CN110719301A - Attack defense method and system for flow adaptive scheduling - Google Patents


Info

Publication number: CN110719301A
Authority: CN (China)
Prior art keywords: switch, controller, trusted authority, network, digital signature
Legal status: Pending
Application number: CN201911135956.1A
Other languages: Chinese (zh)
Inventor: 段彬
Current Assignee: Wuhan Sipuleng Technology Co Ltd
Original Assignee: Wuhan Sipuleng Technology Co Ltd
Application filed by: Wuhan Sipuleng Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an attack defense method and system with adaptive traffic scheduling. A secure encrypted channel is established between a controller and a switch; a trusted authority CA (Certificate Authority) is added to authenticate and sign the controller and the switch, so that bidirectional authentication between the controller and the switch is achieved and key negotiation is carried out between them, which remedies SDN network vulnerabilities in a targeted manner; and the network traffic of an attacked switch is dispatched to other neighbor switches in real time, which effectively reduces link delay.

Description

Attack defense method and system for flow adaptive scheduling
Technical Field
The present application relates to the field of network security technologies, and in particular, to an attack defense method and system for adaptive traffic scheduling.
Background
In existing SDN deployments, establishing a TLS secure channel between the controller and the switch is not mandatory and is disabled by default, which leaves the network vulnerable: the controller and the switch may communicate in clear text, so any third party can intercept or modify the contents of their communication and a man-in-the-middle attack is easy to mount. Because there is no certificate-based authentication between the controller and the switch, an attacker can readily intercept the requests the controller sends to the switch, impersonate the controller in its communication with the switch, and thereby obtain the entire content of the communication between the switch and the controller.
At the same time, a DDoS attack in an SDN network system can severely consume the resources of the targeted host, so that users cannot access that host normally and the secure channel between the controller and the attacked switch is blocked.
Therefore, an attack defense method and system for improving SDN network vulnerabilities are urgently needed.
Disclosure of Invention
The invention aims to provide an attack defense method and system with adaptive traffic scheduling. A secure encrypted channel is established between a controller and a switch; a trusted authority CA (Certificate Authority) is added to authenticate and sign the controller and the switch, so that bidirectional authentication between the controller and the switch is achieved and key negotiation is carried out between them, which remedies SDN network vulnerabilities in a targeted manner; and the network traffic of an attacked switch is dispatched to other neighbor switches in real time, which effectively reduces link delay.
In a first aspect, the present application provides an attack defense method for adaptive traffic scheduling, where the method includes:
acquiring network traffic data and identifying the type of network according to its network characteristics;
when the network is identified as an SDN network, issuing a control instruction to a controller and a switch, where the control instruction carries the identifier and address of the network intermediary trusted authority CA;
the controller and the switch receive the control instruction and each send an identity authentication request to the network intermediary trusted authority CA, where the identity authentication requests carry the respective public keys, user identity information and device identifiers of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the device identifier and judges whether the controller and the switch are legitimate; if they are, it returns to the controller and the switch a plaintext message together with a digitally signed certificate of that plaintext message produced with the CA private key; if they are not, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digitally signed certificate sent by the trusted authority CA and verify it with the public key of the trusted authority CA; if verification succeeds, the controller and the switch use the digitally signed certificate in place of their respective identity information; if verification fails, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch have both been verified successfully, the switch sends an encrypted secure connection request to the controller, where the request carries version information, the supported encryption algorithms and a first random number;
after receiving the encrypted secure connection request, the controller returns a response message to the switch, where the response message comprises the confirmed encryption algorithm, a randomly generated second random number and the controller's digitally signed certificate;
after receiving the response message, the switch verifies the controller's digitally signed certificate with the public key of the trusted authority CA; if verification succeeds, the switch generates a third random number, encrypts it with the controller's public key, and sends the encrypted third random number together with the switch's digitally signed certificate to the controller;
after receiving the message sent by the switch, the controller verifies the switch's digitally signed certificate with the public key of the trusted authority CA; if verification succeeds, the controller decrypts the third random number ciphertext in the message with its private key, which completes the key agreement between the controller and the switch;
the controller and the switch then communicate in encrypted form over the established secure connection using the negotiated encryption algorithm and key;
judging whether a DDoS attack is occurring between the controller and the current switch; if so, obtaining the number of Packet-in messages sent up to the controller by at least one neighbor switch of the current switch and computing the rate of those Packet-in messages;
sorting the Packet-in message rates of the at least one neighbor switch, determining the neighbor switch with the lowest Packet-in message rate, and obtaining the datapath identifier (DPID) of that neighbor switch;
obtaining the content, input port and path set of the network traffic packet according to its destination IP address, selecting from the path set a path that meets a preset condition according to the DPID and input port of that neighbor switch, and issuing an updated flow rule to the attacked current switch according to the selected path;
and, after waiting a preset time interval, judging again whether a DDoS attack is occurring between the controller and the current switch.
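As an added example for this page (not code from the patent or its assignee), the Go program below carries the Packet-in rate scheduling steps above through one round, and generalises the path selection slightly by ranking every qualifying path by cost rather than taking the first match. Everything in it is constructed: the switch identifiers s1 to s5, their Packet-in counts, the path set, the egress-port table and the threshold of 1000 messages per second. The patent specifies neither how a DDoS attack between the controller and the current switch is detected nor what the preset path condition is, so both are assumptions here: detection is a Packet-in rate above the threshold, and the condition is that the path starts at the attacked switch, passes next through the chosen neighbor and matches the packet's input port.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// PacketInSample is the number of Packet-in messages one switch sent up to the controller
// during a sampling window (constructed input for this example).
type PacketInSample struct {
	DPID    string
	Count   int
	Seconds float64
}

// Rate is the Packet-in message rate in messages per second.
func (s PacketInSample) Rate() float64 { return float64(s.Count) / s.Seconds }

// Path is one candidate route from the path set for a destination IP address.
type Path struct {
	Hops   []string // DPIDs along the route, starting at the current (attacked) switch
	InPort int      // ingress port on the first hop
	Cost   int      // route metric used to rank qualifying paths
}

// FlowRule is the updated rule issued to the attacked switch.
type FlowRule struct {
	DPID, DstIP     string
	InPort, OutPort int
}

// UnderAttack is an assumed detection rule (the patent names none): Packet-in rate above a threshold.
func UnderAttack(current PacketInSample, threshold float64) bool {
	return current.Rate() > threshold
}

// LeastLoadedNeighbor sorts the neighbors by Packet-in rate and returns the DPID of the minimum.
func LeastLoadedNeighbor(neighbors []PacketInSample) (string, error) {
	if len(neighbors) == 0 {
		return "", errors.New("no neighbor switch available")
	}
	sorted := append([]PacketInSample(nil), neighbors...) // copy so the caller's sample order survives
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Rate() < sorted[j].Rate() })
	return sorted[0].DPID, nil
}

// SelectPath applies the preset condition assumed here: the path must start at the attacked
// switch, continue through the chosen neighbor and match the packet's input port; the
// cheapest such path wins.
func SelectPath(paths []Path, current, neighbor string, inPort int) (Path, error) {
	var best *Path
	for i := range paths {
		p := &paths[i]
		if len(p.Hops) < 2 || p.Hops[0] != current || p.Hops[1] != neighbor || p.InPort != inPort {
			continue
		}
		if best == nil || p.Cost < best.Cost {
			best = p
		}
	}
	if best == nil {
		return Path{}, fmt.Errorf("no path from %s via %s for input port %d", current, neighbor, inPort)
	}
	return *best, nil
}

// Reschedule performs one detection-and-redirect round. egressPorts maps a neighbor DPID to the
// port of the current switch that reaches it (constructed topology data). A nil rule means no
// attack was detected, so the caller waits the preset interval and checks again.
func Reschedule(current PacketInSample, neighbors []PacketInSample, paths []Path,
	dstIP string, inPort int, egressPorts map[string]int, threshold float64) (*FlowRule, error) {
	if !UnderAttack(current, threshold) {
		return nil, nil
	}
	neighbor, err := LeastLoadedNeighbor(neighbors)
	if err != nil {
		return nil, err
	}
	p, err := SelectPath(paths, current.DPID, neighbor, inPort)
	if err != nil {
		return nil, err
	}
	port, ok := egressPorts[p.Hops[1]]
	if !ok {
		return nil, fmt.Errorf("no link from %s to %s", current.DPID, p.Hops[1])
	}
	return &FlowRule{DPID: current.DPID, DstIP: dstIP, InPort: inPort, OutPort: port}, nil
}

func main() {
	// Constructed samples for one round: s1 is flooded with Packet-in messages, s3 is the quietest neighbor.
	current := PacketInSample{"s1", 5000, 1}
	neighbors := []PacketInSample{{"s2", 400, 1}, {"s3", 120, 1}, {"s4", 900, 1}}
	paths := []Path{{[]string{"s1", "s2", "s5"}, 1, 2}, {[]string{"s1", "s3", "s5"}, 1, 3},
		{[]string{"s1", "s3", "s4", "s5"}, 1, 4}, {[]string{"s1", "s3", "s5"}, 2, 2}}
	egress := map[string]int{"s2": 2, "s3": 3, "s4": 4}
	rule, err := Reschedule(current, neighbors, paths, "10.0.0.5", 1, egress, 1000)
	fmt.Printf("rule=%+v err=%v\n", rule, err) // a live controller would sleep the preset interval and call Reschedule again
}
```

With the constructed samples, s3 has the lowest Packet-in rate, the cost-3 path s1-s3-s5 is the cheapest one that enters through port 1 and passes through s3, and the rule issued to s1 sends traffic for 10.0.0.5 arriving on port 1 out of port 3. Reschedule returning a nil rule is the quiet case, which is where the last step's wait-and-recheck loop belongs.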
With reference to the first aspect, in a first possible implementation manner of the first aspect, the digitally signed certificate employs a hash operation.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the encryption algorithm includes any one of DES, MD5 and AES.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the network intermediary trusted authority CA may be any one of a certificate server, a key server and a digital certificate server.
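The Go program below is an added example written for this page; it is not code from the patent or its assignee. It models the enrolment and handshake steps of the first aspect end to end: a CA with a database of legitimate device identifiers signs a SHA-256 digest of each device's identity with an Ed25519 key (the hash operation of the first implementation manner), each side verifies the other's certificate with the CA public key, the switch wraps the third random number under the controller's RSA public key with OAEP, and both sides derive the same session key. The device identifiers, the choice of Ed25519 and RSA-OAEP, and the key derivation (SHA-256 over the three random numbers) are assumptions of this example, since the patent fixes none of them. Of the three algorithms listed in the second implementation manner, AES is the one a derived 32-byte key would feed; DES is obsolete and MD5 is a hash function rather than a cipher, so the example stops at the agreed key and leaves the record-layer cipher out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert is the CA-issued, digitally signed identity of one device (controller or switch).
type Cert struct {
	DeviceID string         // constructed device identifier, e.g. "controller-1"
	EncPub   *rsa.PublicKey // the switch wraps the third random number under the controller's key
	Sig      []byte         // CA signature over a SHA-256 digest of DeviceID and EncPub
}

// certDigest: the CA signs a hash of the certificate body ("employs a hash operation").
func certDigest(id string, pub *rsa.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(id+"|"), pub.N.Bytes()...))
	return h[:]
}

// CA is the network intermediary trusted authority: a signing key plus a database of legitimate device IDs.
type CA struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	legal map[string]bool
}

func NewCA(legalIDs ...string) *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ca := &CA{priv: priv, Pub: pub, legal: map[string]bool{}}
	for _, id := range legalIDs {
		ca.legal[id] = true
	}
	return ca
}

// Enroll is the identity-authentication step: unknown IDs fail, legitimate ones get a signed certificate.
func (ca *CA) Enroll(id string, pub *rsa.PublicKey) (*Cert, error) {
	if !ca.legal[id] {
		return nil, errors.New("authentication failure: unknown device " + id)
	}
	return &Cert{DeviceID: id, EncPub: pub, Sig: ed25519.Sign(ca.priv, certDigest(id, pub))}, nil
}

// Verify checks a certificate with the CA public key, as each side does during the handshake.
func Verify(caPub ed25519.PublicKey, c *Cert) bool {
	return ed25519.Verify(caPub, certDigest(c.DeviceID, c.EncPub), c.Sig)
}

// NewDeviceKey makes the RSA key pair a device carries in its authentication request.
func NewDeviceKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// deriveKey builds the session key from the three random numbers; SHA-256 over r1 || r2 || r3 is this example's choice.
func deriveKey(r1, r2, r3 []byte) []byte {
	k := sha256.Sum256(append(append(append([]byte{}, r1...), r2...), r3...))
	return k[:]
}

// Handshake: (1) switch -> controller: version, algorithms, r1; (2) controller -> switch: chosen
// algorithm, r2, controller cert; (3) switch verifies it and sends r3 wrapped under the controller
// public key plus its own cert; (4) controller verifies that cert and unwraps r3. Returns both
// sides' derived keys; a rejected certificate or failed unwrap is an error, never a fallback.
func Handshake(caPub ed25519.PublicKey, ctrlPriv *rsa.PrivateKey, ctrlCert, swCert *Cert) ([]byte, []byte, error) {
	nonces := make([]byte, 96) // r1 from the switch, r2 from the controller, r3 the switch's secret contribution
	rand.Read(nonces)
	r1, r2, r3 := nonces[:32], nonces[32:64], nonces[64:]
	if !Verify(caPub, ctrlCert) {
		return nil, nil, errors.New("switch: controller certificate rejected")
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ctrlCert.EncPub, r3, nil)
	if err != nil {
		return nil, nil, err
	}
	if !Verify(caPub, swCert) {
		return nil, nil, errors.New("controller: switch certificate rejected")
	}
	r3c, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ctrlPriv, wrapped, nil)
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(r1, r2, r3), deriveKey(r1, r2, r3c), nil
}

func main() {
	ca := NewCA("controller-1", "switch-1")
	ctrlPriv, swPriv := NewDeviceKey(), NewDeviceKey()
	ctrlCert, _ := ca.Enroll("controller-1", &ctrlPriv.PublicKey)
	swCert, _ := ca.Enroll("switch-1", &swPriv.PublicKey)
	swKey, ctrlKey, err := Handshake(ca.Pub, ctrlPriv, ctrlCert, swCert)
	fmt.Printf("err=%v keys match=%v\n", err, string(swKey) == string(ctrlKey))
}
```

The property worth checking is that a certificate issued by any signing key other than the network's CA fails Verify on whichever side receives it and aborts the handshake before any key is derived, which is the check the background section says an unauthenticated controller-to-switch channel lacks.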
In a second aspect, the present application provides an attack defense system for adaptive traffic scheduling. The system comprises a gateway server, an analysis server, a network intermediary trusted authority CA, at least one SDN controller and at least one SDN switch;
the gateway server acquires network traffic data and identifies the type of network according to its network characteristics;
when the network is identified as an SDN network, it issues a control instruction to the at least one controller and the at least one switch, where the control instruction carries the identifier and address of the network intermediary trusted authority CA;
the at least one controller and the at least one switch receive the control instruction and each send an identity authentication request to the network intermediary trusted authority CA, where the identity authentication requests carry the respective public keys, user identity information and device identifiers of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the device identifier and judges whether the at least one controller and the at least one switch are legitimate; if they are, it returns to them a plaintext message together with a digitally signed certificate of that plaintext message produced with the CA private key; if they are not, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digitally signed certificate sent by the trusted authority CA and verify it with the public key of the trusted authority CA; if verification succeeds, they use the digitally signed certificate in place of their respective identity information; if verification fails, they send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch have been verified successfully, the switch sends an encrypted secure connection request to the corresponding controller, where the request carries version information, the supported encryption algorithms and a first random number;
after receiving the encrypted secure connection request, the controller returns a response message to the switch, where the response message comprises the confirmed encryption algorithm, a randomly generated second random number and the controller's digitally signed certificate;
after receiving the response message, the switch verifies the controller's digitally signed certificate with the public key of the trusted authority CA; if verification succeeds, the switch generates a third random number, encrypts it with the controller's public key, and sends the encrypted third random number together with the switch's digitally signed certificate to the controller;
after receiving the message sent by the switch, the controller verifies the switch's digitally signed certificate with the public key of the trusted authority CA; if verification succeeds, the controller decrypts the third random number ciphertext in the message with its private key, which completes the key agreement between the controller and the switch;
the controller and the switch then communicate in encrypted form over the established secure connection using the negotiated encryption algorithm and key;
the analysis server judges whether a DDoS attack is occurring between the controller and the current switch; if so, it obtains the number of Packet-in messages sent up to the controller by at least one neighbor switch of the current switch and computes the rate of those Packet-in messages;
it sorts the Packet-in message rates of the at least one neighbor switch, determines the neighbor switch with the lowest Packet-in message rate, and obtains the datapath identifier (DPID) of that neighbor switch;
it obtains the content, input port and path set of the network traffic packet according to its destination IP address, selects from the path set a path that meets a preset condition according to the DPID and input port of that neighbor switch, and issues an updated flow rule to the attacked current switch according to the selected path;
and, after waiting a preset time interval, it judges again whether a DDoS attack is occurring between the controller and the current switch.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the digitally signed certificate employs a hash operation.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the encryption algorithm includes any one of DES, MD5 and AES.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the network intermediary trusted authority CA may be any one of a certificate server, a key server and a digital certificate server.
Drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of the attack defense method for adaptive traffic scheduling according to the present invention;
FIG. 2 is an architecture diagram of the attack defense system with adaptive traffic scheduling according to the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the present invention can be understood more easily by those skilled in the art and the scope of the present invention is defined more clearly.
FIG. 1 is a flowchart of the attack defense method for adaptive traffic scheduling provided in the present application, where the method includes:
acquiring network traffic data and identifying the type of network according to its network characteristics;
when the network is identified as an SDN network, issuing a control instruction to a controller and a switch, where the control instruction carries the identifier and address of the network intermediary trusted authority CA;
the controller and the switch receive the control instruction and each send an identity authentication request to the network intermediary trusted authority CA, where the identity authentication requests carry the respective public keys, user identity information and device identifiers of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the device identifier and judges whether the controller and the switch are legitimate; if they are, it returns to the controller and the switch a plaintext message together with a digitally signed certificate of that plaintext message produced with the CA private key; if they are not, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digitally signed certificate sent by the trusted authority CA and verify it with the public key of the trusted authority CA; if verification succeeds, the controller and the switch use the digitally signed certificate in place of their respective identity information; if verification fails, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch have both been verified successfully, the switch sends an encrypted secure connection request to the controller, where the request carries version information, the supported encryption algorithms and a first random number;
after receiving the encrypted secure connection request, the controller returns a response message to the switch, where the response message comprises the confirmed encryption algorithm, a randomly generated second random number and the controller's digitally signed certificate;
after receiving the response message, the switch verifies the controller's digitally signed certificate with the public key of the trusted authority CA; if verification succeeds, the switch generates a third random number, encrypts it with the controller's public key, and sends the encrypted third random number together with the switch's digitally signed certificate to the controller;
after receiving the message sent by the switch, the controller verifies the switch's digitally signed certificate with the public key of the trusted authority CA; if verification succeeds, the controller decrypts the third random number ciphertext in the message with its private key, which completes the key agreement between the controller and the switch;
the controller and the switch then communicate in encrypted form over the established secure connection using the negotiated encryption algorithm and key;
judging whether a DDoS attack is occurring between the controller and the current switch; if so, obtaining the number of Packet-in messages sent up to the controller by at least one neighbor switch of the current switch and computing the rate of those Packet-in messages;
sorting the Packet-in message rates of the at least one neighbor switch, determining the neighbor switch with the lowest Packet-in message rate, and obtaining the datapath identifier (DPID) of that neighbor switch;
obtaining the content, input port and path set of the network traffic packet according to its destination IP address, selecting from the path set a path that meets a preset condition according to the DPID and input port of that neighbor switch, and issuing an updated flow rule to the attacked current switch according to the selected path;
and, after waiting a preset time interval, judging again whether a DDoS attack is occurring between the controller and the current switch.
In some preferred embodiments, the digitally signed certificate employs a hash operation.
In some preferred embodiments, the encryption algorithm comprises any one of DES, MD5 and AES.
In some preferred embodiments, the network intermediary trusted authority CA may be any one of a certificate server, a key server and a digital certificate server.
FIG. 2 is an architecture diagram of the attack defense system with adaptive traffic scheduling provided in the present application. The system comprises a gateway server, an analysis server, a network intermediary trusted authority CA, at least one SDN controller and at least one SDN switch;
the gateway server acquires network traffic data and identifies the type of network according to its network characteristics;
when the network is identified as an SDN network, it issues a control instruction to the at least one controller and the at least one switch, where the control instruction carries the identifier and address of the network intermediary trusted authority CA;
the at least one controller and the at least one switch receive the control instruction and each send an identity authentication request to the network intermediary trusted authority CA, where the identity authentication requests carry the respective public keys, user identity information and device identifiers of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the device identifier and judges whether the at least one controller and the at least one switch are legitimate; if they are, it returns to them a plaintext message together with a digitally signed certificate of that plaintext message produced with the CA private key; if they are not, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digitally signed certificate sent by the trusted authority CA and verify it with the public key of the trusted authority CA; if verification succeeds, they use the digitally signed certificate in place of their respective identity information; if verification fails, they send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch have been verified successfully, the switch sends an encrypted secure connection request to the corresponding controller, where the request carries version information, the supported encryption algorithms and a first random number;
after receiving the encrypted secure connection request, the controller returns a response message to the switch, where the response message comprises the confirmed encryption algorithm, a randomly generated second random number and the controller's digitally signed certificate;
after receiving the response message, the switch verifies the controller's digitally signed certificate with the public key of the trusted authority CA; if verification succeeds, the switch generates a third random number, encrypts it with the controller's public key, and sends the encrypted third random number together with the switch's digitally signed certificate to the controller;
after receiving the message sent by the switch, the controller verifies the switch's digitally signed certificate with the public key of the trusted authority CA; if verification succeeds, the controller decrypts the third random number ciphertext in the message with its private key, which completes the key agreement between the controller and the switch;
the controller and the switch then communicate in encrypted form over the established secure connection using the negotiated encryption algorithm and key;
the analysis server judges whether a DDoS attack is occurring between the controller and the current switch; if so, it obtains the number of Packet-in messages sent up to the controller by at least one neighbor switch of the current switch and computes the rate of those Packet-in messages;
it sorts the Packet-in message rates of the at least one neighbor switch, determines the neighbor switch with the lowest Packet-in message rate, and obtains the datapath identifier (DPID) of that neighbor switch;
it obtains the content, input port and path set of the network traffic packet according to its destination IP address, selects from the path set a path that meets a preset condition according to the DPID and input port of that neighbor switch, and issues an updated flow rule to the attacked current switch according to the selected path;
and, after waiting a preset time interval, it judges again whether a DDoS attack is occurring between the controller and the current switch.
In some preferred embodiments, the digitally signed certificate employs a hash operation.
In some preferred embodiments, the encryption algorithm comprises any one of DES, MD5 and AES.
In some preferred embodiments, the network intermediary trusted authority CA may be any one of a certificate server, a key server and a digital certificate server.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, since the remaining embodiments are substantially similar to the method embodiments, their description is brief; for the relevant points, refer to the description of the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (8)

1. An attack defense method for adaptive traffic scheduling, the method comprising:
acquiring network flow data, and identifying the type of a network according to network characteristics;
when the network is identified to be the SDN network, a control instruction is issued to a controller and a switch, and the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the controller and the switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identification of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identifier, judges whether the controller and the switch are legal, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the controller and the switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the controller and the switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch are successfully verified, the switch sends an encryption security connection request to the controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch carry out encryption communication on the established encryption security connection by using the negotiated encryption algorithm and key;
judging whether a DDoS attack is occurring between the controller and the current switch and, if so, acquiring the number of Packet-in messages uploaded by at least one neighbor switch of the current switch and calculating the rate of the uploaded Packet-in messages;
sorting the Packet-in message rates of the at least one neighbor switch, determining the neighbor switch with the minimum Packet-in message rate, and acquiring the identifier DPID of that neighbor switch;
acquiring the content, input port and path set of the network flow data packet according to its destination IP address, selecting from the path set a path that meets a preset condition according to the DPID and input port of the neighbor switch, and issuing an updated flow rule to the attacked current switch according to that path;
and, after waiting a preset time interval, judging again whether a DDoS attack is occurring between the controller and the current switch.
2. The method of claim 1, wherein the digitally signed certificate employs a hash operation.
3. The method according to any of claims 1-2, wherein the encryption algorithm comprises any of DES, MD5, AES.
4. The method according to any one of claims 1 to 3, wherein the network intermediary trusted authority (CA) can be any one of a certificate server, a key server and a digital certificate server.
5. An attack defense system with adaptive traffic scheduling, the system comprising a gateway server, an analysis server, a trusted authority CA in the middle of the network, at least one SDN controller and at least one SDN switch;
the gateway server acquires network flow data and identifies the type of a network according to network characteristics;
when the network is identified to be the SDN network, issuing a control instruction to at least one controller and at least one switch, wherein the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the at least one controller and the at least one switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identifications of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identification, judges whether the at least one controller and the at least one switch are legal or not, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the at least one controller and the at least one switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the at least one controller and the at least one switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the at least one controller and the at least one switch send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch are successfully verified, the switch sends an encryption security connection request to the corresponding controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch carry out encryption communication on the established encryption security connection by using the negotiated encryption algorithm and key;
the analysis server judges whether a DDoS attack is occurring between the controller and the current switch and, if so, acquires the number of Packet-in messages uploaded by at least one neighbor switch of the current switch and calculates the rate of the uploaded Packet-in messages;
sorts the Packet-in message rates of the at least one neighbor switch, determines the neighbor switch with the minimum Packet-in message rate, and acquires the identifier DPID of that neighbor switch;
acquires the content, input port and path set of the network flow data packet according to its destination IP address, selects from the path set a path that meets a preset condition according to the DPID and input port of the neighbor switch, and issues an updated flow rule to the attacked current switch according to that path;
and, after waiting a preset time interval, judges again whether a DDoS attack is occurring between the controller and the current switch.
6. The system of claim 5, wherein the digitally signed certificate employs a hash operation.
7. The system according to any of claims 5-6, wherein the encryption algorithm comprises any of DES, MD5, AES.
8. The system according to any one of claims 5-7, wherein the network intermediary trusted authority CA can be any one of a certificate server, a key server, a digital certificate server.
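The identity authentication and key agreement recited in claims 1 and 5, as an added Go example; it is not code from the patent or from the applicant. Choices the claims leave open are assumed here: the CA signs the plaintext message with Ed25519 (which hashes the plaintext internally, so the digital signature certificate employs a hash operation as in claims 2 and 6), the controller and switch hold RSA-2048 keys and the third random number is encrypted with RSA-OAEP, the negotiated key is SHA-256 over the three random numbers in place of a full KDF, and the controller confirms only AES-256-GCM. Of the algorithms listed in claims 3 and 7, DES is refused because its 56-bit key is brute-forceable, and MD5 is a hash function rather than an encryption algorithm. The certificate layout and device identifiers are constructed; the example stops at key agreement and does not implement the subsequent encrypted communication.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert is the CA's reply to a legal device: a plaintext message (device id, RSA key) plus the CA signature.
type Cert struct {
	DeviceID string
	PubKey   *rsa.PublicKey
	Sig      []byte
}

func (c Cert) plaintext() []byte {
	return append([]byte(fmt.Sprintf("%s|%d|", c.DeviceID, c.PubKey.E)), c.PubKey.N.Bytes()...)
}

// CA is the trusted authority in the middle of the network: signing key plus database of legal devices.
type CA struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	legal map[string]bool
}

func NewCA(legal map[string]bool) *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &CA{priv, pub, legal}
}

// Authenticate answers an identity-authentication request; an unknown identifier gets the failure notice.
func (ca *CA) Authenticate(deviceID string, pub *rsa.PublicKey) (Cert, error) {
	if !ca.legal[deviceID] {
		return Cert{}, errors.New("authentication failure: unknown device " + deviceID)
	}
	c := Cert{DeviceID: deviceID, PubKey: pub}
	c.Sig = ed25519.Sign(ca.priv, c.plaintext()) // Ed25519 hashes the plaintext internally
	return c, nil
}

// VerifyCert checks a Cert with the CA public key; a peer never encrypts to a key the CA did not sign.
func VerifyCert(caPub ed25519.PublicKey, c Cert) (*rsa.PublicKey, error) {
	if c.PubKey == nil || !ed25519.Verify(caPub, c.plaintext(), c.Sig) {
		return nil, errors.New("authentication error: bad CA signature for " + c.DeviceID)
	}
	return c.PubKey, nil
}

// Device is a controller or a switch: its RSA key pair and the Cert the CA issued.
type Device struct {
	priv *rsa.PrivateKey
	Cert Cert
}

func NewDevice(id string, ca *CA) (*Device, error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, err := ca.Authenticate(id, &priv.PublicKey)
	return &Device{priv, cert}, err
}

// Algorithms the controller confirms; DES is absent on purpose, so an unacceptable offer is refused, never downgraded.
var controllerAccepts = map[string]bool{"AES-256-GCM": true}

func random32() []byte { b := make([]byte, 32); rand.Read(b); return b }

// deriveKey stands in for a KDF: SHA-256 over the three random numbers (assumption, not from the claims).
func deriveKey(r1, r2, r3 []byte) []byte {
	sum := sha256.Sum256(append(append(append([]byte{}, r1...), r2...), r3...))
	return sum[:]
}

// Handshake runs the four messages of the encrypted secure connection and returns each side's derived key.
func Handshake(caPub ed25519.PublicKey, sw, ctl *Device, offered string) ([]byte, []byte, error) {
	r1 := random32()                 // 1. switch -> controller: version, offered algorithm, r1
	if !controllerAccepts[offered] { // 2. controller confirms the algorithm (or refuses) ...
		return nil, nil, errors.New("encryption algorithm refused: " + offered)
	}
	r2 := random32() // ... and returns r2 together with its Cert (ctl.Cert)
	ctlPub, err := VerifyCert(caPub, ctl.Cert) // 3. switch verifies the controller Cert with the CA key ...
	if err != nil {
		return nil, nil, err
	}
	r3 := random32() // ... encrypts r3 to the controller's public key and sends encR3 with sw.Cert
	encR3, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, ctlPub, r3, nil)
	if _, err := VerifyCert(caPub, sw.Cert); err != nil { // 4. controller verifies the switch Cert ...
		return nil, nil, err
	}
	r3ctl, err := rsa.DecryptOAEP(sha256.New(), nil, ctl.priv, encR3, nil) // ... and decrypts r3
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(r1, r2, r3), deriveKey(r1, r2, r3ctl), nil // key agreement complete
}

func main() {
	ca := NewCA(map[string]bool{"controller-1": true, "switch-7": true}) // constructed identifiers
	ctl, _ := NewDevice("controller-1", ca)
	sw, _ := NewDevice("switch-7", ca)
	fmt.Println(Handshake(ca.Pub, sw, ctl, "AES-256-GCM"))
}
```

Two checks in the flow carry the security value: every public key used for encryption is taken from a certificate that was just verified against the CA key, so a forged or altered certificate (the test tampers with a device identifier) aborts the handshake, and the algorithm confirmation is an allowlist on the controller side, so a weak offer fails closed instead of being negotiated down to.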
CN201911135956.1A 2019-11-19 2019-11-19 Attack defense method and system for flow adaptive scheduling Pending CN110719301A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911135956.1A CN110719301A (en) 2019-11-19 2019-11-19 Attack defense method and system for flow adaptive scheduling

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911135956.1A CN110719301A (en) 2019-11-19 2019-11-19 Attack defense method and system for flow adaptive scheduling

Publications (1)

Publication Number Publication Date
CN110719301A true CN110719301A (en) 2020-01-21

Family

ID=69216167

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911135956.1A Pending CN110719301A (en) 2019-11-19 2019-11-19 Attack defense method and system for flow adaptive scheduling

Country Status (1)

Country Link
CN (1) CN110719301A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571340A (en) * 2010-12-23 2012-07-11 普天信息技术研究院有限公司 Certificate authentication device as well as access method and certificate update method thereof
CN104811338A (en) * 2015-04-16 2015-07-29 中国科学院计算技术研究所 Communication channel self-configuration method and system facing control layer and data layer of SDN (Software Defined Network)
US20160373310A1 (en) * 2015-06-19 2016-12-22 International Business Machines Corporation Automated configuration of software defined network controller
CN107733929A (en) * 2017-11-30 2018-02-23 中国联合网络通信集团有限公司 Authentication method and Verification System
CN108712364A (en) * 2018-03-22 2018-10-26 西安电子科技大学 A kind of safety defense system and method for SDN network
CN109525397A (en) * 2018-10-12 2019-03-26 南京邮电大学 A kind of block chain and method towards SDN network stream rule safety guarantee

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孟庆月: "SDN网络南向安全防护系统研究与实现" (Research and implementation of a southbound security protection system for SDN networks), China Master's Theses Full-text Database, Information Science and Technology series *
陶蒙恩: "面向SDN的DDoS攻击防御技术研究与系统实现" (Research and system implementation of DDoS attack defense technology for SDN), China Master's Theses Full-text Database, Information Science and Technology series *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200121