning method based on SDN according to claim 1, which is characterized in that the invalid data Flow resistance is disconnected to be specifically included:
In the application layer, the network security policy scheduler module issues a security policy to the SDN controller, instructing it to block all illegal data flows from entering the SDN network;
After the SDN controller receives the command, it deploys the policy at all entrances of the SDN network through its networking rule scheduling module, so that the entrance switches discard all other received data packets that do not belong to legitimate users;
The data flows of legitimate users can still be transmitted normally through the data stream transmission channels that have been established;
The data packets of all illegal users are discarded by the SDN switches at the entrance of the SDN network.
7. The anti-network scanning method based on SDN according to claim 6, characterized in that deploying the policy at all entrances of the SDN network specifically consists of configuring the flow tables of the SDN switches.
8. The anti-network scanning method based on SDN according to claim 1, characterized in that the scanning response forgery specifically includes:
The network security policy scheduler module of the application layer, by means of configuration commands issued through the SDN controller, redirects all illegal data flows entering the SDN network to a "honeypot" device deployed in advance in the network;
After receiving a network scanning data packet, the "honeypot" device forges a false response data packet according to a preconfigured security policy and returns it to the network attacker.
9. The anti-network scanning method based on SDN according to claim 8, characterized in that the "honeypot" device is a server.
10. An anti-network scanning system based on SDN, comprising an infrastructure layer, a control layer and an application layer, wherein the infrastructure layer is the SDN network, i.e., the protected network, and the SDN network comprises several SDN switches connected to user terminals; an SDN controller is provided in the control layer; characterized in that the SDN controller comprises a core module, a data packet transmission channel module and a routing calculation module, and the application layer comprises a user authentication module and a network security policy scheduler module;
The core module is used to analyze whether a business data packet sent by an SDN switch is a data packet transmitted by a legitimate user and, according to the data packet transmission path calculated by the routing calculation module, to configure the flow tables in all SDN switches on that transmission path in the SDN network so that they forward data packets having the specific characteristic;
The data packet transmission channel module is used to submit the identity authentication data packet transmitted by a user to the user authentication module in the application layer;
The routing calculation module is used to process business data packets that the core module has analyzed as data packets transmitted by a legitimate user and, according to the source and destination addresses of the business data packet, to calculate a data packet transmission path from the source node to the destination node in the SDN network;
The user authentication module is used to verify the identity of a user according to the received identity authentication data packet and to feed the final verification result back to the SDN controller;
The network security policy scheduler module is used to issue a security policy to the SDN controller instructing it to block all illegal data flows from entering the SDN network; and/or, by means of configuration commands issued through the SDN controller, to redirect all illegal data flows entering the SDN network to a "honeypot" device deployed in advance in the network, the illegal data flows being the data flows generated when a user who has not passed identity authentication attempts to access the SDN network.
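The controller behaviour that claims 6 to 10 describe, as an added illustration written for this page rather than code from the patent or its assignee: a hypothetical controller that installs forwarding entries along a computed path only for users the authentication module has approved, and stops everyone else at the ingress switch with either a drop rule (claim 6) or a redirect to the honeypot port (claim 8). The topology, IP addresses, port numbers and all names are constructed assumptions.

```python
from collections import deque, namedtuple
from dataclasses import dataclass, field

HONEYPOT_PORT = 99  # constructed: switch port that faces the honeypot server

# One flow-table rule: match on source IP, act with "forward:<port>", "drop" or "redirect:<port>".
FlowEntry = namedtuple("FlowEntry", "switch match_src action")

@dataclass
class Controller:   # hypothetical: core, routing and policy roles in one object
    topology: dict                    # switch -> {neighbour switch: egress port}
    policy: str = "drop"              # claim 6 ("drop") or claim 8 ("honeypot")
    authenticated: set = field(default_factory=set)
    flow_tables: dict = field(default_factory=dict)   # switch -> [FlowEntry]

    def on_auth_result(self, user_ip, ok):
        # User authentication module feeds its verdict back to the controller.
        (self.authenticated.add if ok else self.authenticated.discard)(user_ip)

    def compute_path(self, src_sw, dst_sw):
        # Routing calculation module: shortest switch-to-switch path by BFS.
        prev, queue = {src_sw: None}, deque([src_sw])
        while queue:
            node = queue.popleft()
            if node == dst_sw:
                path = []
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            for nxt in self.topology.get(node, {}):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        return []

    def on_packet_in(self, ingress_sw, src_ip, dst_sw):
        # Core module: authenticated users get a path; all others are stopped at ingress.
        if src_ip in self.authenticated:
            path = self.compute_path(ingress_sw, dst_sw)
            for here, nxt in zip(path, path[1:]):  # host-facing port of dst_sw not modelled
                self._install(FlowEntry(here, src_ip, f"forward:{self.topology[here][nxt]}"))
            return "forward"
        action = "drop" if self.policy == "drop" else f"redirect:{HONEYPOT_PORT}"
        self._install(FlowEntry(ingress_sw, src_ip, action))  # never enters the fabric
        return action

    def _install(self, entry):
        self.flow_tables.setdefault(entry.switch, []).append(entry)
```

Because the drop or redirect entry lives only on the ingress switch, an unauthenticated source never gets a rule on any interior switch, which is the property a defender would verify when auditing the flow tables.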
CN201811612433.7A 2018-12-27 2018-12-27 A kind of anti-network scanning method and system based on SDN Pending CN109547478A (en)
Publications (1)

Publication Number Publication Date
CN109547478A true CN109547478A (en) 2019-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190329