CN110798442A - Data injection attack detection method and related device - Google Patents
- Authority
- CN
- China
- Prior art keywords
- sdn switch
- sdn
- host information
- packet
- data
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention relates to the technical field of SDN, and provides a data injection attack detection method and a related device, wherein the method comprises the following steps: receiving a Packet-In data Packet sent by an SDN switch; when the Packet-In data Packet comprises source host information, detecting whether the source host information exists locally; when source host information does not exist locally, acquiring network flow of the SDN switch; entropy analysis is carried out on a sampling data packet of the SDN switch according to the network flow of the SDN switch so as to judge whether a data injection attack to the SDN controller through the SDN switch exists or not. The false alarm rate for judging whether the data injection attack exists is reduced through secondary detection.
Description
Technical Field
The invention relates to the technical field of SDN, in particular to a data injection attack detection method and a related device.
Background
Software-defined networking (SDN) is a new network architecture whose main feature is the separation of the control and forwarding planes. When an SDN switch receives data sent by a host and no flow table entry matches it, the switch encapsulates the data into a Packet-In data packet and sends it to the SDN controller, which processes the Packet-In data packet. Under this mechanism, any unmatched data causes the switch to send a Packet-In to the controller, so a large number of data packets with random Media Access Control (MAC) addresses can easily and continuously trigger Packet-In data packets, thereby achieving a data injection attack on the SDN controller.
The prior-art detection method, which judges whether a data injection attack exists through a single matching check, has a high false alarm rate.
Disclosure of Invention
In view of the above, the present invention provides a data injection attack detection method and a related apparatus, so as to reduce a false alarm rate of detection of a data injection attack.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical solutions:
in a first aspect, an embodiment of the present invention provides a data injection attack detection method, which is applied to a software defined network SDN controller, where the SDN controller is in communication connection with an SDN switch, and the method includes: receiving a Packet-In data Packet sent by an SDN switch; when the Packet-In data Packet comprises source host information, detecting whether the source host information exists locally; when source host information does not exist locally, acquiring network flow of the SDN switch; entropy analysis is carried out on a sampling data packet of the SDN switch according to the network flow of the SDN switch so as to judge whether a data injection attack to the SDN controller through the SDN switch exists or not.
In a second aspect, an embodiment of the present invention provides a data injection attack detection apparatus, which is applied to a software defined network SDN controller, where the SDN controller is in communication connection with an SDN switch, and the apparatus includes: a receiving module, used for receiving a Packet-In data packet sent by the SDN switch; a detection module, used for detecting whether source host information exists locally when the Packet-In data packet includes the source host information; an acquisition module, used for acquiring the network traffic of the SDN switch when the source host information does not exist locally; and an analysis module, used for performing entropy analysis on sampling data packets of the SDN switch according to the network traffic of the SDN switch, so as to judge whether a data injection attack on the SDN controller through the SDN switch exists.
In a third aspect, an embodiment of the present invention provides an SDN controller, including a processor and a memory, where the memory stores machine executable instructions executable by the processor, and the processor may execute the machine executable instructions to implement the above-mentioned data injection attack detection method.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the data injection attack detection method described above.
Compared with the prior art, the embodiment of the invention provides a data injection attack detection and related device, which comprises the steps of firstly receiving a Packet-In data Packet sent by an SDN switch, detecting whether source host information exists locally when the Packet-In data Packet comprises the source host information, acquiring network flow of the SDN switch when the source host information does not exist locally, and then carrying out entropy analysis on a sampling data Packet of the SDN switch according to the network flow of the SDN switch so as to judge whether a data injection attack on an SDN controller through the SDN switch exists. The two-stage detection is adopted, namely, whether source host information exists locally or not is judged, when the source host information does not exist locally, entropy analysis is further carried out on a sampling data packet of the SDN switch, whether data injection attack on the SDN controller through the SDN switch exists or not is judged, and therefore the problem that the false alarm rate is high due to the fact that whether the data injection attack exists or not is judged only through the source host information is solved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 shows a schematic view of an application scenario provided in an embodiment of the present invention.
Fig. 2 shows a flowchart of a data injection attack detection method provided by an embodiment of the present invention.
Fig. 3 is a flowchart illustrating sub-steps of step S104 shown in fig. 2.
Fig. 4 is a flowchart illustrating sub-steps of step S108 shown in fig. 2.
Fig. 5 is a schematic diagram illustrating a scenario of communication connection between two SDN controllers according to an embodiment of the present invention.
Fig. 6 is a block diagram illustrating a data injection attack detection apparatus according to an embodiment of the present invention.
Fig. 7 shows a block diagram of an SDN controller according to an embodiment of the present invention.
Reference numerals: 10-an SDN controller; 101-a memory; 102-a communication interface; 103-a processor; 104-a bus; 20-an SDN switch; 30-a host; 200-data injection attack detection means; 201-a receiving module; 202-a detection module; 203-an obtaining module; 204-an analysis module; 205-a staging module; 206-source host information processing module; 207-an interception module; 208-update module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
It should be noted that the features of the embodiments of the present invention may be combined with each other without conflict.
To prevent data injection attacks, a common technique binds, on the SDN controller, the MAC address of a host, the identifier of the SDN switch connected to the host, and the port number of that SDN switch. That is, the host information of the host is added to a binding table, a host whose information is not in the binding table is regarded as an attacking host, and when a new host joins, its host information is updated into the binding table. When the host MAC address in a Packet-In data packet received by the SDN controller is not in the controller's binding table, a data injection attack initiated by a forged host through the SDN switch is considered to exist, and the Packet-In data packet from the forged host is discarded. However, the size of the binding table that the SDN controller can store is limited, so when the existence of a data injection attack is judged only by whether the host MAC address in the Packet-In data packet is in the binding table, a normal host that is not yet in the binding table may be treated as an attacking host, and the false alarm rate of this detection scheme is high.
In view of this, embodiments of the present invention provide a data injection attack detection method and a related apparatus, which can reduce a false alarm rate of data attack detection. The following is described by way of example.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating an application scenario provided by an embodiment of the present invention, in fig. 1, an SDN controller 10 is communicatively connected to at least one SDN switch 20, each SDN switch 20 is communicatively connected to at least one host 30, and the SDN controller 10 is further communicatively connected to other SDN controllers 10. After receiving a Packet-In data Packet sent by the SDN switch 20, the SDN controller 10 first determines whether the Packet-In data Packet includes source host information, and when the Packet-In data Packet includes the source host information, detects whether the source host information exists locally, and when the source host information does not exist locally, acquires network traffic of the SDN switch 20, and performs entropy analysis on a sampling data Packet of the SDN switch 20 according to the network traffic to determine whether a data injection attack on the SDN controller 10 through the SDN switch 20 exists. In a specific embodiment, each SDN controller 10 stores a host information table, and one SDN controller 10 may periodically acquire the host information table stored by another SDN controller 10, and update its local host information table according to the acquired host information table of another SDN controller 10.
It should be noted that, in fig. 1, another SDN controller 10 may also be in communication connection with at least one SDN switch 20, and each SDN switch 20 may also be in communication connection with at least one host 30, although not explicitly shown in fig. 1, the present embodiment is not limited to a scenario in which another SDN controller 10 is not in communication connection with any SDN switch 20.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for detecting a data injection attack according to an embodiment of the present invention, where the method includes the following steps:
Step S101, receiving a Packet-In data Packet sent by the SDN switch.
In this embodiment, the Packet-In data packets sent by the SDN switch 20 and received by the SDN controller 10 include at least two types: (1) after the SDN switch 20 receives a data Packet sent by the host 30, when a flow entry matching the data Packet cannot be found, the SDN switch 20 encapsulates the data Packet into a Packet-In data Packet and sends the Packet-In data Packet to the SDN controller 10, where the Packet-In data Packet received by the SDN controller 10 includes host information of the host 30, that is, source host information; (2) when the SDN controller 10 needs to obtain the topology position of the SDN switch 20, the SDN switch 20 encapsulates a Link Layer Discovery Protocol (LLDP) Packet containing Link information between the SDN switches 20 into a Packet-In data Packet, and sends the Packet-In data Packet to the SDN controller 10, where the Packet-In data Packet received by the SDN controller 10 does not include any host information.
Step S102, when the Packet-In data Packet includes the source host information, whether the source host information exists locally is detected.
In this embodiment, the SDN controller 10 decapsulates the Packet-In data Packet, and determines whether the Packet-In data Packet includes source host information, where the source host information includes a source MAC address, an identifier of an SDN switch, and a port number of the SDN switch, and of course, the source host information may also include other information such as a source IP address according to an actual scene requirement.
In an alternative embodiment, the SDN controller 10 stores a host information table, where the host information table includes host information of at least one host 30, and the host information of each host 30 includes a MAC address of the host, an identifier of an SDN switch in communication with the host, and a port number of the SDN switch, and the identifier of the SDN switch may be an ID of the SDN switch. As a specific implementation manner, the method for detecting whether the source host information exists locally may be:
First, when the MAC address, the identifier of the SDN switch, and the port number of the SDN switch of any host in the host information table are respectively consistent with the source MAC address, the identifier of the SDN switch, and the port number of the SDN switch in the source host information, it is determined that the source host information exists locally.
Second, when, for every host in the host information table, at least one of the MAC address, the identifier of the SDN switch, and the port number of the SDN switch is inconsistent with the source MAC address, the identifier of the SDN switch, and the port number of the SDN switch in the source host information, it is determined that the source host information does not exist locally.
In this embodiment, the host information of a host in the host information table is obtained, the MAC address in that host information is compared with the source MAC address in the source host information, the SDN switch identifier in that host information is compared with the SDN switch identifier in the source host information, and the port number of the SDN switch in that host information is compared with the port number of the SDN switch in the source host information. If all three items are consistent, the host information of the host is judged to be consistent with the source host information, that is, the source host information exists locally. If any one of the three items is inconsistent, the host information of the host is judged to be inconsistent with the source host information, and if the host information of every host in the host information table is inconsistent with the source host information, the source host information is judged not to exist locally.
It should be noted that the host information of the host may also be stored in a file manner, for example, each line in the file corresponds to host information of one host, and detecting whether the source host information exists locally may be implemented by detecting whether the source host information exists in the file.
Step S103, when the source host information does not exist locally, acquiring the network flow of the SDN switch.
In this embodiment, when the source host information does not exist locally, the host corresponding to the source host information is, without limitation, one of the following two types: (1) a normal host 30 newly added to the SDN network; (2) a maliciously forged host 30 used for a data injection attack. Further judgment is needed to finally determine which type the host belongs to.
Step S104, performing entropy analysis on sampling data packets of the SDN switch according to the network traffic of the SDN switch, so as to judge whether a data injection attack on the SDN controller through the SDN switch exists.
In this embodiment, the network traffic of the SDN switch 20 may be real-time network traffic, or may be average network traffic within a preset time period, and the network traffic of the SDN switch 20 may be the number of data packets forwarded by the SDN switch 20 in unit time, or may be the data amount forwarded by the SDN switch 20 in unit time.
In this embodiment, a large number of hosts 30 forging MAC addresses send attack packets to the SDN switch 20, after the SDN switch 20 receives an attack Packet, because a flow entry matching the attack Packet cannot be found, the attack Packet is encapsulated into a Packet-In Packet and then sent to the SDN controller 10, and a large number of attack packets may consume computing resources of the SDN controller 10, thereby implementing data injection attack on the SDN controller 10 through the SDN switch 20.
In an optional embodiment, taking as an example the case where the network traffic of the SDN switch 20 is the number of data packets forwarded by the SDN switch 20 per unit time, the method for performing entropy analysis on the sampling data packets of the SDN switch 20 according to the network traffic of the SDN switch 20, to determine whether there is a data injection attack on the SDN controller 10 through the SDN switch 20, may be as follows: determine a window length (that is, the number of sampling data packets in a window), a window number, and a threshold according to the network traffic of the SDN switch 20; calculate the required number of sampling data packets according to the window length and the window number; obtain that number of sampling data packets from the SDN switch 20; calculate the window entropy value of the source MAC addresses in the sampling data packets in each window; calculate the average entropy value of all the window entropy values; and judge whether a data injection attack on the SDN controller 10 through the SDN switch 20 exists according to the average entropy value and the threshold.
Referring to fig. 3, fig. 3 is a flowchart illustrating sub-steps of step S104 shown in fig. 2, wherein step S104 includes the following sub-steps:
Substep S1041, determining a window length, a window number, and a threshold according to the network traffic acquired from the SDN switch, wherein the window length is the number of sampling data packets in the window.
In this embodiment, a corresponding window length, window number, and threshold may be set for each network traffic interval. For example, when the network traffic is in the interval [0, 10], the window length is 50, the window number is 10, and the threshold is 5; when the network traffic is in the interval [10, 100], the window length is 10, the window number is 3, and the threshold is 10. If the network traffic acquired from the SDN switch 20 is 50, the corresponding window length is 10, the window number is 3, and the threshold is 10.
Substep S1042, calculating the number of sampling packets according to the window length and the window number.
In this embodiment, the required number of sampling packets is the window length × the window number, or the required number of sampling packets is the window length × the window number × the preset parameter.
Substep S1043, obtaining a sampling data packet satisfying the number of sampling data packets from the SDN switch, wherein the sampling data packet includes the source MAC address.
In this embodiment, the MAC address is an identifier for uniquely characterizing a hardware device, and a manufacturer of the hardware device will usually burn a MAC address for the hardware device manufactured by the manufacturer to identify the hardware device. The source MAC address in the sampling packet refers to the MAC address of the host 30 that sent the sampling packet, but of course, the source MAC address in the sampling packet may also be forged maliciously to replace the real MAC address of the host 30.
Substep S1044, calculating a window entropy value of the source MAC address in the sampled packet within each window.
In the present embodiment, for each window:
First, the probability of occurrence of each source MAC address in the sampled data packets in the window is calculated by the formula $P_i = X_i / W$, wherein $X_i$ is the number of times the i-th source MAC address occurs in the window and $W$ is the window length.
For example, W is 5, i.e. the window has 5 sampling data packets, and the source MAC addresses of the 1# data packet to the 5# data packet are respectively 00-00-00-00-00-E0, 00-00-00-00-00-F0, 00-00-00-00-00-E0, 00-00-00-00-00-D0, and 00-00-00-00-00-A0. The 5 sampling data packets have 4 non-repeating source MAC addresses in total: the 1st source MAC address 00-00-00-00-00-E0 occurs 2 times, the 2nd source MAC address 00-00-00-00-00-F0 occurs 1 time, the 3rd source MAC address 00-00-00-00-00-D0 occurs 1 time, and the 4th source MAC address 00-00-00-00-00-A0 occurs 1 time.
Second, the window entropy value of the source MAC addresses that occur is calculated by the formula, wherein H is the window entropy value and K is the total number of non-repeating source MAC addresses.
Substep S1045, calculating an average entropy value according to all the window entropy values and the number of windows.
In the present embodiment, the average entropy value is calculated by the formula, wherein E is the average entropy value, n is the actual number of windows, and $H_i$ is the window entropy value of the i-th window.
In this embodiment, for example, if the number of windows is 3, the window length is 10, and the preset parameter is 3, the required number of sampling packets is 3 × 10 × 3 = 90, and the actual number of windows is 9.
Substep S1046, determining that there is a data injection attack on the SDN controller through the SDN switch when the average entropy value is greater than the threshold.
Substep S1047, determining that there is no data injection attack on the SDN controller through the SDN switch when the average entropy value is less than or equal to the threshold.
In this embodiment, since the threshold is determined according to the network traffic, and the network traffic obtained each time represents the current network transmission condition, it can be ensured that the threshold determined each time is matched with the current network transmission condition, thereby ensuring the rationality of the judgment result according to the average entropy and the threshold, and reducing the misjudgment rate.
In this embodiment, when the source host information in a Packet-In data packet does not exist locally, the Packet-In data packet may be an attack packet or a normal packet from a new host 30. Until it has been determined whether a data injection attack on the SDN controller 10 through the SDN switch 20 exists, the source host information needs to be stored temporarily; after the entropy analysis of the sampling data packets of the SDN switch 20 has determined whether such an attack exists, the source host information is processed further. Therefore, the present embodiment further includes step S105.
Step S105, when the source host information does not exist locally, the source host information is temporarily stored.
It should be noted that step S105 may be executed at any time after detecting that there is no source host information locally and before determining whether there is a data injection attack on the SDN controller 10 by the SDN switch 20 in step S104, that is, step S105 may be executed before step S103, or after step S103 and before step S104.
In this embodiment, when there is no data injection attack on the SDN controller 10 through the SDN switch 20, the Packet-In data packet is a normal Packet-In data packet from a new host 30. To ensure that subsequent normal Packet-In data packets from the new host 30 are processed normally, the source host information in the Packet-In data packet needs to be added to the host information table. When there is a data injection attack on the SDN controller 10 through the SDN switch 20, the Packet-In data packet is an attack packet, and to ensure that subsequent attack packets can be detected in time, the temporarily stored source host information from the Packet-In data packet needs to be deleted. This embodiment therefore further includes step S106 and step S107.
Step S106, when no data injection attack on the SDN controller through the SDN switch exists, adding the temporarily stored source host information to the host information table.
In the present embodiment, step S106 may be executed before step S109 or after step S110.
Step S107, deleting the temporarily stored source host information when a data injection attack on the SDN controller through the SDN switch exists.
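The two-stage check of steps S102 to S107, with the entropy analysis of substeps S1041 to S1047, can be sketched as follows. This is an added example, not code from the patent: the function and class names are hypothetical, the entropy is assumed to be base-2 Shannon entropy over the $P_i$ values, and the thresholds are constructed values (the window lengths and window counts are those of the S1041 example).

```python
import math
from collections import Counter

# (traffic upper bound, window length W, window count, threshold). W and the
# window counts come from the S1041 example; the thresholds are constructed
# values, chosen below log2(W), the most a W-packet window can reach with
# base-2 Shannon entropy (the log base is an assumption).
BANDS = [(10, 50, 10, 4.0), (100, 10, 3, 2.5)]


def pick_params(traffic):
    """S1041: map switch traffic (packets per unit time) to (W, windows, threshold)."""
    for upper, w, n, thr in BANDS:
        if traffic <= upper:
            return w, n, thr
    return BANDS[-1][1:]  # assumption: reuse the last band above its upper bound


def window_entropy(macs):
    """S1044: P_i = X_i / W over the window, then H = -sum(P_i * log2(P_i))."""
    w = len(macs)
    return -sum((x / w) * math.log2(x / w) for x in Counter(macs).values())


def mean_entropy(sample_macs, w):
    """S1045: average the entropy of each full window of length w."""
    windows = [sample_macs[i:i + w] for i in range(0, len(sample_macs) - w + 1, w)]
    if not windows:
        raise ValueError("fewer sampled packets than one window")
    return sum(window_entropy(win) for win in windows) / len(windows)


class Controller:
    """Two-stage check; host entries are (mac, switch_id, port) tuples."""

    def __init__(self, hosts):
        self.hosts = set(hosts)   # host information table
        self.staged = set()       # S105: entries awaiting a verdict

    def on_packet_in(self, src, traffic, sample_macs):
        if src is None:                      # e.g. LLDP Packet-In, no host info
            return "no-host-info"
        if src in self.hosts:                # S102: all three fields must match
            return "known"
        self.staged.add(src)                 # S105: hold until the verdict
        w, n, thr = pick_params(traffic)     # S1041
        needed = w * n                       # S1042
        if len(sample_macs) < needed:        # S1043 not satisfied yet
            return "pending"
        avg = mean_entropy(sample_macs[:needed], w)
        self.staged.discard(src)
        if avg > thr:                        # S1046, then S107: drop the entry
            return "attack"
        self.hosts.add(src)                  # S1047, then S106: learn the host
        return "new-host"


# Constructed sample data. PATENT_WINDOW is the five-packet window of the
# S1044 example, with the addresses written as six octets.
PATENT_WINDOW = ["00-00-00-00-00-E0", "00-00-00-00-00-F0", "00-00-00-00-00-E0",
                 "00-00-00-00-00-D0", "00-00-00-00-00-A0"]
CALM = [f"00-00-00-00-00-0{i % 3}" for i in range(30)]   # three hosts talking
FLOOD = [f"02-00-00-00-00-{i:02X}" for i in range(30)]   # 30 distinct MACs

if __name__ == "__main__":
    ctl = Controller({("00-00-00-00-00-00", "s1", 1)})
    print(round(window_entropy(PATENT_WINDOW), 4))
    print(ctl.on_packet_in(("00-00-00-00-00-01", "s1", 2), 50, CALM))
    print(ctl.on_packet_in(("02-00-00-00-00-1D", "s1", 3), 50, FLOOD))
```

A window of W packets whose source MAC addresses are all different has entropy log2(W), so a threshold at or above that value can never be exceeded; whatever entropy formula is deployed, the threshold for each traffic band has to be set against the maximum its window length allows.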
In the process of researching the present solution, the inventor further finds that, In order to prevent injection attack data from occupying a secure communication channel between the SDN controller 10 and the SDN switch 20 In the prior art, once the SDN controller 10 finds itself being attacked by data injection from the SDN switch 20, measures generally taken are to directly discard Packet-In packets forwarded by the SDN switch 20. However, this method may cause normal Packet-In to be discarded, which affects normal forwarding service of the SDN switch 20, and increases the cost of defending against attacks. Based on this problem, the inventor proposes a solution to reduce the cost of defending against attacks, and therefore, the present embodiment further includes step S108.
Step S108, when a data injection attack on the SDN controller through the SDN switch exists, intercepting, on a timed basis, the Packet-In data packets sent by the SDN switch to defend against the data injection attack.
In this embodiment, in order to intercept Packet-In data packets sent by the SDN switch 20, an interception flow table is sent to the SDN switch 20, so that the SDN switch 20 directly discards the Packet-In data packets without forwarding them to the SDN controller 10 for processing. Once interception is in place, all Packet-In data packets from the SDN switch 20 are prevented from reaching the SDN controller 10, so normal Packet-In data packets are not processed either, which implicitly increases the cost of defending against the attack. To reduce this cost, after the Packet-In data packets sent by the SDN switch 20 are intercepted, whether a data injection attack on the SDN controller 10 through the SDN switch 20 still exists is detected periodically; once no data injection attack is detected, the interception flow table is deleted and interception is lifted, so that reception of Packet-In data packets sent by the SDN switch 20 resumes. This minimizes the impact of the defence on the normal operation of the SDN switch 20 and thereby reduces the cost of defence caused by interception.
Referring to fig. 4, fig. 4 is a flowchart illustrating sub-steps of step S108 shown in fig. 2, wherein step S108 includes the following sub-steps:
Substep S1081, sending an interception flow table to the SDN switch to intercept the Packet-In data packets sent by the SDN switch.
Substep S1082, acquiring the network traffic of the SDN switch at every preset time interval, and performing entropy analysis on sampling data packets of the SDN switch according to the network traffic of the SDN switch, so as to judge whether a data injection attack on the SDN controller through the SDN switch exists.
In this embodiment, as an implementation manner, a timer may be set, and when the timer expires, the entropy analysis is started, that is: firstly, acquiring network flow of the SDN switch 20; then, entropy analysis is performed on the sampling data packet of the SDN switch 20 according to the network traffic of the SDN switch 20, and finally, it is determined whether a data injection attack to the SDN controller 10 through the SDN switch 20 exists according to an entropy analysis result, which is similar to step S104 and is not described here again.
And a substep S1083, deleting the interception flow table to recover and receive a Packet-In data Packet sent by the SDN switch when the SDN controller is not attacked by data injection through the SDN switch.
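The timing behaviour of sub-steps S1081 to S1083 can be seen in a small simulation. This is an added example, not code from the patent: `FakeSwitch`, `InterceptionGuard`, the injected `attack_present` callable (standing in for the entropy analysis of S1082) and the one-packet-per-second timeline are all constructed assumptions.

```python
class FakeSwitch:
    """Constructed stand-in for an SDN switch; not a real OpenFlow API."""

    def __init__(self):
        self.interception_installed = False
        self.delivered = 0  # Packet-In packets that reached the controller
        self.dropped = 0    # Packet-In packets discarded by the interception flow table

    def packet_in(self):
        if self.interception_installed:
            self.dropped += 1
        else:
            self.delivered += 1


class InterceptionGuard:
    """Timed interception for one switch, driven by an explicit clock value."""

    def __init__(self, switch, period, attack_present):
        self.switch = switch
        self.period = period                  # preset time period, in seconds
        self.attack_present = attack_present  # callable returning True while the attack persists
        self.next_check = None                # None means no interception is active

    def start(self, now):
        # S1081: install the interception flow table and arm the timer.
        self.switch.interception_installed = True
        self.next_check = now + self.period

    def poll(self, now):
        """Call from the controller's timer loop; returns True while intercepting."""
        if self.next_check is None:
            return False
        if now >= self.next_check:
            if self.attack_present():
                # S1082: attack still present, keep intercepting and re-arm the timer.
                self.next_check = now + self.period
            else:
                # S1083: no attack, delete the interception flow table.
                self.switch.interception_installed = False
                self.next_check = None
        return self.next_check is not None


def simulate(attack_ends_at=25, period=10, duration=40):
    """One Packet-In per second; returns (dropped, delivered, second interception was lifted)."""
    switch = FakeSwitch()
    now = 0
    guard = InterceptionGuard(switch, period, lambda: now < attack_ends_at)
    guard.start(now)
    lifted_at = None
    for now in range(duration):
        intercepting = guard.poll(now)
        if not intercepting and lifted_at is None:
            lifted_at = now
        switch.packet_in()
    return switch.dropped, switch.delivered, lifted_at


if __name__ == "__main__":
    print(simulate(period=10))
    print(simulate(period=5))
```

With the attack ending at second 25, a 10-second period keeps dropping legitimate Packet-In packets until second 30, while a 5-second period lifts interception at second 25; the preset time period bounds how long normal traffic stays blocked after the attack stops.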
In this embodiment, the more host information the host information table holds and the more accurate that information is, the lower the probability of a false alarm. So that changed host information is written to the host information table promptly when the topology position of a host 30 changes or a new host 30 is added, this embodiment further includes step S109 and step S110.
Step S109, periodically acquiring a host information table stored in another SDN controller.
In the present embodiment, one SDN controller 10 is generally in communication connection with another SDN controller 10, each SDN controller 10 stores a host information table, and the host information table of each SDN controller 10 generally stores host information of a host corresponding to the SDN switch 20 in communication connection with the SDN controller 10 after initialization is completed.
Fig. 5 is a schematic diagram of a scenario in which two SDN controllers 10 are communicatively connected according to an embodiment of the present invention. In fig. 5, the 1# SDN controller is communicatively connected to the 2# SDN controller; the 1# SDN controller is communicatively connected to the 11# SDN switch and the 2# SDN controller to the 21# SDN switch; the 11# SDN switch is communicatively connected to three hosts A, B and C, and the 21# SDN switch to three hosts D, E and F. After initialization is completed, the host information table stored in the 1# SDN controller includes the host information of hosts A, B and C, and the host information table stored in the 2# SDN controller includes the host information of hosts D, E and F.
Step S110, updating a local host information table according to a host information table stored by another SDN controller.
In this embodiment, after the SDN controller 10 acquires the host information table of another SDN controller 10, the host information in the host information table of another SDN controller 10 is updated to the local host information table of the SDN controller 10, so that the host information table of the SDN controller 10 includes host information of more hosts, thereby reducing a false alarm rate.
For example, in fig. 5, the 1# SDN controller periodically acquires the host information table of the 2# SDN controller and adds the host information of hosts D, E and F from that table to its own host information table. After the update, the host information table of the 1# SDN controller includes the host information of hosts A, B, C, D, E and F.
Note that the SDN controller 10 may also periodically send its local host information table to another SDN controller 10, so that the other SDN controller 10 updates its own host information table according to the received table.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
First, a two-stage detection method is used: whether the source host information exists locally is checked, and only when it does not exist locally is entropy analysis performed on sampled data packets of the SDN switch 20. This addresses the high false alarm rate that results from judging whether a data injection attack exists from the source host information alone.
Second, the window length, the number of windows and the threshold are determined according to the network traffic of the SDN switch 20, which makes the entropy analysis of the sampled data packets of the SDN switch 20 more accurate and further improves the accuracy of data injection attack detection.
Third, source host information that does not exist locally is temporarily stored. When it is further confirmed that no data injection attack exists, the source host information is added to the local host information table as normal host information, so that Packet-In packets from the host 30 are not misjudged as abnormal packets next time, which reduces the false alarm rate. When it is further confirmed that a data injection attack exists, the source host information is deleted promptly, so that it does not occupy too much of the storage resources of the SDN controller 10.
Fourth, when a data injection attack exists, Packet-In packets sent by the SDN switch 20 are intercepted on a timed basis to defend against the data injection attack.
Fifth, when it is detected that no data injection attack exists, interception of the Packet-In packets sent by the SDN switch 20 is lifted promptly, so that the SDN controller 10 resumes receiving Packet-In packets sent by the SDN switch 20, which reduces the cost of defending against the data injection attack.
Sixth, the host information table stored by another SDN controller 10 is acquired periodically and the local host information table is updated from it, which ensures that the local host information table contains more normal host information, avoids false alarms caused by normal host information missing from the local table, and reduces the false alarm rate.
Based on the same inventive concept as the data injection attack detection method, an embodiment of the present invention further provides a data injection attack detection apparatus applied to a software-defined network (SDN) controller. Referring to fig. 6, fig. 6 shows a block diagram of the data injection attack detection apparatus 200 provided in an embodiment of the present invention. The data injection attack detection apparatus 200 includes a receiving module 201, a detection module 202, an obtaining module 203, an analysis module 204, a temporary storage module 205, a source host information processing module 206, an interception module 207, and an update module 208.
A receiving module 201, configured to receive a Packet-In data Packet sent by an SDN switch.
The detecting module 202 is configured to detect whether source host information exists locally when the Packet-In Packet includes the source host information.
As an embodiment, the SDN switch is in communication connection with at least one host, the SDN controller stores a host information table, the host information table includes host information of the at least one host, the host information of each host includes a MAC address of the host, an identifier of the SDN switch in communication with the host, and a port number of the SDN switch, and the detection module 202 is specifically configured to: when the MAC address of any host, the identifier of the SDN switch and the port number of the SDN switch in the host information table are respectively consistent with the source MAC address, the identifier of the SDN switch and the port number of the SDN switch in the source host information, judging that the source host information exists locally; when at least one of the MAC address of any host, the identifier of the SDN switch and the port number of the SDN switch in the host information table is inconsistent with the source MAC address, the identifier of the SDN switch and the port number of the SDN switch in the source host information, judging that no source host information exists locally.
An obtaining module 203, configured to obtain network traffic of the SDN switch when there is no source host information locally.
An analysis module 204, configured to perform entropy analysis on a sampling data packet of the SDN switch according to a network traffic of the SDN switch, so as to determine whether a data injection attack on the SDN controller through the SDN switch exists.
As an embodiment, the analysis module 204 is specifically configured to: determining window length, window number and a threshold value according to network flow acquired from an SDN switch, wherein the window length is the number of sampling data packets in a window; calculating the number of the data packets to be sampled according to the window length and the number of the windows; acquiring sampling data packets meeting the number of the sampling data packets from an SDN switch, wherein the sampling data packets comprise source MAC addresses; calculating a window entropy value of a source MAC address in a sampling data packet in each window; calculating an average entropy value according to all the window entropy values and the window number; when the average entropy value is larger than a threshold value, judging that a data injection attack on the SDN controller through the SDN switch exists; when the average entropy value is less than or equal to the threshold value, determining that no data injection attack on the SDN controller through the SDN switch exists.
The temporary storage module 205 is configured to temporarily store the source host information when the source host information does not exist locally.
A source host information processing module 206, configured to add the temporarily stored source host information to a host information table when there is no data injection attack to the SDN controller through the SDN switch; and when data injection attack on the SDN controller through the SDN switch exists, deleting the temporarily stored source host information.
The intercepting module 207 is configured to intercept a Packet-In data Packet sent by the SDN switch at regular time to defend against a data injection attack when the data injection attack to the SDN controller by the SDN switch exists.
As an embodiment, the intercepting module 207 is specifically configured to: sending an interception flow table to the SDN switch to intercept a Packet-In data Packet sent by the SDN switch; acquiring network flow of the SDN switch every other preset time period, and carrying out entropy analysis on a sampling data packet of the SDN switch according to the network flow of the SDN switch so as to judge whether data injection attack on an SDN controller through the SDN switch exists or not; and when the data injection attack on the SDN controller through the SDN switch does not exist, deleting the interception flow table to recover and receive the Packet-In data Packet sent by the SDN switch.
An updating module 208, configured to periodically obtain a host information table stored in another SDN controller; and updating the local host information table according to the host information table stored by another SDN controller.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the data injection attack detection apparatus 200 described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
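One way to implement the two-stage check carried out by the detection, temporary storage, analysis and source host information processing modules is shown here as an added example, not code from the patent. Shannon entropy with base 2, the fixed window length, window count and threshold, the `sample_source_macs` callback and the constructed sample traffic are assumptions, since this section gives neither the entropy formula nor the rule that derives those values from network traffic.

```python
import math
from collections import Counter


def window_entropy(macs):
    """Shannon entropy (base 2, an assumption) of the source MACs in one window."""
    counts = Counter(macs)
    total = len(macs)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def average_entropy(sampled_macs, window_length, window_count):
    """Split the samples into window_count windows and average the window entropies."""
    needed = window_length * window_count  # number of data packets to sample
    if len(sampled_macs) < needed:
        raise ValueError(f"need {needed} sampled packets, got {len(sampled_macs)}")
    entropies = [
        window_entropy(sampled_macs[i * window_length:(i + 1) * window_length])
        for i in range(window_count)
    ]
    return sum(entropies) / window_count


class Detector:
    def __init__(self, host_table, window_length, window_count, threshold):
        # Host information table entries: (MAC address, switch identifier, switch port).
        self.host_table = set(host_table)
        self.pending = set()  # temporarily stored source host information
        self.window_length = window_length
        self.window_count = window_count
        self.threshold = threshold

    def on_packet_in(self, src_mac, switch_id, port, sample_source_macs):
        """Return 'known', 'learned' or 'attack' for one Packet-In packet."""
        key = (src_mac, switch_id, port)
        # Stage 1: MAC, switch identifier and port must all match one table entry.
        if key in self.host_table:
            return "known"
        self.pending.add(key)
        # Stage 2: entropy analysis over packets sampled from the switch.
        macs = sample_source_macs(self.window_length * self.window_count)
        attack = average_entropy(macs, self.window_length, self.window_count) > self.threshold
        self.pending.discard(key)
        if attack:
            return "attack"          # temporarily stored entry is deleted
        self.host_table.add(key)     # temporarily stored entry becomes normal host information
        return "learned"


def benign_samples(n):
    """Constructed sample: three hosts taking turns sending."""
    hosts = ["00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"]
    return [hosts[i % 3] for i in range(n)]


def flood_samples(n):
    """Constructed sample: every packet carries a different source MAC."""
    return [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(n)]


if __name__ == "__main__":
    d = Detector({("00:00:00:00:00:0a", "s11", 1)}, 8, 4, threshold=2.0)
    print(d.on_packet_in("00:00:00:00:00:0b", "s11", 2, benign_samples))
    print(d.on_packet_in("02:00:00:00:00:99", "s11", 3, flood_samples))
```

A known MAC address seen on a different port fails stage 1 and goes through entropy analysis like any unknown host, because all three fields of an entry must match.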
Referring to fig. 7, fig. 7 is a block diagram illustrating an SDN controller 10 according to an embodiment of the present invention. The SDN controller 10 comprises a memory 101, a communication interface 102, a processor 103 and a bus 104, the memory 101, the communication interface 102 and the processor 103 are connected by the bus 104, and the processor 103 is configured to execute an executable module, such as a computer program, stored in the memory 101.
The Memory 101 may include a high-speed Random Access Memory (RAM) and may further include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the SDN controller 10 and at least one SDN switch 20 or other SDN controllers 10 is implemented by at least one communication interface 102 (which may be wired or wireless).
The bus 104 may be an ISA bus, PCI bus, EISA bus, or the like. Only one bi-directional arrow is shown in fig. 7, but this does not indicate only one bus or one type of bus.
The memory 101 is used to store a program, such as the data injection attack detection apparatus 200 shown in fig. 6. The data injection attack detection apparatus 200 includes at least one software functional module, which may be stored in the memory 101 in the form of software or firmware, or built into the Operating System (OS) of the SDN controller 10. After receiving an execution instruction, the processor 103 executes the program to implement the data injection attack detection method disclosed in the above embodiment of the present invention.
The processor 103 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 103 or by instructions in the form of software. The processor 103 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by the processor 103, the method for detecting data injection attack applied to the SDN controller 10 as disclosed in the foregoing embodiments is implemented.
In summary, embodiments of the present invention provide a data injection attack detection method and a related device, applied to a software-defined network (SDN) controller that is in communication connection with an SDN switch. The method includes: receiving a Packet-In packet sent by the SDN switch; when the Packet-In packet includes source host information, detecting whether the source host information exists locally; when the source host information does not exist locally, acquiring the network traffic of the SDN switch; and performing entropy analysis on sampled data packets of the SDN switch according to that network traffic to determine whether a data injection attack on the SDN controller through the SDN switch exists. Compared with the prior art, two-stage detection is adopted: whether the source host information exists locally is checked first, and only when it does not exist locally is entropy analysis performed on sampled data packets of the SDN switch to determine whether a data injection attack on the SDN controller through the SDN switch exists. This addresses the high false alarm rate that results from judging whether a data injection attack exists from the source host information alone.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (11)
1. A data injection attack detection method is applied to a Software Defined Network (SDN) controller, and the SDN controller is in communication connection with an SDN switch, and the method comprises the following steps:
receiving a Packet-In data Packet sent by the SDN switch;
when the Packet-In data Packet comprises source host information, detecting whether the source host information exists locally;
when the source host information does not exist locally, acquiring network flow of the SDN switch;
performing entropy analysis on a sampling data packet of the SDN switch according to the network flow of the SDN switch to judge whether a data injection attack on the SDN controller through the SDN switch exists.
2. The data injection attack detection method of claim 1, wherein the step of performing entropy analysis on sampled data packets of the SDN switch according to network traffic of the SDN switch to determine whether there is a data injection attack on the SDN controller by the SDN switch comprises:
determining a window length, a window number and a threshold value according to network traffic acquired from the SDN switch, wherein the window length is the number of sampling data packets in a window;
calculating the number of the data packets to be sampled according to the window length and the window number;
obtaining, from the SDN switch, sampled data packets that satisfy the number of sampled data packets, wherein the sampled data packets include a source MAC address;
calculating a window entropy value of a source MAC address in a sampling data packet in each window;
calculating an average entropy value according to all the window entropy values and the window number;
when the average entropy value is larger than the threshold value, determining that a data injection attack on the SDN controller through the SDN switch exists;
when the average entropy value is less than or equal to the threshold value, determining that there is no data injection attack on the SDN controller by the SDN switch.
3. The data injection attack detection method of claim 1, the method further comprising:
and when the source host information does not exist locally, temporarily storing the source host information.
4. The data injection attack detection method of claim 3, wherein the SDN switch is communicatively connected to at least one host, the SDN controller storing a host information table comprising host information for the at least one host, the method further comprising:
when there is no data injection attack on the SDN controller through the SDN switch, adding the temporarily stored source host information to the host information table;
and deleting the temporarily stored source host information when the data injection attack to the SDN controller through the SDN switch exists.
5. The method of claim 4, wherein the host information of each host includes a MAC address of the host, an identifier of an SDN switch in communication with the host, and a port number of the SDN switch, and the step of detecting whether the source host information exists locally comprises:
when the MAC address of any host, the identifier of the SDN switch and the port number of the SDN switch in the host information table are respectively consistent with the source MAC address, the identifier of the SDN switch and the port number of the SDN switch in the source host information, judging that the source host information exists locally;
when at least one of the MAC address of any one of the hosts, the identifier of the SDN switch, and the port number of the SDN switch in the host information table is inconsistent with the source MAC address, the identifier of the SDN switch, and the port number of the SDN switch in the source host information, it is determined that the source host information does not exist locally.
6. The data injection attack detection method of claim 1, the method further comprising:
when a data injection attack on the SDN controller through the SDN switch exists, periodically intercepting Packet-In packets sent by the SDN switch to defend against the data injection attack.
7. The data injection attack detection method of claim 6, wherein the step of periodically intercepting Packet-In packets sent by the SDN switch comprises:
sending an interception flow table to the SDN switch to intercept a Packet-In data Packet sent by the SDN switch;
acquiring network flow of the SDN switch every other preset time period, and carrying out entropy analysis on a sampling data packet of the SDN switch according to the network flow of the SDN switch so as to judge whether a data injection attack on the SDN controller through the SDN switch exists or not;
when the data injection attack on the SDN controller through the SDN switch does not exist, deleting the interception flow table so as to recover and receive a Packet-In data Packet sent by the SDN switch.
8. The data injection attack detection method of claim 1, wherein the SDN controller is communicatively connected with another SDN controller, the method further comprising:
regularly acquiring a host information table stored by the other SDN controller;
and updating a local host information table according to the host information table stored by the other SDN controller.
9. A data injection attack detection apparatus applied to a Software Defined Network (SDN) controller, the SDN controller being in communication connection with an SDN switch, the apparatus comprising:
a receiving module, configured to receive a Packet-In data Packet sent by the SDN switch;
the detection module is used for detecting whether the source host information exists locally or not when the Packet-In data Packet comprises the source host information;
an obtaining module, configured to obtain a network traffic of the SDN switch when the source host information does not exist locally;
an analysis module, configured to perform entropy analysis on a sampling data packet of the SDN switch according to a network traffic of the SDN switch, so as to determine whether a data injection attack on the SDN controller through the SDN switch exists.
10. An SDN controller comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the method of any one of claims 1-8.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910850860.7A CN110798442B (en) | 2019-09-10 | 2019-09-10 | Data injection attack detection method and related device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110798442A (en) | 2020-02-14 |
CN110798442B (en) | 2023-01-20 |
Family
ID=69427314
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910850860.7A Active CN110798442B (en) | 2019-09-10 | 2019-09-10 | Data injection attack detection method and related device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110798442B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116781338A (en) * | 2023-06-12 | 2023-09-19 | 国网河北省电力有限公司信息通信分公司 | DDos attack recognition method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN110798442B (en) | 2023-01-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
Denomination of invention: Data Injection Attack Detection Method and Related Devices Effective date of registration: 20230824 Granted publication date: 20230120 Pledgee: CITIC Bank Co.,Ltd. Guangzhou Branch Pledgor: GUANGZHOU VCMY TECHNOLOGY Co.,Ltd. Registration number: Y2023980053683 |