CN110366170A - Wireless network security defence method based on software-defined security - Google Patents

Wireless network security defence method based on software-defined security

Info

Publication number: CN110366170A
Authority: CN (China)
Prior art keywords: network, attack, defence, data, wireless
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN201910518416.5A
Other languages: Chinese (zh)
Inventors: 杨帆, 李荣鹏, 赵志峰, 张宏纲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Zhejiang University ZJU
Original Assignee: Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2019-06-15
Filing date: 2019-06-15
Publication date: 2019-10-22
Application filed by: Zhejiang University ZJU


Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
        • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 ... for detecting or protecting against malicious traffic
        • H04L63/1408 ... by monitoring network traffic
        • H04L63/1416 Event detection, e.g. attack signature detection
    • H (Electricity) > H04 (Electric communication technique) > H04W (Wireless communication networks)
        • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W12/12 Detection or prevention of fraud
        • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
        • H04W12/122 Counter-measures against attacks; Protection against rogue devices
        • H04W12/60 Context-dependent security
        • H04W12/65 Environment-dependent, e.g. using captured environmental data


Abstract

The invention discloses a wireless network security defence method based on software-defined security. The method is built on a software-defined security network architecture comprising a cloud platform, an SDN controller and wireless access points. The wireless access point sniffs the network environment data packets in the wireless network and uploads the network environment data to the cloud platform in real time; it also executes the network flow table issued by the SDN controller, thereby carrying out the network defence. The cloud platform performs attack detection on the network environment data, generates a defence decision when a network attack is detected, and issues the decision to the SDN controller. The SDN controller manages and configures the network forwarding devices, including the wireless access points, and issues network flow tables according to the defence decision. The invention makes attack detection and defence in wireless networks automated and integrated, improving protection efficiency.

Description

Wireless network security defence method based on software-defined security
Technical field
The present invention relates to a wireless network security defence method and belongs to the field of network security.
Background technique
With the rapid development of the Internet, network and information technologies have become widely used, but this has been accompanied by network attacks of ever larger scale and wider reach.
Existing detection and defence methods for wireless networks deploy wireless sniffing devices in the network environment to sniff environment data, check the network environment data against an expert rule base to determine whether an attack is present, locate the attack, and then defend the network manually or with other network tools. Such methods depend on the placement of sniffing devices in the network and cannot detect attacks outside the deployed coverage. Moreover, they usually focus only on monitoring and detection and cannot carry out automated defence once an attack has been detected, so protection efficiency in real deployments is low.
The rise of software-defined networking (SDN) provides important support for the evolution of network security: managing and controlling the network forwarding devices makes network defence possible. Software-defined security (SDS), a security protection approach proposed on the basis of SDN, improves the initiative and coordination of security detection and defence and enhances the manageability, collaboration and service quality of the network. Its idea is to separate the data plane from the control plane and to divide the system top-down into an application layer, a control layer and a physical layer. Physical-layer network resources are managed uniformly by the control layer, which centrally directs them to carry out specific security protection operations according to its instructions, while the application layer performs intelligent, automated service orchestration and management by means of software definition to complete the corresponding security functions, achieving a security protection mechanism with flexible functions, elastic capacity and intelligent decision-making.
Summary of the invention
The object of the present invention is to provide a wireless network security defence method based on a software-defined security architecture. It combines a security agent with the network device to realise environment perception, uses a cloud platform to perform intelligent-algorithm detection and decision-making, and realises automatic defence through an SDN controller, so that attack detection and defence in wireless networks are automated and integrated and protection efficiency is improved.
The technical scheme adopted by the present invention to achieve this object is as follows:
The wireless network security defence method of the present invention is based on a software-defined security architecture in which the wireless access point of the physical layer includes a security agent, the cloud platform of the application layer includes a database, a communication server and a detection system, and the SDN controller of the control layer includes a firewall. The wireless network security defence method comprises the following steps:
(1) The security agent sniffs the wireless network environment and uploads the network environment data to the communication server; the communication server parses the received network environment data packets and stores the parsed network environment data in the database.
(2) The detection system checks whether the parsed network environment data contains network attack data. If so, it retrieves the corresponding defence action from the database according to the attack type of the network attack data, extracts the attack signature information from the network attack data, encapsulates the defence action and the attack signature information into a defence decision, and issues the defence decision to the SDN controller.
(3) The firewall in the SDN controller issues a network flow table to the network forwarding devices according to the defence action, and the network forwarding devices execute the corresponding defence action according to the received network flow table.
Further, in step (1) of the present invention, the security agent uploads the network environment data to the communication server using the CoAP protocol.
Further, the security agent of the present invention includes a communication client and an environment sniffing module. In step (1), the environment sniffing module sniffs the wireless network environment and sends the acquired network environment data to the communication client, and the communication client uploads the received network environment data to the communication server.
Further, the environment sniffing module of the present invention obtains the network environment data as follows:
1) The environment sniffing module creates a network socket in the application process and binds the socket to the wireless network card of the wireless access point;
2) Through the wireless network card of the wireless access point, the environment sniffing module captures all wireless data packets in the network environment where the card is located, and the wireless data packets are passed from the wireless network card to the environment sniffing module through the socket;
3) The environment sniffing module prepends a pcap format header to each wireless data packet to produce pcap-format data, then prepends a communication-protocol header to the pcap-format data to obtain the network environment data.
Further, the detection system of the present invention includes an attack detection module and a decision issuing module, and step (2) is carried out as follows:
The attack detection module analyses the network environment data and judges whether network attack data is present. If so, the decision issuing module retrieves the corresponding defence action from the database according to the attack type judged by the attack detection module and extracts the attack signature information from the network attack data; the decision issuing module then encapsulates the defence action and the attack signature information into a defence decision and issues the defence decision to the SDN controller.
Compared with the prior art, the beneficial effects of the present invention are: (1) By dividing the detection and defence of a wireless network into three steps, environment perception, intelligent detection and automatic defence, a complete closed loop from detection to defence against wireless network attacks is achieved. (2) The wireless access point itself is used as the network sniffing device to capture the network environment data packets, so the whole network can be monitored without depending on other equipment; this resolves the equipment dependence and limited coverage that arise in the prior art when dedicated sniffers are deployed, greatly extends the sniffing range, reduces the difficulty of network sniffing and environment perception, and achieves real-time perception of a large-scale network environment. (3) Deploying attack detection in the cloud platform makes it possible to use the cloud platform's computing and storage capacity for complex algorithmic detection and data storage, solving the prior-art problem that limited computing capability prevents algorithmic detection and unified monitoring and storage. (4) Using an SDN controller to manage the wireless network and carry out automatic defence solves the low defence efficiency of the prior art, which relies on manual defence or other defence tools; defence is automated and protection efficiency is improved.
Detailed description of the invention
Fig. 1 is the software-defined security architecture of one embodiment of the present invention.
Specific embodiment
The present invention is further described below with a specific embodiment. Fig. 1 shows the software-defined security architecture of this embodiment, which is described as follows:
Wireless access point: To ensure that the wireless access point can be developed on, in this embodiment its operating system may be an open-source operating system. To make the wireless access point support the OpenFlow protocol and join the SDN network, this embodiment uses Open vSwitch (OVS) as the bridge inside the wireless access point. In addition, a security agent is deployed on the wireless access point. The security agent consists of a communication client and an environment sniffing module. In this embodiment, in view of the hardware limitations of the wireless access point, the communication client is a CoAP client and the communication protocol is CoAP; the present invention may also use other application-layer protocols such as HTTP. After the wireless access point boots, the communication client starts and sends a CoAP packet of type CON to the communication server in the cloud platform, with the MAC address of the wireless access point stored in the Token of the packet; the communication server authenticates the wireless access point by its MAC address as the access credential and establishes the connection. Once the communication connection is established, the environment sniffing module of the wireless access point starts. The environment sniffing module first creates a network socket in the application process and binds it to the wireless network card of the wireless access point; the wireless network card then captures all wireless data packets in the network environment where the card is located and passes them to the environment sniffing module through the socket; the environment sniffing module prepends a pcap format header to each wireless data packet to produce pcap-format data, and prepends a CoAP protocol header to the pcap-format data to obtain the network environment data. The communication client uploads the resulting network environment data in real time to the communication server in the cloud platform in CoAP packets of type NON.
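The capture framing of step (1) and the CoAP exchange just described (a CON packet whose Token carries the AP MAC for registration, then NON packets carrying pcap-wrapped frames) are written out below as an added Python example; it is not the patent's code. Assumptions: each upload is a one-record pcap with its global header (linktype 105, raw 802.11 without radiotap), the NON data packets reuse the AP MAC as token so the server can attribute uploads, CoAP options are not used, the start instruction is carried in the ACK payload rather than in an option, and the sample authentication frame is constructed. One caveat for practitioners: a MAC address in a CoAP token is not a credential, since any station can send one; a real deployment should run the registration over DTLS (coaps) with per-AP keys.

```python
"""Agent-side framing (802.11 frame -> pcap record -> CoAP) and the server-side
parse back. Added example, not the patent's code; all sample data is constructed."""
import struct

# CoAP constants (RFC 7252)
COAP_VER = 1
COAP_CON, COAP_NON, COAP_ACK, COAP_RST = 0, 1, 2, 3
CODE_POST = 0x02            # 0.02 POST
CODE_CHANGED = 0x44         # 2.04 Changed
CODE_UNAUTHORIZED = 0x81    # 4.01 Unauthorized
PAYLOAD_MARKER = b"\xff"

# pcap constants
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames without a radiotap header


def pcap_global_header(linktype=LINKTYPE_IEEE802_11, snaplen=65535):
    """24-byte pcap file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts):
    """16-byte per-packet header (sec, usec, captured len, original len) + frame bytes."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def coap_encode(msg_type, code, msg_id, token=b"", payload=b""):
    """Header + token + optional payload marker/payload. Options omitted (assumption)."""
    if not 0 <= len(token) <= 8:
        raise ValueError("token length must be 0..8")
    first = (COAP_VER << 6) | (msg_type << 4) | len(token)
    msg = struct.pack("!BBH", first, code, msg_id) + token
    if payload:
        msg += PAYLOAD_MARKER + payload
    return msg


def coap_decode(msg):
    """Parse a CoAP message without options; rejects the format errors RFC 7252 names."""
    if len(msg) < 4:
        raise ValueError("short CoAP header")
    first, code, msg_id = struct.unpack("!BBH", msg[:4])
    ver, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if ver != COAP_VER or tkl > 8:
        raise ValueError("message format error")
    token, rest = msg[4:4 + tkl], msg[4 + tkl:]
    if len(token) != tkl:
        raise ValueError("truncated token")
    payload = b""
    if rest:
        if rest[:1] != PAYLOAD_MARKER:
            raise ValueError("options are not supported by this decoder")
        payload = rest[1:]
        if not payload:
            raise ValueError("payload marker with empty payload")
    return {"type": msg_type, "code": code, "msg_id": msg_id, "token": token, "payload": payload}


# ---- agent side (runs on the access point) ----
def agent_register(ap_mac, msg_id):
    """CON POST whose Token carries the AP MAC, as the page describes."""
    return coap_encode(COAP_CON, CODE_POST, msg_id, token=ap_mac)


def agent_upload(ap_mac, frame, ts, msg_id):
    """NON POST carrying one captured frame as a self-describing one-record pcap."""
    return coap_encode(COAP_NON, CODE_POST, msg_id, token=ap_mac,
                       payload=pcap_global_header() + pcap_record(frame, ts))


# ---- server side (runs in the cloud platform) ----
def server_handle(datagram, allowed_macs):
    """Authenticate a CON registration by MAC, or unwrap a NON upload back to the frame."""
    m = coap_decode(datagram)
    if m["code"] != CODE_POST:
        raise ValueError("unexpected request code")
    ap_mac = m["token"]
    if m["type"] == COAP_CON:
        if ap_mac in allowed_macs:
            ack = coap_encode(COAP_ACK, CODE_CHANGED, m["msg_id"], ap_mac, b"start")
            return {"kind": "register", "ok": True, "ack": ack}
        ack = coap_encode(COAP_ACK, CODE_UNAUTHORIZED, m["msg_id"], ap_mac)
        return {"kind": "register", "ok": False, "ack": ack}
    if m["type"] == COAP_NON:
        if ap_mac not in allowed_macs:
            raise PermissionError("upload from an unregistered AP")
        p = m["payload"]
        if len(p) < 40:
            raise ValueError("short pcap payload")
        magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", p[:24])
        if magic != PCAP_MAGIC:
            raise ValueError("bad pcap magic")
        sec, usec, incl_len, _orig = struct.unpack("<IIII", p[24:40])
        frame = p[40:40 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated pcap record")
        return {"kind": "data", "ap_mac": ap_mac, "ts": sec + usec / 1e6,
                "linktype": linktype, "frame": frame}
    raise ValueError("unexpected message type")


# Constructed sample: one open-system authentication frame (FC 0xB0) from a client.
AP_MAC = bytes.fromhex("001122334455")
SAMPLE_AUTH_FRAME = (bytes([0xB0, 0x00, 0x3A, 0x01]) + AP_MAC
                     + bytes.fromhex("0a1b2c3d4e5f") + AP_MAC + b"\x10\x00"
                     + b"\x00\x00\x01\x00\x00\x00")
```

The server returns the unwrapped frame together with the pcap timestamp and linktype, which is what the detection system needs; the original CoAP datagram can be stored as-is in the database since the payload is already a valid pcap file.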
Cloud platform: The cloud platform may be built on an open-source cloud platform framework such as OpenStack, or on a cloud service provider's product such as Alibaba Cloud or AWS. In this embodiment, at least one communication server, one detection system and one database are deployed in the cloud platform. The communication server receives the data from the communication client in the wireless access point; its communication protocol matches that of the communication client, which in this embodiment is CoAP. The detection system includes an attack detection module for detecting attacks and a decision issuing module for issuing decisions. The database stores network logs and the defence actions used to defend against network attacks. When the communication connection is being established, the communication server receives the authentication packet from the communication client in the wireless access point; after successful authentication it returns an ACK packet that carries the start instruction in a packet option. Once the connection is established, the communication server continuously receives network environment data from the communication client in the wireless access point. The communication server stores the network environment data in the database and at the same time passes it to the detection system for attack detection. In this embodiment, the attack detection module in the detection system uses algorithm-based matching; the attack detection module of the present invention may also use other detection methods such as expert-base matching, and the algorithm used for algorithm-based matching may be an intelligent algorithm such as a CNN, KNN or random forest. In this embodiment, before the attack detection module performs algorithm-based detection, the intelligent algorithm is first trained on a data set to produce an algorithm model; at detection time the attack detection module feeds the network environment data into the trained model as input, and the judgement output by the model is the detection result. The output may be "normal" or a certain attack type (for example a flood attack, an impersonation attack or an injection attack). If the detection result indicates an attack, the decision issuing module of the detection system retrieves the corresponding defence action (drop, block, hopping) from the database according to the attack type and extracts the attack signature information from the attack data. The attack signature information differs with the attack type and defence action and must be set case by case: for example, for a flood attack or an injection attack the defence action may be "drop" and the attack signature information is the source MAC address of the attack packets, whereas for a jamming attack the defence action may be "hopping" and the attack signature information is the destination MAC address and the channel number. Finally, the decision issuing module packs the defence action and the attack signature information into a defence decision in JSON format and issues the defence decision to the SDN controller over HTTP.
SDN controller: When the SDN controller receives the defence decision from the cloud platform, the firewall generates a network flow table from the content of the defence decision: the action field of the flow entry is filled with the defence action from the decision and the match field with the attack signature information from the decision. The firewall issues the generated network flow table, using the packet-out message of the OpenFlow protocol, to all network forwarding devices in the wireless local area network where the wireless access point is located. The OVS bridge in the wireless access point executes the defence action according to the flow entry, thereby achieving automatic network defence.
A typical detection-and-defence round of the present invention is described below with a specific embodiment, taking a flood attack as the example.
The wireless access point boots and starts the communication client. The communication client in the wireless access point first connects to and authenticates with the communication server in the cloud platform. If authentication fails, the wireless access point returns an error message and the program ends. If authentication succeeds, the cloud platform returns a start instruction to the wireless access point, which starts the environment sniffing module on receiving it. The environment sniffing module captures the network data of the wireless network through the wireless network card of the wireless access point and prepends the pcap data format header and the CoAP protocol header to produce network environment data packets. The communication client continuously uploads the network environment data captured by the environment sniffing module to the communication server in the cloud platform over CoAP.
An attacker is present in the network environment of the wireless access point and carries out a flood attack by sending a large number of authentication packets to the wireless access point as attack packets. These attack packets are captured by the environment sniffing module of the wireless access point, mixed in with the normal network environment data, and uploaded to the cloud platform.
After receiving the network environment data packets, the communication server in the cloud platform parses them and stores the parsed network environment data in the database. At the same time, the attack detection module of the detection system in the cloud platform feeds the network environment data into the trained CNN model for attack detection. Because the network environment data contains the flood attack packets, the attack detection module detects the attack packets and determines the attack type to be a flood attack.
According to the attack type determined by the attack detection module, the decision issuing module of the detection system retrieves the defence action for a flood attack from the database, here "drop", whose specific defence mechanism is to discard all packets from a given MAC address. At the same time, according to the attack type and defence action, the decision issuing module extracts the attack signature information from the attack packets, here the source MAC address.
The decision issuing module encapsulates the attack signature information and the defence action in JSON format and forwards them to the SDN controller over HTTP.
When the SDN controller receives the message from the cloud platform, the firewall parses the defence decision, generates a network flow table from the defence action and attack signature information in the decision, and issues it with an OpenFlow packet-out message to all network forwarding devices in the WLAN where the wireless access point is located.
A new flow entry with action "drop" and the above MAC address as its match object is added on the OVS bridge of the wireless access point; the OVS bridge discards all data messages from that MAC address, completing the network defence.
The process in which the wireless access point captures network environment data and uploads it to the attack detection system of the cloud platform for attack detection repeats continuously; whenever attack data is detected, the cloud platform and the SDN controller respond and defend against the attack, thereby protecting the network.
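The flood-attack round above, from captured frames to an installed drop rule, as an added Python example that is not the patent's own code; it also covers the detection and decision steps of the description. The trained CNN is replaced by a per-source counter of 802.11 authentication frames (an assumption, since the page gives no model or data set), the "database" of defence actions is a dict, and the frames are constructed. Two caveats a practitioner should weigh: OpenFlow installs flow entries with a FLOW_MOD message (ovs-ofctl add-flow on OVS), whereas a packet-out only injects a single packet; and a dl_src drop rule on the OVS bridge stops the attacker's data traffic after association, but 802.11 authentication frames are consumed by the AP's 802.11 MAC layer and never reach the bridge, so the flood itself is not stopped by this rule. "hopping" is a radio configuration change, not an OpenFlow action, and is rejected here.

```python
"""Closed loop perceive -> detect -> decide -> defend on a constructed capture.
Added example, not the patent's code. The threshold counter stands in for the CNN."""
import json
from collections import Counter

# --- constructed sample data (not real traffic) ---------------------------------
AP_BSSID = bytes.fromhex("001122334455")
ATTACKER = bytes.fromhex("deadbeef0001")
CLIENT = bytes.fromhex("0a1b2c3d4e5f")


def auth_frame(sa, bssid=AP_BSSID, seq=0):
    """802.11 authentication frame (FC 0xB0): addr1=BSSID, addr2=SA, addr3=BSSID."""
    seq_ctrl = ((seq & 0x0FFF) << 4).to_bytes(2, "little")
    body = b"\x00\x00" + b"\x01\x00" + b"\x00\x00"   # open system, seq 1, status 0
    return bytes([0xB0, 0x00]) + b"\x3a\x01" + bssid + sa + bssid + seq_ctrl + body


def data_frame(sa, da, bssid=AP_BSSID):
    """802.11 data frame with ToDS=1: addr1=BSSID, addr2=SA, addr3=DA."""
    return bytes([0x08, 0x01]) + b"\x00\x00" + bssid + sa + da + b"\x00\x00" + b"payload"


CAPTURE = ([auth_frame(ATTACKER, seq=i) for i in range(60)]
           + [auth_frame(CLIENT)] + [data_frame(CLIENT, AP_BSSID)] * 5)

# --- environment perception: minimal 802.11 MAC header parse ---------------------
MGMT, SUBTYPE_AUTH = 0, 11


def parse_80211(frame):
    fc = frame[0]
    return {"type": (fc >> 2) & 0x3, "subtype": fc >> 4,
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22]}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


# --- intelligent detection (stand-in for the trained model) ----------------------
def detect(frames, threshold=50):
    """('flood', src_mac) if one source sent >= threshold auth frames, else ('normal', None)."""
    counts = Counter()
    for f in frames:
        p = parse_80211(f)
        if p["type"] == MGMT and p["subtype"] == SUBTYPE_AUTH:
            counts[p["addr2"]] += 1
    for sa, n in counts.most_common(1):
        if n >= threshold:
            return "flood", sa
    return "normal", None


# --- decision issuing: action from the "database", signature from the attack data --
DEFENCE_DB = {"flood": "drop", "injection": "drop", "jamming": "hopping"}


def build_decision(attack_type, src_mac):
    """JSON defence decision as the page describes: action plus attack signature."""
    return json.dumps({"attack_type": attack_type, "action": DEFENCE_DB[attack_type],
                       "feature": {"src_mac": mac_str(src_mac)}})


# --- SDN controller firewall: decision -> OpenFlow flow entry ----------------------
def decision_to_flow(decision_json, priority=100):
    """Match on the attacker's source MAC, action drop. Only 'drop' maps to OpenFlow."""
    d = json.loads(decision_json)
    if d["action"] != "drop":
        raise NotImplementedError(f"{d['action']} is not an OpenFlow action")
    return f"priority={priority},dl_src={d['feature']['src_mac']},actions=drop"


def ovs_ofctl_argv(bridge, flow):
    """The push is a FLOW_MOD; on OVS that is `ovs-ofctl add-flow <bridge> <flow>`."""
    return ["ovs-ofctl", "add-flow", bridge, flow]


def closed_loop(frames, bridge="br0"):
    """One round of the loop; returns the commands to run (empty when nothing is detected)."""
    kind, src = detect(frames)
    if kind == "normal":
        return []
    return [ovs_ofctl_argv(bridge, decision_to_flow(build_decision(kind, src)))]


if __name__ == "__main__":
    for argv in closed_loop(CAPTURE):
        print(" ".join(argv))   # pass to subprocess.run(argv) on the AP to install it
```

The threshold is per capture batch, so the batch size and the threshold must be chosen together; a model-based detector would replace detect() and keep the rest of the loop unchanged.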

Claims (5)

1. A wireless network security defence method based on a software-defined security architecture, characterised in that: in the software-defined security architecture, the wireless access point of the physical layer includes a security agent, the cloud platform of the application layer includes a database, a communication server and a detection system, and the SDN controller of the control layer includes a firewall; the wireless network security defence method comprises the following steps:
(1) The security agent sniffs the wireless network environment and uploads the network environment data to the communication server; the communication server parses the received network environment data packets and stores the parsed network environment data in the database;
(2) The detection system checks whether the parsed network environment data contains network attack data; if so, the detection system retrieves the corresponding defence action from the database according to the attack type of the network attack data, extracts the attack signature information from the network attack data, encapsulates the defence action and the attack signature information into a defence decision, and issues the defence decision to the SDN controller;
(3) The firewall in the SDN controller issues a network flow table to the network forwarding devices according to the defence action, and the network forwarding devices execute the corresponding defence action according to the received network flow table.
2. The wireless network security defence method according to claim 1, characterised in that: in step (1), the security agent uploads the network environment data to the communication server using the CoAP protocol.
3. The wireless network security defence method according to claim 1 or 2, characterised in that: the security agent includes a communication client and an environment sniffing module; in step (1), the environment sniffing module sniffs the wireless network environment and sends the acquired network environment data to the communication client, and the communication client uploads the received network environment data to the communication server.
4. The wireless network security defence method according to claim 3, characterised in that: the environment sniffing module obtains the network environment data as follows:
1) The environment sniffing module creates a network socket in the application process and binds the socket to the wireless network card of the wireless access point;
2) Through the wireless network card of the wireless access point, the environment sniffing module captures all wireless data packets in the network environment where the card is located, and the wireless data packets are passed from the wireless network card to the environment sniffing module through the socket;
3) The environment sniffing module prepends a pcap format header to each wireless data packet to produce pcap-format data, then prepends a communication-protocol header to the pcap-format data to obtain the network environment data.
5. The wireless network security defence method according to any one of claims 1 to 4, characterised in that: the detection system includes an attack detection module and a decision issuing module; step (2) is carried out as follows:
The attack detection module analyses the network environment data and judges whether network attack data is present; if so, the decision issuing module retrieves the corresponding defence action from the database according to the attack type judged by the attack detection module and extracts the attack signature information from the network attack data; the decision issuing module encapsulates the defence action and the attack signature information into a defence decision and issues the defence decision to the SDN controller.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910518416.5A CN110366170A (en) 2019-06-15 2019-06-15 Wireless network security defence method based on software-defined security


Publications (1)

Publication Number Publication Date
CN110366170A true CN110366170A (en) 2019-10-22

Family

ID=68217314


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116319114A (en) * 2023-05-25 2023-06-23 广州鲁邦通物联网科技股份有限公司 Method and system for network intrusion detection

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468624A (en) * 2014-12-22 2015-03-25 上海斐讯数据通信技术有限公司 SDN controller, routing/switching device and network defending method
CN104580168A (en) * 2014-12-22 2015-04-29 华为技术有限公司 Method, device and system for processing attack data packages
US20160381069A1 (en) * 2012-06-11 2016-12-29 Radware, Ltd. Techniques for traffic diversion in software defined networks for mitigating denial of service attacks
CN108063747A (en) * 2016-11-09 2018-05-22 北京君正集成电路股份有限公司 Wireless data processing method and apparatus



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20191022