CN109818953A - A kind of sensor safe defense technique in mobile Internet of things system - Google Patents

Info

Publication number: CN109818953A
Authority: CN (China)
Prior art keywords: network, address, mobile internet, things system, data
Legal status: Pending
Application number: CN201910055695.6A
Other languages: Chinese (zh)
Inventors: 杨小来, 钮鑫
Current assignee: Changzhou Vocational Institute of Engineering
Original assignee: Changzhou Vocational Institute of Engineering
Application filed by Changzhou Vocational Institute of Engineering
Priority to CN201910055695.6A
Publication of CN109818953A

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the field of the Internet of Things (IoT), and specifically to a sensor security defense technique for a mobile IoT system. Using SDN technology based on OpenFlow, a sensor network technology platform system is built in the mobile IoT system; the platform comprises a data link control system, a data communication relay system and an IP packet content modification system. The invention is comparatively easy to deploy and is compatible with traditional sensor network systems; the upper-layer structure of the system is relatively transparent, requiring no additional plug-ins or third-party software and no modification of the data communication of the original IoT system. The technical scheme not only protects the communication of each sensor device node within the system, but also protects the data transmission links of sensor devices across regions over the Internet, thereby achieving security defense for each sensor device in the mobile IoT system and for its data communication processes.

Description

A kind of sensor safe defense technique in mobile Internet of things system
Technical field
The present invention relates to the field of the Internet of Things (IoT), and specifically to a sensor security defense technique for a mobile IoT system.
Background technique
The OpenFlow-based sensor security defense technique is a novel defense technique for mobile IoT systems. Through this technique, the protected IoT devices appear to the public network to be in a state of constant change and movement, which achieves the purpose of protecting the IoT system. Research on defense techniques for mobile IoT systems has been carried out both domestically and abroad, but these techniques generally require third-party software or the deployment of new technical equipment to achieve security defense, and are widely incompatible with existing IoT systems.
The better-known examples are the foreign RHM and OF-RHM mobile device defense techniques, each of which proposes its own security defense scheme based on an OpenFlow system. However, the RHM defense technique requires that all equipment in the system be OpenFlow switches; deployment is difficult and costly, and it cannot be made compatible with existing networks, since in actual operation it is impossible to replace all equipment with OpenFlow switches. OF-RHM only protects the communicating node devices within the security defense region and cannot achieve all-around defense of the system across regions (over the Internet). Therefore, the present invention discloses an OpenFlow-based sensor security defense technical scheme for mobile IoT systems which, based on OpenFlow technology, uses a software-defined mobile IoT system to provide control and management capability for the mobile IoT defense system, while remaining compatible with traditional IoT systems.
Summary of the invention
To solve the above technical problems, the present invention discloses an active security defense technique for sensor devices in a mobile IoT system. During the network sniffing phase at the outset of a malicious attack such as a hacker intrusion, this active defense technique provides, to the greatest extent possible, active security defense for a mobile IoT system that carries public network data.
The specific technical solution adopted by the present invention is as follows:
A sensor security defense technique in a mobile IoT system uses SDN technology based on OpenFlow to build a sensor network technology platform system in the mobile IoT system; this platform comprises a data link control system, a data communication relay system and an IP packet content modification system. On this technology platform system, each sensor defense module in the mobile IoT system is built and its functions realized, and through the coordinated operation of the defense function modules the security defense function of the mobile IoT system is completed.
The security defense technical scheme disclosed by the present invention is directed at mobile IoT systems and achieves the following three functional objectives: (1) deployment is comparatively easy, the scheme is compatible with traditional sensor network systems, and security defense of mobile sensor devices can be achieved; (2) the upper-layer structure of the system is relatively transparent: the sensor devices in the mobile IoT system need no additional plug-ins or third-party software, and no modification of the data communication of the original IoT system is needed; (3) whole-network defense of the mobile IoT system is achieved: the scheme protects not only the communication of each sensor device node within the system but also the data transmission links of sensor devices across regions over the Internet, thereby protecting each sensor device of the mobile IoT system and its data communication processes.
Further, within the internal region of the mobile IoT system, a network IP address hopping algorithm is used to hide the actual addresses of sensor devices. Across regions, in the Internet environment, hopping of the data transmission ports of OpenFlow switch devices is used to protect data communication in the public network environment. An MTD controller (moving target defense controller) based on OpenFlow technology monitors and maintains the operating state of the mobile IoT system; the moving target defense controllers located in the internal regions of the multiple different mobile IoT systems realize synchronization of the control and management strategy through a data information synchronization server between the mobile IoT system regions.
The moving target defense controller is composed of a mobile sensor device defense function module based on OpenFlow technology and an OpenFlow controller function module. Data communication between the sensor security defense module and the OpenFlow controller module takes place over the northbound interface. The security defense function modules comprise a control instruction and input/output module, a network IP address hopping module, an OpenFlow switch device data transmission port hopping module, and a data information synchronization module between mobile IoT system regions. The moving target defense controllers in each mobile IoT system region connect through the data information synchronization server between the system regions to complete the synchronization of data transmission port hopping information.
The network IP address hopping module manages the network IP address hopping within the internal region of the mobile IoT system. As a data packet transmitted within the internal region passes through each router on its transmission path, its network IP addresses are adjusted and changed; in this way the network IP addresses of both parties to the data communication are hidden. An illegal network intruder cannot, while sensor devices in the internal region are transferring data, monitor and capture part of the data and analyze from it the various information about the sensor devices inside the mobile IoT system. This mode is referred to as network IP address hopping.
The security defense of data transfer between mobile IoT system regions is completed by the data transmission port hopping module. To be compatible with existing IoT systems, the security defense scheme is designed around, and uses, an OpenFlow-based switch with gateway functionality. Through the OpenFlow switch, the hopping of data transmission ports is performed whenever information is exchanged between mobile IoT system regions. By hopping the device ports the transmitted data information is hidden; at the same time, the module also restores the data packet ports of packets received from other mobile IoT system regions. An illegal network intruder cannot intercept the packets transmitted between mobile IoT system regions (over the Internet) and analyze from them the various information about the sensor devices inside the mobile IoT system.
The data information synchronization server between the mobile IoT system regions provides, for the equipment in the different mobile IoT system regions, synchronization of the data transmission port hopping information and of the system time. The synchronization module within a mobile IoT system region and the data information synchronization server between the regions transmit data encrypted under the SSL security protocol, ensuring the security of communication between the synchronization module and the synchronization server. Technologies such as software and hardware firewalls ensure the security of the hardware and software systems of the data information synchronization server and the controller.
Data information exchange between the sensor device security defense module and the OpenFlow controller within a mobile IoT system region is realized through the control instruction and input/output module.
Beneficial effects of the present invention: the present invention uses the flexible network characteristics of the OpenFlow network structure. At the network level of the mobile IoT system, for each sensor device and for each router device passed through during data transmission, it performs a double random transformation of the network IP address and of the cross-region OpenFlow switch device data transmission port, achieving the goal of protecting sensor devices, routers, switches and other equipment in the mobile IoT system. Compared with existing mobile IoT system security defense techniques, the technical scheme has good compatibility, is relatively easy to deploy, and can protect data transmission across the whole mobile IoT system. During the network sniffing that precedes a malicious attack such as a hacker intrusion, hiding sensor facility information and similar means provide, to the greatest extent possible, active security defense for a mobile IoT system carrying public network data.
Brief description of the drawings
Fig. 1 is a structural diagram of the OpenFlow-based sensor security defense system in a mobile IoT system.
Fig. 2 is the structure of the security defense function modules of sensor devices in a mobile IoT system.
Fig. 3 is the network IP address hopping process.
Fig. 4 is the OpenFlow switch device data transmission port hopping process.
Specific embodiment
To deepen the understanding of the present invention, it is further described in detail below with reference to the drawings and an embodiment. The embodiment serves only to explain the present invention and does not limit its scope of protection.
Embodiment: a sensor security defense technique in a mobile IoT system uses SDN technology based on OpenFlow to build a sensor network technology platform system in the mobile IoT system; this platform comprises a data link control system, a data communication relay system and an IP packet content modification system. On this technology platform system, each sensor defense module in the mobile IoT system is built and its functions realized, and through the coordinated operation of the defense function modules the security defense function of the mobile IoT system is completed.
As shown in Fig. 1, within the internal region of the mobile IoT system, a network IP address hopping algorithm is used to hide the actual addresses of sensor devices. Across regions, in the Internet environment, hopping of the data transmission ports of OpenFlow switch devices is used to protect data communication in the public network environment. An MTD controller (moving target defense controller) based on OpenFlow technology monitors and maintains the operating state of the mobile IoT system; the moving target defense controllers located in the internal regions of the multiple different mobile IoT systems realize synchronization of the control and management strategy through the data information synchronization server between the mobile IoT system regions.
As shown in Fig. 2, data communication between the sensor security defense module and the OpenFlow controller module takes place over the northbound interface. The security defense function modules comprise a control instruction and input/output module, a network IP address hopping module, an OpenFlow switch device data transmission port hopping module, and a data information synchronization module between mobile IoT system regions. The moving target defense controllers in each mobile IoT system region connect through the data information synchronization server between the system regions to complete the synchronization of data transmission port hopping information. The network IP address hopping module manages the network IP address hopping within the internal region of the mobile IoT system: as a packet transmitted within the internal region passes through each router on its path, its network IP addresses are adjusted and changed, and in this way the network IP addresses of both communicating parties are hidden. An illegal network intruder cannot, while sensor devices in the internal region are transferring data, monitor and capture part of the data and analyze from it the various information about the sensor devices inside the mobile IoT system; this mode is referred to as network IP address hopping. The security defense of data transfer between mobile IoT system regions is completed by the data transmission port hopping module. To be compatible with existing IoT systems, the security defense scheme is designed around, and uses, an OpenFlow-based switch with gateway functionality. Through the OpenFlow switch, the hopping of data transmission ports is performed whenever information is exchanged between mobile IoT system regions.
By hopping the device ports the transmitted data information is hidden; at the same time, the module also restores the data packet ports of packets received from other mobile IoT system regions. An illegal network intruder cannot intercept the packets transmitted between mobile IoT system regions (over the Internet) and analyze from them the various information about the sensor devices inside the mobile IoT system. The data information synchronization server between the mobile IoT system regions provides, for the equipment in the different regions, synchronization of the data transmission port hopping information and of the system time. The synchronization module within a region and the data information synchronization server between regions transmit data encrypted under the SSL security protocol, ensuring the security of communication between the synchronization module and the synchronization server. Technologies such as software and hardware firewalls ensure the security of the hardware and software systems of the data information synchronization server and the controller. Data information exchange between the sensor device security defense module and the OpenFlow controller within a mobile IoT system region is realized through the control instruction and input/output module.
Within the internal region of the mobile IoT system, hiding of the actual addresses of sensor devices, and thus active defense of the sensor devices, is completed with the network IP address hopping algorithm: the network management capability provided by OpenFlow switches, combined with the network IP address hopping algorithm designed in this patent, realizes the network IP address hopping technique. The network IP address hopping module is deployed in the moving target defense controller.
Network IP address hopping process
For example: sensor device X and sensor device Y in the internal region of some mobile IoT system communicate through OpenFlow switches 1, 2, 3, ..., n. All the switches operate in proactive routing mode: when a packet whose forwarding path is unknown arrives at one of the switches, the switch first queries the controller for the forwarding rule of that packet, then forwards it according to the data forwarding flow table it receives. When sensor device X attempts to connect to sensor device Y, X constructs, according to the network address information of Y, a new packet carrying the five-tuple {source device network IP address, source device network port, destination device network IP address, destination device network port, data communication protocol type}.
As shown in Fig. 3, in the header information (the five-tuple) of the initial packet constructed by sensor device X, the source and destination addresses are the network addresses of X and Y respectively. When the packet reaches the OpenFlow switch directly connected to X, the switch sends the header of the initial packet to the controller and at the same time queries the controller for the forwarding rule of this packet. The controller receives the query and, according to the header information (the five-tuple) and using the network IP address hopping algorithm designed in this patent, generates a different forwarding strategy {forwarding strategy 1, forwarding strategy 2, forwarding strategy 3, ..., forwarding strategy n} for each of the switches 1, 2, 3, ... passed through during transmission, and sends each forwarding strategy to the corresponding OpenFlow switch. After an OpenFlow switch receives its forwarding strategy, it completes the corresponding forwarding action for the packet.
Under the network IP address hopping strategy disclosed by the present invention, at each OpenFlow switch the packet passes through, the source and destination network IP addresses of the sensor devices are randomly changed, so that the true source and destination addresses of the sensor devices are hidden and the goal of protecting the sensor devices in the mobile IoT system region is achieved.
Suppose an illegal intruder intercepts packets. Under the network IP address hopping strategy disclosed by the present invention, the intruder cannot obtain sensor device information by analyzing the intercepted packets. During data transmission by a sensor device in the mobile IoT system, only the port of the OpenFlow switch directly connected to the sensor device can receive packets carrying the sensor device's real network IP address; the headers of packets transmitted between the other switches carry randomly changed virtual addresses. The illegal intruder cannot intercept packets carrying the sensor device's real network IP address while the device is transmitting data, and therefore cannot obtain the sensor device's information.
The network IP address hopping algorithm used in this embodiment specifically comprises the following technical scheme:
Within the internal region of the mobile IoT system, when the OpenFlow switches are deployed, Dijkstra's algorithm (shortest path first) is first used to calculate the shortest path for each sensor device in the internal region.
In this algorithm, the number of switches a packet passes through on its transmission path is the length of the path. When Dijkstra's algorithm calculates the shortest path, for OpenFlow switch M and OpenFlow switch N in the internal region it calculates the shortest path r between M and N and its link length k. At the same time, a shortest path matrix between M and N is constructed: shortest path matrix = {(r, k) | r, k ∈ internal region of the mobile IoT system, r ≠ k}.
System initialization: after the shortest path matrix between each pair of OpenFlow switches has been calculated, a request is generated to forward the header information of a packet carrying the five-tuple {source device network IP address, source device network port, destination device network IP address, destination device network port, data communication protocol type}.
If no new packet is generated between OpenFlow switch M and OpenFlow switch N within time t, the loop operation is performed. Every time t elapses, the connection is checked to judge whether it has been disconnected or has gone to sleep; if it has been disconnected or is asleep, all forwarding strategies for this packet are deleted. If the connection is maintained, the network IP address hopping strategy is updated;
The shortest path matrix between OpenFlow switch M and OpenFlow switch N is queried to obtain the shortest transmission path r for this packet;
All switch information on the shortest transmission path r is obtained by cyclic query, and the corresponding data forwarding strategy is generated for each switch. First, a random algorithm is used to generate random IPs for the source switch and the destination switch; if a newly generated random IP address has already been used by an existing network IP address hopping strategy, the random algorithm is applied again to generate the IPs of the source switch and the destination switch until there is no repetition. The randomly generated IPs of the source switch and the destination switch are added to the database of network IP addresses currently in use. The data forwarding strategy is shown in Table 1-1 below:
Table 1-1 data forwarding flow table
In the forwarding strategy of a packet, the source device network IP address and destination device network IP address used by the first OpenFlow switch the packet passes through are the packet's own source and destination device network IP addresses; every other OpenFlow switch uses the changed source and destination device network IP addresses from the preceding forwarding strategy. On the last OpenFlow switch the packet passes through, the source and destination device network IP addresses must be changed back to the packet's original addresses, so as to remain compatible with existing network communication protocols.
During packet transmission, the forwarding strategy for each OpenFlow switch along the path is automatically delivered to the corresponding OpenFlow switch;
Wait for time t to end;
End of loop;
The latest data forwarding strategy for this packet is deleted from each OpenFlow switch on the packet's transmission path, and the corresponding addresses are deleted from the database of network IP addresses currently in use.
Every time t elapses in the network IP address hopping algorithm, the connection is checked to judge whether it has been disconnected or is asleep; if it has been disconnected or is asleep, all forwarding strategies for this packet are deleted. If the connection is maintained, the network IP address hopping strategy is updated, which increases the security of the system. When a network IP address hopping strategy is generated, the IP hopping strategy for the packet's transmission direction is generated together with the reverse hopping strategy used when the response packet is transmitted.
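The address hopping steps above, as an added example that is not part of the patent: a Python sketch of the controller-side logic, assuming a constructed five-switch topology, a constructed private pool 10.200.0.0/16 for virtual addresses, and hop count as Dijkstra's path length. The first switch matches the real address pair, every hop rewrites to a fresh pair not already in use, the last switch restores the real pair, a reverse strategy is built for responses, and expiry frees the addresses.

```python
import heapq
import ipaddress
import random
from dataclasses import dataclass

# Constructed topology for this example: five OpenFlow switches, each link costs one hop.
TOPOLOGY = {
    "s1": ["s2"],
    "s2": ["s1", "s3", "s4"],
    "s3": ["s2", "s5"],
    "s4": ["s2", "s5"],
    "s5": ["s3", "s4"],
}
# Access switch each sensor device (real address) is directly attached to (constructed).
ATTACHED = {"10.1.0.11": "s1", "10.1.0.22": "s5"}


def shortest_path(topology, src_sw, dst_sw):
    """Dijkstra with hop count as the path length: the number of switches crossed."""
    dist, prev, heap = {src_sw: 0}, {}, [(0, src_sw)]
    while heap:
        d, sw = heapq.heappop(heap)
        if sw == dst_sw:
            break
        for nxt in topology[sw]:
            if d + 1 < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + 1, sw
                heapq.heappush(heap, (d + 1, nxt))
    if dst_sw not in dist:
        return None
    path = [dst_sw]
    while path[-1] != src_sw:
        path.append(prev[path[-1]])
    return path[::-1]


@dataclass(frozen=True)
class FlowRule:
    switch: str      # flow-table entry: match the header pair, rewrite it, then forward
    match_src: str
    match_dst: str
    set_src: str
    set_dst: str


class AddressHopper:
    """Controller-side hopping state: virtual addresses in use and rules per connection."""

    def __init__(self, pool="10.200.0.0/16", seed=None):
        self.pool = ipaddress.ip_network(pool)
        self.rng = random.Random(seed)
        self.in_use = set()      # virtual addresses held by some active strategy
        self.strategies = {}     # (src, dst) -> list of FlowRule (both directions)

    def _fresh_address(self):
        # Re-draw until the address is not already used by another hopping strategy.
        while True:
            cand = str(self.pool[self.rng.randrange(1, self.pool.num_addresses - 1)])
            if cand not in self.in_use:
                self.in_use.add(cand)
                return cand

    def build_strategy(self, path, src, dst):
        """First switch matches the real pair, each hop emits a fresh virtual pair,
        the last switch restores the real pair so the endpoint sees ordinary traffic."""
        rules, cur = [], (src, dst)
        for i, sw in enumerate(path):
            last = i == len(path) - 1
            nxt = (src, dst) if last else (self._fresh_address(), self._fresh_address())
            rules.append(FlowRule(sw, cur[0], cur[1], nxt[0], nxt[1]))
            cur = nxt
        return rules

    def connect(self, src, dst):
        path = shortest_path(TOPOLOGY, ATTACHED[src], ATTACHED[dst])
        fwd = self.build_strategy(path, src, dst)          # request direction
        rev = self.build_strategy(path[::-1], dst, src)    # response direction
        self.strategies[(src, dst)] = fwd + rev
        return fwd, rev

    def refresh(self, src, dst):
        """Every period t while the connection stays up: replace the virtual addresses."""
        self.expire(src, dst)
        return self.connect(src, dst)

    def expire(self, src, dst):
        """Connection closed or asleep: drop its rules and free its virtual addresses."""
        for rule in self.strategies.pop((src, dst), []):
            self.in_use.discard(rule.set_src)
            self.in_use.discard(rule.set_dst)


def traverse(rules, src, dst):
    """Apply the rules hop by hop; returns the (src, dst) header seen after each switch,
    i.e. what a tap on each inter-switch link would capture (last entry is delivered)."""
    seen, hdr = [], (src, dst)
    for rule in rules:
        if (rule.match_src, rule.match_dst) != hdr:
            raise ValueError(f"no rule at {rule.switch} matches {hdr}")
        hdr = (rule.set_src, rule.set_dst)
        seen.append(hdr)
    return seen
```

Only the headers after the last switch carry the real addresses; every inter-switch link shows a pair from the virtual pool, and a second connection can never reuse an address that is still in use.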
In order to compatible with traditional Internet of things system, the data transmission between mobile Internet of things system each region is being carried out When, the data transmission set and agreement between original mobile Internet of things system region cannot be changed.So the present invention discloses one Kind realizes mobile Internet of things system each region using the mode of Openflow switch device data transmission port random jump Between mobile target Defensive Target.
The random jump process of Openflow switch device data transmission port
The task of the random jump of Openflow switch device data transmission port, by the inside of mobile Internet of things system The network ip address and communication port of sensor device are converted into public network by Openflow interchanger in region (Internet) address and corresponding communication port.Meanwhile periodically-varied communicating pair sensor device is corresponding The communication port of Openflow interchanger makes illegal invasion person can not be according to the sensor device IP address and end that certain is intercepted Message breath, obtains the information of sensor device, also can not be in the IP and port information intrusion system for continuing to use intercepting and capturing in the future.
Such as: sensor device E and sensor device F is located at different mobile Internet of things system region 1 and movement Internet of things system region 2, mobile Internet of things system region 1 and mobile Internet of things system region 2 are connected by public network (Internet) It connects.Meanwhile data information sync server is disposed at public network (Internet).Mobile Internet of things system region 1 and mobile Internet of Things 1 He of Openlow interchanger is disposed in the position for the data communication that net system realm 2 is connected with public network (Internet) respectively Openlow interchanger 2.The two interchangers carry out the transmission of Openflow switch device data under the management of MTD controller Port-hopping work.As shown in Figs 1-4, when sensor device E starts to be attached communication to sensor device F, sensor Equipment E first passes through the dns server in mobile Internet of things system region 1, inquires public network (Internet) net of sensor device F Network address.Then, sensor device E is constructed with five yuan of array informations { source device network ip address, source device network-side Mouth, purpose equipment network ip address, the purpose equipment network port and data communication protocol type } header packet information data packet.
In the initial packet handled by the OpenFlow switch device, the source-device network IP address in the five-tuple of the packet header is the actual address of sensor device E and the destination-device network IP address is the actual address of sensor device F. Inside mobile IoT system region 1 the packet is transmitted using network IP address hopping: every time the packet passes an OpenFlow switch, its source and destination network IP addresses are changed (see the network IP address hopping algorithm of this patent). When the packet reaches the OpenFlow switch at the junction between the interior zone of the mobile IoT system and the public network (Internet), the data transmission port is hopped at random; this OpenFlow switch performs the function of a gateway.
The OpenFlow switch with the gateway function sends the forwarded packet, which carries the five-tuple, to the controller. The controller runs the data transmission port hopping algorithm, randomly generates a data transmission port hopping strategy and forwards it to the OpenFlow switch with the gateway function; at the same time the strategy is synchronised to the data information sync server deployed on the public network (Internet). According to the port hopping strategy, the gateway OpenFlow switch rewrites the source-device network IP address to the public network (Internet) IP address of mobile IoT system region 1 and rewrites the source-device network port to the random port produced by the port hopping strategy. Every time period t1 the controller recalculates the port hopping strategy from the current system time, updates it and forwards it to the gateway OpenFlow switch, so that the data transmission port hops once every period t1.
When the packet is forwarded over the public network (Internet) to the OpenFlow switch with the gateway function in mobile IoT system region 2, that switch sends the received packet carrying the five-tuple to the MTD controller of region 2 and at the same time queries the MTD controller for the data forwarding strategy. The controller of region 2 synchronises in real time, with the data information sync server located on the public network (Internet), the data transmission port hopping strategies of every mobile IoT system region; following the port hopping algorithm and using the current system time, it computes and restores the packet's header information. The packet is then transmitted within region 2 using the network IP address hopping algorithm of this patent and is finally delivered to sensor device F, which completes the whole data communication process.
Data transmission port hopping algorithm
When a packet is transmitted over the public network (Internet) between mobile IoT system regions, the data transmission port hopping algorithm converts the packet of a mobile IoT system region to a public network (Internet) address by means of data transmission port mapping and, every time period t1, hops the mapped port periodically, so that the characteristics of the data communication are hidden.
System initialisation: the packet arrives at the OpenFlow switch with the gateway function; its header carries the five-tuple {source-device network IP address, source-device network port, destination-device network IP address, destination-device network port, data communication protocol type}.
Mobile IoT system region sending the packet:
1. Loop while the communicating parties keep generating new packets within time t2 (when no new packet appears within t2 the loop ends):
2. The controller uses a random function to generate a new, currently unused source data transmission port and queries the data information sync server to check whether this new port is already in use; if it is, a new source port is generated at random again; if it is not occupied, the new source port can be used. At the same time the controller queries the data information sync server and obtains the new destination port;
3. Construct the port mapping flow entry of the sending mobile IoT system region, as shown in Table 1-2;
Table 1-2 Port mapping flow table of the mobile IoT system region sending the packet
4. Synchronise the new port mapping flow table of the mobile IoT system region to the data information sync server;
5. Wait for time t2;
6. End of loop;
7. Remove the port mapping flow table of this packet from the mobile IoT system region.
Mobile IoT system region receiving the packet:
1. Loop while the communicating parties keep generating new packets within time t2 (when no new packet appears within t2 the loop ends):
2. The controller queries the data information sync server for the sending side's port mapping flow table and from it generates the receiving side's port mapping flow table, as shown in Table 1-3; at the same time it delivers this port mapping flow table to the gateway switch;
3. Wait for time t2;
4. End of loop;
5. Remove the port mapping flow table of this packet from the mobile IoT system region.
Table 1-3 Port mapping flow table of the mobile IoT system region receiving the packet
Analysis of the ability of this invention to resist illegal sniffing
A malicious attacker can perform p sniffing attacks per second against the sensor devices in the interior zone of the mobile IoT system, so in time period t3 the total number of sniffing attacks the attacker can complete is S = p*t3. For a mobile IoT system with no deployed security defence the attacker can therefore, within a limited time, complete the sniffing of every device in the whole network address space of the system; the time t3 needed to complete the sniffing is inversely proportional to the attacker's capability (p sniffing attacks per second).
After the security defence system of this invention is constructed, the network IP address hopping in the interior zone of the mobile IoT system is updated with period t4, and the random address pool of the network IP address hopping contains N IP addresses (for IPv4 the address space holds at most 2^32 - 1 addresses). Because the network IP address hops every time t4, the attacker cannot complete the sniffing task within the limited time, and the probability that a sniffing attack succeeds is SC = (p*t4)/N. When the random address pool takes the maximum IPv4 address space of 4294967295 (2^32 - 1) addresses, the denominator of SC is far larger than the numerator and the attacker's sniffing success rate is essentially zero. With the random address pool at the maximum address space (2^32 - 1), shortening the network IP address hopping update period further reduces the attacker's sniffing success rate, but it also requires a higher-performance MTD controller and OpenFlow switches and a faster network data transmission speed; the hopping update period is therefore set according to these three factors.
For sniffing attacks coming from the public network (Internet), the network port range is 65535, and the data transmission port pool of this invention is set to the full port range of 65535. With the data transmission port hopping algorithm the mapped port is hopped periodically, hiding the characteristics of the data communication so that the attacker cannot sniff on a fixed port, which improves the ability to defend against attacks. Because the port hopping strategy is applied only at the OpenFlow switch with the gateway function, the port hopping period of the mapped port is configured mainly according to the performance of the gateway OpenFlow switch and the network data transmission speed.
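The sniffing analysis above, carried through with the patent's own symbols as an added illustration that is not part of the patent text. The numeric values p = 10^4 sniffing attempts per second and t4 = 1 s are assumed for the worked instance, and the last line adds the cumulative view over several hop periods, which the patent does not state:

$$
S = p\,t_3, \qquad t_3^{\mathrm{sweep}} = \frac{N}{p} \quad \text{(no defence: time to sweep all } N \text{ addresses)}
$$
$$
SC = \frac{p\,t_4}{N}, \qquad p = 10^{4},\; t_4 = 1\ \mathrm{s},\; N = 2^{32}-1 \;\Rightarrow\; SC = \frac{10^{4}}{4294967295} \approx 2.3 \times 10^{-6}
$$
$$
P_{\mathrm{hit}}(k) = 1 - (1 - SC)^{k} \le k\,SC = \frac{p\,T}{N} \qquad \text{after } k = T/t_4 \text{ hop periods in an observation window } T
$$

SC is the probability that the attacker finds the live address within one hop period. Over a longer window T the bound pT/N no longer depends on t4, so a shorter hopping period does not lower the total number of hits against a random scanner; what it buys is that any address the attacker does discover is valid for at most t4 before it is re-drawn, which is the moving-target property the rest of the page relies on.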
The basic principles, main features and advantages of the invention have been shown and described above. Those skilled in the art should understand that the invention is not limited to the above embodiments; the above embodiments and description only illustrate the principles of the invention, and various changes and improvements may be made to the invention without departing from its spirit and scope, all of which fall within the scope of the claimed invention. The claimed scope of the invention is defined by the appended claims and their equivalents.

Claims (8)

1. A sensor security defence technique in a mobile Internet of Things system, characterised in that SDN technology based on OpenFlow is used to construct a sensor network technology platform in the mobile IoT system, the platform comprising a data link control system, a data communication relay system and an IP packet content modification system.
2. The sensor security defence technique in a mobile IoT system according to claim 1, characterised in that, within the interior zone of the mobile IoT system, the actual addresses of the sensor devices are hidden using the network IP address hopping algorithm; across regions, in the Internet environment, data communication over the public network is protected by the data transmission port hopping of the OpenFlow switch devices; an MTD controller using OpenFlow technology monitors and maintains the running state of the mobile IoT system; and the MTD controllers located in multiple different interior zones of the mobile IoT system realise the synchronisation of control management strategies through the data information sync server located between the mobile IoT system regions.
3. The sensor security defence technique in a mobile IoT system according to claim 2, characterised in that the MTD controller is made up of a mobile sensor device defence function module based on OpenFlow technology and an OpenFlow controller function module.
4. The sensor security defence technique in a mobile IoT system according to claim 3, characterised in that a packet transmitted within the interior zone of the mobile IoT system has its network IP address adjusted and changed by every router it passes through on its transmission path.
5. The sensor security defence technique in a mobile IoT system according to claim 4, characterised in that the security defence of data information transmission between mobile IoT system regions is performed by the data transmission port hopping module, using switches based on OpenFlow technology that have the gateway function, the OpenFlow switches performing the hopping of the data transmission port whenever information is exchanged between mobile IoT system regions.
6. The sensor security defence technique in a mobile IoT system according to claim 5, characterised in that the synchronisation module within a mobile IoT system region and the data information sync server between the mobile IoT system regions transmit data encrypted with the SSL security protocol, ensuring the security of the communication between the synchronisation module and the sync server, and that software and hardware firewall technologies are used to ensure the security of the hardware and software systems of the data information sync server and the controllers.
7. The sensor security defence technique in a mobile IoT system according to claim 1, characterised in that, in the network IP address hopping strategy used by the technique, every OpenFlow switch that a packet passes through randomly changes the source and destination network IP addresses of the sensor devices, so that the true source and destination addresses of the sensor devices are hidden and the sensor devices in the mobile IoT system region are protected, wherein the network IP address hopping algorithm is as follows:
In the interior zone of the mobile IoT system, when the OpenFlow switches are deployed, the Dijkstra algorithm is first used to compute the shortest path between the sensor devices in the interior zone;
When computing the shortest paths with the Dijkstra algorithm, for OpenFlow switch M and OpenFlow switch N in the interior zone of the mobile IoT system, the shortest path r between M and N and its link length k are computed, and at the same time the shortest path matrix between M and N is built: shortest path matrix = {(r, k) | r, k ∈ interior zone of the mobile IoT system, r ≠ k};
System initialisation: after the shortest path matrix between every pair of OpenFlow switches has been computed, a packet header carrying the five-tuple {source-device network IP address, source-device network port, destination-device network IP address, destination-device network port, data communication protocol type} is generated and forwarding is requested;
When OpenFlow switch M and OpenFlow switch N have not generated a new packet within time t, the loop runs: every time t the connection is checked to judge whether it has been disconnected or has gone dormant; if it has been disconnected or is dormant, all forwarding strategies of this packet are deleted; if the connection is still held, the network IP address hopping strategy is updated;
The shortest path matrix between OpenFlow switch M and OpenFlow switch N is queried to obtain the shortest transmission path r of this packet;
All switch information on the shortest transmission path r is obtained by cyclic query and the corresponding data forwarding strategy is generated for each switch: a random algorithm first generates the IP of the source switch and the IP of the destination switch at random; if the newly generated random IP addresses have already been used by an existing network IP address hopping strategy, the random algorithm keeps generating source-switch and destination-switch IPs at random until there is no repetition; the randomly generated source-switch IP and destination-switch IP are then added to the database of network IP addresses currently in use;
In the forwarding strategy of a packet, the first OpenFlow switch the packet passes through uses the packet's own source-device network IP address and destination-device network IP address as the addresses it matches; every other OpenFlow switch uses the changed source-device and destination-device network IP addresses produced by the forwarding strategy of the previous switch; on the last OpenFlow switch the packet passes through, the source-device and destination-device network IP addresses must be changed back to the original addresses of the packet, so as to stay compatible with existing network communication protocols;
During packet transmission, the forwarding strategy of each OpenFlow switch on the path is automatically delivered to the corresponding OpenFlow switch;
Wait for time t;
End of loop;
The latest data forwarding strategy for this packet is deleted from every OpenFlow switch on the packet's transmission path, and the corresponding addresses are removed from the database of network IP addresses currently in use.
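The network IP address hopping algorithm of claim 7 (and the in-region transmission described in the embodiment above), as an added example that is not the patent's own code: Dijkstra over a constructed switch topology, a fresh random (source, destination) address pair drawn from a pool for every hop, one rewrite rule per OpenFlow switch, restoration of the real addresses at the last switch, and the periodic refresh-or-teardown step of the claim's loop. The topology `TOPOLOGY`, the host addresses 10.1.0.5 and 10.1.0.9, the pool 10.0.0.0/16 and the function names are all assumptions made for the demo; the rules are plain Python dictionaries rather than OpenFlow flow-mod messages.

```python
"""Added example (not the patent's own code) of the network IP address hopping
algorithm of claim 7: Dijkstra shortest path between the ingress and egress
OpenFlow switches, a fresh random (source, destination) address pair drawn from
a pool for every hop, one rewrite rule per switch, and restoration of the real
addresses at the last switch so that the end hosts never see the hopping. The
topology, the hosts' addresses and the pool range are constructed for the demo."""
import heapq
import ipaddress
import random

# Constructed in-region topology: OpenFlow switches and link costs
TOPOLOGY = {
    "S1": {"S2": 1, "S3": 4},
    "S2": {"S1": 1, "S3": 1, "S4": 5},
    "S3": {"S1": 4, "S2": 1, "S4": 1},
    "S4": {"S2": 5, "S3": 1},
}

def dijkstra(graph, source, target):
    """Shortest path from source to target: returns (list of switches, length)."""
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == target:
            break
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if target not in dist:
        raise ValueError(f"no path from {source} to {target}")
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1], dist[target]

class AddressPool:
    """Random address pool plus the database of addresses currently in use."""

    def __init__(self, network, rng):
        self.net, self.rng, self.in_use = ipaddress.ip_network(network), rng, set()

    def allocate(self):
        while True:  # redraw until the address is not used by another strategy
            addr = self.net.network_address + self.rng.randrange(1, self.net.num_addresses - 1)
            if addr not in self.in_use:
                self.in_use.add(addr)
                return addr

    def release(self, addrs):
        self.in_use.difference_update(addrs)

def build_hopping_rules(graph, ingress, egress, orig_src, orig_dst, pool):
    """One hopping strategy for a flow: a rule (match pair -> set pair) for each
    switch on the shortest path. Returns (path, rules, addresses allocated)."""
    path, _ = dijkstra(graph, ingress, egress)
    original = (ipaddress.ip_address(orig_src), ipaddress.ip_address(orig_dst))
    rules, allocated, current = {}, [], original
    for i, switch in enumerate(path):
        if i == len(path) - 1:
            nxt = original                    # last switch restores the real addresses
        else:
            nxt = (pool.allocate(), pool.allocate())
            allocated.extend(nxt)
        rules[switch] = {"match": current, "set": nxt}
        current = nxt
    return path, rules, allocated

def forward_packet(path, rules, src, dst):
    """Simulate one packet: returns the (src, dst) pairs on the links between
    switches, i.e. what a sniffer there observes, and the header delivered."""
    header, seen = (ipaddress.ip_address(src), ipaddress.ip_address(dst)), []
    for switch in path:
        rule = rules[switch]
        if rule["match"] != header:
            raise RuntimeError(f"{switch}: no rule matches {header}")
        header = rule["set"]
        seen.append(header)
    return seen[:-1], header

def refresh_strategy(graph, ingress, egress, orig_src, orig_dst, pool, old_allocated, alive):
    """Periodic step of the claim's loop (every time t): a strategy with freshly
    drawn addresses if the connection is alive, else None (torn down). The old
    addresses return to the pool in both cases."""
    new = build_hopping_rules(graph, ingress, egress, orig_src, orig_dst, pool) if alive else None
    pool.release(old_allocated)
    return new

def demo(seed=7):
    """Two hop periods of one flow E -> F inside region 1, then teardown."""
    pool = AddressPool("10.0.0.0/16", random.Random(seed))
    args = (TOPOLOGY, "S1", "S4", "10.1.0.5", "10.1.0.9", pool)
    path, rules, allocated = build_hopping_rules(*args)
    links, delivered = forward_packet(path, rules, "10.1.0.5", "10.1.0.9")
    _, rules2, allocated2 = refresh_strategy(*args, allocated, alive=True)
    links2, delivered2 = forward_packet(path, rules2, "10.1.0.5", "10.1.0.9")
    torn_down = refresh_strategy(*args, allocated2, alive=False)
    as_str = lambda pairs: [(str(s), str(d)) for s, d in pairs]
    return {"path": path, "links": as_str(links), "links2": as_str(links2),
            "delivered": (str(delivered[0]), str(delivered[1])),
            "delivered2": (str(delivered2[0]), str(delivered2[1])),
            "allocated": [str(a) for a in allocated], "allocated2": [str(a) for a in allocated2],
            "torn_down": torn_down, "pool_empty": not pool.in_use}
```

Running `demo()` shows the path S1, S2, S3, S4, three distinct address pairs on the three inter-switch links (none of them the real host addresses), the original pair delivered at S4, a second strategy whose addresses are disjoint from the first, and an empty in-use database after teardown. Two points worth keeping in mind when turning this into controller code: the rules are installed on every switch of the path before the first packet is sent (the claim's automatic delivery step), and a real deployment has to keep the previous period's rules alive briefly at each switch, otherwise packets in flight during the refresh match nothing and are dropped.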
8. The sensor security defence technique in a mobile IoT system according to claim 1, characterised in that the moving target defence objective between the regions of the mobile IoT system is realised by the random hopping of the data transmission ports of the OpenFlow switch devices, the random hopping process of the OpenFlow switch device data transmission port being as follows:
The task of the random hopping of the OpenFlow switch device data transmission port is to convert the network IP address and communication port of a sensor device in the interior zone of the mobile IoT system into a public network address and corresponding communication port through the OpenFlow switch, and at the same time to periodically change the communication ports of the OpenFlow switches corresponding to the two communicating sensor devices,
wherein the data transmission port hopping algorithm is:
When a packet is transmitted over the public network between mobile IoT system regions, the data transmission port hopping algorithm converts the packet of a mobile IoT system region to a public network address by means of data transmission port mapping and, every time period t1, hops the mapped port periodically, so that the characteristics of the data communication are hidden;
System initialisation: the packet arrives at the OpenFlow switch with the gateway function; its header carries the five-tuple {source-device network IP address, source-device network port, destination-device network IP address, destination-device network port, data communication protocol type};
Mobile IoT system region sending the packet:
1. Loop while the communicating parties keep generating new packets within time t2 (when no new packet appears within t2 the loop ends):
2. The controller uses a random function to generate a new, currently unused source data transmission port and queries the data information sync server to check whether this new port is already in use; if it is, a new source port is generated at random again; if it is not occupied, the new source port can be used. At the same time the controller queries the data information sync server and obtains the new destination port;
3. Synchronise the new port mapping flow table of the mobile IoT system region to the data information sync server;
4. Wait for time t2;
5. End of loop;
6. Remove the port mapping flow table of this packet from the mobile IoT system region;
Mobile IoT system region receiving the packet:
1. Loop while the communicating parties keep generating new packets within time t2 (when no new packet appears within t2 the loop ends):
2. The controller queries the data information sync server for the sending side's port mapping flow table and from it generates the receiving side's port mapping flow table, as shown in Table 1-3; at the same time it delivers this port mapping flow table to the gateway switch;
3. Wait for time t2;
4. End of loop;
5. Remove the port mapping flow table of this packet from the mobile IoT system region.
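The data transmission port hopping algorithm, as given in the "Data transmission port hopping algorithm" section of the description and again in claim 8, as an added example that is not the patent's own code. It models the sending region's controller (random unused source port checked against the sync server, new destination port obtained from the server, mapping flow entry installed on the gateway switch and synchronised), the receiving region's controller (sender's entry pulled for the current period and the reverse mapping installed) and the hop at the next period t1. The region names, the public addresses 203.0.113.10 and 198.51.100.20 (RFC 5737 documentation ranges), the inner five-tuple, the flow identifier "flow-EF", the period value and the one-period grace reservation of old ports are all assumptions made for the demo; the sync server is an in-memory object and the gateway switches are exact-match dictionaries rather than real OpenFlow flow tables.

```python
"""Added example (not the patent's own code) of the data transmission port
hopping algorithm given in the description and in claim 8: two region MTD
controllers, their gateway OpenFlow switches (modelled as exact-match rewrite
tables) and the data information sync server (an in-memory object here). All
addresses, ports, the flow identifier and the period t1 are constructed.
Assumption: a public port stays reserved for one further period after it was
issued, so in-flight packets of the previous period are still recognised."""
import random

T1 = 5.0  # hop period t1 in seconds (constructed value)
PUBLIC_IP = {"region1": "203.0.113.10", "region2": "198.51.100.20"}  # RFC 5737 test addresses

def epoch(now, period=T1):
    """Hop epoch derived from the system time, so both regions agree on it."""
    return int(now // period)

class SyncServer:
    """Data information sync server shared by all regions over the public network."""

    def __init__(self, rng):
        self.rng = rng
        self.used = {}   # (region, epoch) -> set of public ports handed out
        self.flows = {}  # (sending region, epoch, flow_id) -> port mapping

    def port_in_use(self, region, ep, port):
        return any(port in self.used.get((region, e), ()) for e in (ep, ep - 1))

    def reserve_port(self, region, ep, port):
        self.used.setdefault((region, ep), set()).add(port)

    def allocate_port(self, region, ep):
        """Random free public port of `region` for epoch `ep` (the "new destination
        port" that the sending side obtains from the server)."""
        while True:
            port = self.rng.randint(1024, 65535)
            if not self.port_in_use(region, ep, port):
                self.reserve_port(region, ep, port)
                return port

    def publish(self, region, ep, flow_id, mapping):
        self.flows[(region, ep, flow_id)] = mapping

    def lookup(self, region, ep, flow_id):
        return self.flows.get((region, ep, flow_id))

class RegionController:
    """MTD controller of one region; `gateway` is the flow table of the region's
    gateway switch: exact five-tuple match -> rewritten five-tuple."""

    def __init__(self, name, sync, rng):
        self.name, self.sync, self.rng, self.gateway = name, sync, rng, {}

    def sender_strategy(self, flow_id, inner, peer, now):
        """Sending-side steps 2 to 4 for the current epoch; `inner` is the real
        five-tuple (src, sport, dst, dport, proto), `peer` the receiving region."""
        ep = epoch(now)
        while True:  # step 2: random source port, checked against the sync server
            sport = self.rng.randint(1024, 65535)
            if not self.sync.port_in_use(self.name, ep, sport):
                self.sync.reserve_port(self.name, ep, sport)
                break
        dport = self.sync.allocate_port(peer, ep)
        public = (PUBLIC_IP[self.name], sport, PUBLIC_IP[peer], dport, inner[4])
        mapping = {"epoch": ep, "inner": inner, "public": public}
        self.gateway = {inner: public}                      # step 3: mapping flow entry
        self.sync.publish(self.name, ep, flow_id, mapping)  # step 4: synchronise
        return mapping

    def receiver_strategy(self, flow_id, sender, now):
        """Receiving-side step 2: pull the sender's entry for the current epoch
        and install the reverse mapping that restores the real five-tuple."""
        mapping = self.sync.lookup(sender, epoch(now), flow_id)
        self.gateway = {} if mapping is None else {mapping["public"]: mapping["inner"]}
        return mapping

def deliver(sender_ctl, receiver_ctl, header):
    """Sensor E -> gateway 1 -> Internet -> gateway 2 -> sensor F. Returns the
    header seen on the Internet and the header delivered to F (None = dropped)."""
    on_internet = sender_ctl.gateway.get(header)
    if on_internet is None:
        return None, None
    return on_internet, receiver_ctl.gateway.get(on_internet)

def demo(seed=1):
    """Two consecutive hop periods of one flow; returns the observations."""
    rng = random.Random(seed)
    sync = SyncServer(rng)
    r1, r2 = RegionController("region1", sync, rng), RegionController("region2", sync, rng)
    inner = ("10.1.0.5", 40000, "10.2.0.9", 5683, "udp")  # constructed: E -> F (CoAP)
    now = 1_000_000.0
    r1.sender_strategy("flow-EF", inner, "region2", now)
    r2.receiver_strategy("flow-EF", "region1", now)
    wire1, delivered1 = deliver(r1, r2, inner)
    now += T1                                               # next period: the ports hop
    r1.sender_strategy("flow-EF", inner, "region2", now)
    r2.receiver_strategy("flow-EF", "region1", now)
    wire2, delivered2 = deliver(r1, r2, inner)
    stale = r2.gateway.get(wire1)                           # old public header after the hop
    return {"inner": inner, "wire1": wire1, "wire2": wire2,
            "delivered1": delivered1, "delivered2": delivered2, "stale": stale}
```

`demo()` returns the header observed on the Internet in each period (public addresses of the two regions and two random ports, different in each period), the real five-tuple restored by gateway 2 in both periods, and `None` for a packet that still carries the previous period's public header after the hop, i.e. the receiving gateway no longer has an entry for it. Deriving the epoch from the system time is what lets both controllers pick the same entry from the sync server; the two regions therefore need synchronised clocks, and a receiver that is behind by more than t1 will drop every packet of the current period.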
Application CN201910055695.6A, priority date 2019-01-21, filing date 2019-01-21: A kind of sensor safe defense technique in mobile Internet of things system. Status: Pending. Publication: CN109818953A (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910055695.6A CN109818953A (en) 2019-01-21 2019-01-21 A kind of sensor safe defense technique in mobile Internet of things system

Publications (1)

Publication Number Publication Date
CN109818953A 2019-05-28

Family

ID=66603600

Country Status (1)

Country Link
CN (1) CN109818953A (en)


Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506511A (en) * 2014-12-15 2015-04-08 蓝盾信息安全技术股份有限公司 Moving target defense system and moving target defense method for SDN (self-defending network)
CN105429957A (en) * 2015-11-02 2016-03-23 芦斌 IP address jump safety communication method based on SDN framework
CN107181688A (en) * 2017-03-31 2017-09-19 武汉绿色网络信息服务有限责任公司 A kind of system and method that the optimization of server end cross-domain data transmission is realized in SDN
CN108965252A (en) * 2018-06-08 2018-12-07 浙江捷尚人工智能研究发展有限公司 A kind of network layer movement target defence method and system based on OpenFlow

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
胡毅勋 (Hu Yixun): "Research on key technologies of OpenFlow-based active defense" (基于Openflow的主动防御关键技术研究), China Doctoral Dissertations Full-text Database, Information Science and Technology series (中国博士学位论文全文数据库 信息科技辑) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111083173A (en) * 2019-12-31 2020-04-28 中国银行股份有限公司 Dynamic defense method in network communication based on openflow protocol
CN111083173B (en) * 2019-12-31 2022-03-08 中国银行股份有限公司 Dynamic defense method in network communication based on openflow protocol
CN114338075A (en) * 2021-11-10 2022-04-12 国网浙江省电力有限公司金华供电公司 Attack object defense method based on extensive sniffing
CN114338075B (en) * 2021-11-10 2024-03-12 国网浙江省电力有限公司金华供电公司 Attack object defense method based on extensive sniffing


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190528