CN110808836A - Network authentication attack prediction method and system - Google Patents
- Publication number: CN110808836A (application CN201911135959.5A)
- Authority
- CN
- China
- Prior art keywords
- controller
- switch
- network
- trusted authority
- digital signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a network authentication attack prediction method and system. A secure encrypted channel is established between a controller and a switch, and a trusted certificate authority (CA) is added to authenticate and sign both the controller and the switch, so that bidirectional authentication between them is achieved and a key is negotiated between them; in this way SDN network vulnerabilities are remedied in a targeted manner. In parallel, copies of data segments are collected, exploitable attack vectors are extracted, the segments are analysed for abnormality and for logical association among multiple abnormal segments, abnormal points are determined, and from these the potential attack paths and security vulnerabilities of network nodes are obtained; the system then predicts whether the abnormal network nodes will improve in the future and whether other nodes similar to them will be attacked.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and a system for predicting a network authentication attack.
Background
In existing SDN deployments, a TLS secure channel between the controller and the switch is not mandatory and is disabled by default, which leaves the network vulnerable: communication between the controller and the switch may be in clear text, so any third party can intercept or modify the content exchanged by the two parties, and the channel is easily subjected to a man-in-the-middle attack. Without certificate-based authentication between the controller and the switch, an attacker can intercept requests sent by the controller to the switch, impersonate the controller toward the switch, and thus obtain the entire communication between the switch and the controller.
At the same time, the causes of an anomaly differ from one network node to another, so the system must be able to determine, from the condition of each network node, what the abnormal item is, predict whether the node will improve in the future, and predict whether other nodes similar to it will encounter attacks.
Therefore, a method and system for predicting security authentication attacks that also remedies SDN network vulnerabilities is urgently needed.
Disclosure of Invention
The invention aims to provide a network authentication attack prediction method and system. A secure encrypted channel is established between a controller and a switch, and a trusted certificate authority (CA) is added to authenticate and sign both the controller and the switch, so that bidirectional authentication between them is achieved and a key is negotiated between them; in this way SDN network vulnerabilities are remedied in a targeted manner. In parallel, copies of data segments are collected, exploitable attack vectors are extracted, the segments are analysed for abnormality and for logical association among multiple abnormal segments, abnormal points are determined, and from these the potential attack paths and security vulnerabilities of network nodes are obtained; the system then predicts whether the abnormal network nodes will improve in the future and whether other nodes similar to them will be attacked.
In a first aspect, the present application provides a network authentication attack prediction method, where the method includes:
acquiring network flow data, and identifying the type of a network according to network characteristics;
collecting data fragments in network flow, extracting usable attack vectors from the data fragments, and merging the received data fragments with local historical data fragments of a server;
analyzing the merged data segments by using an analysis model, searching abnormal data segments possibly existing in the merged data segments, marking network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzing whether logic association exists among the plurality of abnormal data segments;
for a network node marked as an abnormal point and continuously evaluated as untrusted, the server analyzes historical access data of the network node, extracts one or more items of resources, application programs, action instructions, user types and service types accessed by the network node, finds a reason causing the network node to be abnormal and untrusted, and predicts whether the reason is improved in a future period of time;
analyzing other network nodes similar to the network node marked as an abnormal point and continuously evaluated as untrusted, and predicting whether those other network nodes will also be attacked; similarity means that they own the same resources, the same type of application programs, the same action instructions, or the same type of users or services;
when the network is identified to be the SDN network, a control instruction is issued to a controller and a switch, and the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the controller and the switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identification of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identifier, judges whether the controller and the switch are legal, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the controller and the switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the controller and the switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch are successfully verified, the switch sends an encryption security connection request to the controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch perform encrypted communication on the established encrypted secure connection by using the negotiated encryption algorithm and key.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the digital signature certificate employs a hash operation.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the encryption algorithm includes any one of DES, MD5, and AES.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the network intermediary trusted authority CA may be any one of a certificate server, a key server, and a digital certificate server.
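The enrollment and four-message handshake of the first aspect, as an added example that is not the patent's own code: the CA's signed "plaintext message" is modelled as an RSA-PSS signature over the device's identity fields and public key, the third random number is encrypted to the controller with RSA-OAEP, and the session key is derived from the three random numbers with SHA-256. The device identifiers, identity strings and CA database are constructed for the example, and the version and algorithm fields of messages 1 and 2 are noted in comments rather than carried, since the patent does not fix their format.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Cert is the CA's signed "plaintext message": identity fields plus device public key.
type Cert struct {
	DeviceID string
	Identity string
	PubKey   *rsa.PublicKey
	Sig      []byte
}

// certDigest hashes the fields with NUL separators so they cannot be re-split.
func certDigest(c Cert) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%x\x00%d", c.DeviceID, c.Identity, c.PubKey.N, c.PubKey.E)
	return h.Sum(nil)
}

// CA is the trusted authority: its key pair plus the database of legal equipment ids.
type CA struct {
	key     *rsa.PrivateKey
	allowed map[string]bool
}

func NewCA(allowed map[string]bool) (*CA, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &CA{key: k, allowed: allowed}, err
}

// Enroll answers an identity-authentication request: only an equipment identifier
// found in the database gets a signed certificate; otherwise authentication fails.
func (ca *CA) Enroll(deviceID, identity string, pub *rsa.PublicKey) (c Cert, err error) {
	if !ca.allowed[deviceID] {
		return c, fmt.Errorf("authentication failure: unknown device %q", deviceID)
	}
	c = Cert{DeviceID: deviceID, Identity: identity, PubKey: pub}
	c.Sig, err = rsa.SignPSS(rand.Reader, ca.key, crypto.SHA256, certDigest(c), nil)
	return c, err
}

// VerifyCert checks a certificate with the CA public key.
func VerifyCert(caPub *rsa.PublicKey, c Cert) error {
	return rsa.VerifyPSS(caPub, crypto.SHA256, certDigest(c), c.Sig, nil)
}

func nonce() []byte {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand, treated as infallible in this example
	return b
}

// deriveKey turns the three random numbers into the negotiated session key.
func deriveKey(n1, n2, n3 []byte) []byte {
	h := sha256.Sum256(bytes.Join([][]byte{n1, n2, n3}, nil))
	return h[:]
}

// Handshake runs the switch<->controller exchange once both hold CA certificates and
// returns the session key as derived by the switch and, independently, by the controller.
func Handshake(caPub *rsa.PublicKey, swCert, ctrlCert Cert, ctrlPriv *rsa.PrivateKey) ([]byte, []byte, error) {
	n1 := nonce() // 1. switch -> controller: version, supported algorithms, n1
	n2 := nonce() // 2. controller -> switch: chosen algorithm, n2, controller cert
	// 3. switch verifies the controller cert with the CA key, then sends n3 encrypted to the controller's key plus its own cert
	if err := VerifyCert(caPub, ctrlCert); err != nil {
		return nil, nil, fmt.Errorf("switch rejects controller: %w", err)
	}
	n3 := nonce()
	encN3, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ctrlCert.PubKey, n3, nil)
	if err != nil {
		return nil, nil, err
	}
	// 4. controller verifies the switch cert, then decrypts n3 with its private key
	if err := VerifyCert(caPub, swCert); err != nil {
		return nil, nil, fmt.Errorf("controller rejects switch: %w", err)
	}
	n3Dec, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ctrlPriv, encN3, nil)
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(n1, n2, n3), deriveKey(n1, n2, n3Dec), nil
}

func main() {
	// constructed device database and identities, not taken from the patent
	ca, _ := NewCA(map[string]bool{"ctrl-01": true, "sw-01": true})
	ctrlKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	swKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ctrlCert, _ := ca.Enroll("ctrl-01", "sdn-controller", &ctrlKey.PublicKey)
	swCert, _ := ca.Enroll("sw-01", "sdn-switch", &swKey.PublicKey)
	k1, k2, err := Handshake(&ca.key.PublicKey, swCert, ctrlCert, ctrlKey)
	fmt.Println("handshake error:", err, "keys agree:", bytes.Equal(k1, k2))
}
```

The derived 32-byte key is what would feed the AES cipher from the patent's algorithm list; of the three names listed there, MD5 is a hash rather than a cipher and DES is obsolete, so AES is the only one a deployment should select.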
In a second aspect, the present application provides a network authentication attack prediction system, including: the system comprises a gateway server, a network intermediate trusted authority CA, at least one SDN controller, at least one SDN switch and a prediction server;
the gateway server acquires network flow data and identifies the type of a network according to network characteristics;
the gateway server collects data fragments in network flow, extracts usable attack vectors from the data fragments, and merges the received data fragments with local historical data fragments of the server;
the prediction server analyzes the merged data segments by using an analysis model, searches abnormal data segments possibly existing in the merged data segments, marks network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzes whether logic association exists among the abnormal data segments;
for a network node marked as an abnormal point and continuously evaluated as untrusted, the server analyzes historical access data of the network node, extracts one or more items of resources, application programs, action instructions, user types and service types accessed by the network node, finds a reason causing the network node to be abnormal and untrusted, and predicts whether the reason is improved in a future period of time;
analyzing other network nodes similar to the network node marked as an abnormal point and continuously evaluated as untrusted, and predicting whether those other network nodes will also be attacked; similarity means that they own the same resources, the same type of application programs, the same action instructions, or the same type of users or services;
when the network is identified to be the SDN network, issuing a control instruction to at least one controller and at least one switch, wherein the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the at least one controller and the at least one switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identifications of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identification, judges whether the at least one controller and the at least one switch are legal or not, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the at least one controller and the at least one switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the at least one controller and the at least one switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the at least one controller and the at least one switch send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch are successfully verified, the switch sends an encryption security connection request to the corresponding controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch perform encrypted communication on the established encrypted secure connection by using the negotiated encryption algorithm and key.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the digital signature certificate employs a hash operation.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the encryption algorithm includes any one of DES, MD5, and AES.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the network intermediary trusted authority CA may be any one of a certificate server, a key server, and a digital certificate server.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a network authentication attack prediction method of the present invention;
fig. 2 is an architecture diagram of the network authentication attack prediction system according to the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the present invention can be more easily understood by those skilled in the art and the scope of the present invention is more clearly defined.
Fig. 1 is a flowchart of a network authentication attack prediction method provided in the present application, where the method includes:
acquiring network flow data, and identifying the type of a network according to network characteristics;
collecting data fragments in network flow, extracting usable attack vectors from the data fragments, and merging the received data fragments with local historical data fragments of a server;
analyzing the merged data segments by using an analysis model, searching abnormal data segments possibly existing in the merged data segments, marking network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzing whether logic association exists among the plurality of abnormal data segments;
for a network node marked as an abnormal point and continuously evaluated as untrusted, the server analyzes historical access data of the network node, extracts one or more items of resources, application programs, action instructions, user types and service types accessed by the network node, finds a reason causing the network node to be abnormal and untrusted, and predicts whether the reason is improved in a future period of time;
analyzing other network nodes similar to the network node marked as an abnormal point and continuously evaluated as untrusted, and predicting whether those other network nodes will also be attacked; similarity means that they own the same resources, the same type of application programs, the same action instructions, or the same type of users or services;
when the network is identified to be the SDN network, a control instruction is issued to a controller and a switch, and the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the controller and the switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identification of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identifier, judges whether the controller and the switch are legal, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the controller and the switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the controller and the switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch are successfully verified, the switch sends an encryption security connection request to the controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch perform encrypted communication on the established encrypted secure connection by using the negotiated encryption algorithm and key.
In some preferred embodiments, the digitally signed certificate employs a hash operation.
In some preferred embodiments, the encryption algorithm comprises any one of DES, MD5, AES.
In some preferred embodiments, the network intermediary trusted authority CA may be any one of a certificate server, a key server, and a digital certificate server.
Fig. 2 is an architecture diagram of a network authentication attack prediction system provided in the present application, where the system includes: the system comprises a gateway server, a network intermediate trusted authority CA, at least one SDN controller, at least one SDN switch and a prediction server;
the gateway server acquires network flow data and identifies the type of a network according to network characteristics;
the gateway server collects data fragments in network flow, extracts usable attack vectors from the data fragments, and merges the received data fragments with local historical data fragments of the server;
the prediction server analyzes the merged data segments by using an analysis model, searches abnormal data segments possibly existing in the merged data segments, marks network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzes whether logic association exists among the abnormal data segments;
for a network node marked as an abnormal point and continuously evaluated as untrusted, the server analyzes historical access data of the network node, extracts one or more items of resources, application programs, action instructions, user types and service types accessed by the network node, finds a reason causing the network node to be abnormal and untrusted, and predicts whether the reason is improved in a future period of time;
analyzing other network nodes similar to the network node marked as an abnormal point and continuously evaluated as untrusted, and predicting whether those other network nodes will also be attacked; similarity means that they own the same resources, the same type of application programs, the same action instructions, or the same type of users or services;
when the network is identified to be the SDN network, issuing a control instruction to at least one controller and at least one switch, wherein the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the at least one controller and the at least one switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identifications of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identification, judges whether the at least one controller and the at least one switch are legal or not, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the at least one controller and the at least one switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the at least one controller and the at least one switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the at least one controller and the at least one switch send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch are successfully verified, the switch sends an encryption security connection request to the corresponding controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch perform encrypted communication on the established encrypted secure connection by using the negotiated encryption algorithm and key.
In some preferred embodiments, the digitally signed certificate employs a hash operation.
In some preferred embodiments, the encryption algorithm comprises any one of DES, MD5, AES.
In some preferred embodiments, the network intermediary trusted authority CA may be any one of a certificate server, a key server, and a digital certificate server.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.
Claims (8)
1. A network authentication attack prediction method, the method comprising:
acquiring network flow data, and identifying the type of a network according to network characteristics;
collecting data fragments in network flow, extracting usable attack vectors from the data fragments, and merging the received data fragments with local historical data fragments of a server;
analyzing the merged data segments by using an analysis model, searching abnormal data segments possibly existing in the merged data segments, marking network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzing whether logic association exists among the plurality of abnormal data segments;
for a network node marked as an abnormal point and continuously evaluated as untrusted, the server analyzes historical access data of the network node, extracts one or more items of resources, application programs, action instructions, user types and service types accessed by the network node, finds a reason causing the network node to be abnormal and untrusted, and predicts whether the reason is improved in a future period of time;
analyzing other network nodes similar to the network node marked as an abnormal point and continuously evaluated as untrusted, and predicting whether the other network nodes will also be attacked; similarity here means that the nodes own the same resources, the same type of application programs, the same action instructions, or the same type of users or services;
when the network is identified as an SDN network, issuing a control instruction to a controller and a switch, the control instruction carrying an identifier and an address of the network intermediary trusted authority CA;
the controller and the switch receive the control instruction and respectively send identity authentication requests to the network intermediary trusted authority CA, wherein the identity authentication requests carry the respective public keys, user identity information and equipment identifiers of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identifier, judges whether the controller and the switch are legal, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the controller and the switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the controller and the switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch are successfully verified, the switch sends an encryption security connection request to the controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch perform encrypted communication on the established encrypted secure connection by using the negotiated encryption algorithm and key.
2. The method of claim 1, wherein the digitally signed certificate employs a hash operation.
3. The method according to any of claims 1-2, wherein the encryption algorithm comprises any of DES, MD5, AES.
4. The method according to any one of claims 1 to 3, wherein the network intermediary trusted authority (CA) can be any one of a certificate server, a key server and a digital certificate server.
5. A network authentication attack prediction system, the system comprising: the system comprises a gateway server, a network intermediate trusted authority CA, at least one SDN controller, at least one SDN switch and a prediction server;
the gateway server acquires network flow data and identifies the type of a network according to network characteristics;
the gateway server collects data fragments in network flow, extracts usable attack vectors from the data fragments, and merges the received data fragments with local historical data fragments of the server;
the prediction server analyzes the merged data segments by using an analysis model, searches abnormal data segments possibly existing in the merged data segments, marks network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzes whether logic association exists among the abnormal data segments;
for a network node marked as an abnormal point and continuously evaluated as untrusted, the server analyzes historical access data of the network node, extracts one or more items of resources, application programs, action instructions, user types and service types accessed by the network node, finds a reason causing the network node to be abnormal and untrusted, and predicts whether the reason is improved in a future period of time;
analyzing other network nodes similar to the network node marked as an abnormal point and continuously evaluated as untrusted, and predicting whether the other network nodes will also be attacked; similarity here means that the nodes own the same resources, the same type of application programs, the same action instructions, or the same type of users or services;
when the network is identified as an SDN network, issuing a control instruction to at least one controller and at least one switch, wherein the control instruction carries an identifier and an address of the network intermediary trusted authority CA;
the at least one controller and the at least one switch receive the control instruction and respectively send identity authentication requests to the network intermediary trusted authority CA, wherein the identity authentication requests carry the respective public keys, user identity information and equipment identifiers of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identification, judges whether the at least one controller and the at least one switch are legal or not, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the at least one controller and the at least one switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the at least one controller and the at least one switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the at least one controller and the at least one switch send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch are successfully verified, the switch sends an encryption security connection request to the corresponding controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch perform encrypted communication on the established encrypted secure connection by using the negotiated encryption algorithm and key.
6. The system of claim 5, wherein the digitally signed certificate employs a hash operation.
7. The system according to any of claims 5-6, wherein the encryption algorithm comprises any of DES, MD5, AES.
8. The system according to any one of claims 5-7, wherein the network intermediary trusted authority CA can be any one of a certificate server, a key server, a digital certificate server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911135959.5A CN110808836A (en) | 2019-11-19 | 2019-11-19 | Network authentication attack prediction method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110808836A true CN110808836A (en) | 2020-02-18 |
Family
ID=69490546
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911135959.5A Pending CN110808836A (en) | 2019-11-19 | 2019-11-19 | Network authentication attack prediction method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110808836A (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111404947A (en) * | 2020-03-19 | 2020-07-10 | 李子钦 | Lightweight control channel communication protection method and system in OpenFlow network |
CN111866028A (en) * | 2020-08-10 | 2020-10-30 | 武汉思普崚技术有限公司 | Attack surface visualization method and system |
CN111917792A (en) * | 2020-08-10 | 2020-11-10 | 武汉思普崚技术有限公司 | Method and system for analyzing and mining flow safety |
CN111935143A (en) * | 2020-08-10 | 2020-11-13 | 武汉思普崚技术有限公司 | Method and system for visualizing attack defense strategy |
CN112003840A (en) * | 2020-08-10 | 2020-11-27 | 武汉思普崚技术有限公司 | Vulnerability detection method and system based on attack surface |
CN113472724A (en) * | 2020-03-31 | 2021-10-01 | 中国联合网络通信集团有限公司 | Network authentication method, equipment and system |
CN114785532A (en) * | 2022-06-22 | 2022-07-22 | 广州万协通信息技术有限公司 | Security chip communication method and device based on bidirectional signature authentication |
CN114826721A (en) * | 2022-04-19 | 2022-07-29 | 广东工业大学 | Method for detecting man-in-the-middle attack in SDN network |
CN116827688A (en) * | 2023-08-28 | 2023-09-29 | 北京安天网络安全技术有限公司 | Equipment safety protection method, device, equipment and medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107919956A (en) * | 2018-01-04 | 2018-04-17 | 重庆邮电大学 | End-to-end method for protecting under a kind of internet of things oriented cloud environment |
CN109309565A (en) * | 2017-07-28 | 2019-02-05 | 中国移动通信有限公司研究院 | A kind of method and device of safety certification |
CN110365674A (en) * | 2019-07-11 | 2019-10-22 | 武汉思普崚技术有限公司 | A kind of method, server and system for predicting network attack face |
Non-Patent Citations (1)
Title |
---|
孟庆月: "《SDN网络南向安全防护系统研究与实现》", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200218 |