CN110839036B - Attack detection method and system for SDN (software defined network) - Google Patents


Info

Publication number
CN110839036B
Authority
CN
China
Prior art keywords
controller
switch
network
trusted authority
digital signature
Legal status
Active
Application number
CN201911136044.6A
Other languages
Chinese (zh)
Other versions
CN110839036A (en)
Inventor
段彬
Current Assignee
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd

Classifications

All entries lie under H (ELECTRICITY) > H04 (ELECTRIC COMMUNICATION TECHNIQUE) > H04L (TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION) > H04L63/00 (Network architectures or network communication protocols for network security):

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 detecting or protecting against malicious traffic, H04L63/1408 by monitoring network traffic)
    • H04L63/045 Confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption (under H04L63/04, H04L63/0428)
    • H04L63/06 Supporting key management in a packet data network
    • H04L63/0823 Authentication of entities using certificates (under H04L63/08)
    • H04L63/0853 Authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal (under H04L63/08)
    • H04L63/0869 Authentication of entities for achieving mutual authentication (under H04L63/08)
    • H04L63/1433 Vulnerability analysis (under H04L63/14)

Abstract

The invention provides an attack detection method and system for an SDN (software defined network), characterized in that a secure encrypted channel is established between the controller and the switch; a trusted authority CA (certificate authority) is added to authenticate and sign the controller and the switch, so that bidirectional authentication between the controller and the switch is achieved; key negotiation is performed between the controller and the switch, so that SDN vulnerabilities are remedied in a targeted manner; and a plurality of key parameters are obtained by aggregating the feature vectors of the network flow data, which better helps the system detect attacks.

Description

Attack detection method and system for SDN (software defined network)
Technical Field
The present application relates to the field of network security technologies, and in particular, to an attack detection method and system for an SDN network.
Background
In existing SDN deployments, establishing a TLS secure channel between the controller and the switch is not mandatory and is disabled by default. This leaves the network vulnerable: the controller and the switch may communicate in clear text, so any third party can intercept or modify the content exchanged by the two parties, and the link is easily subjected to a man-in-the-middle attack. Because no certificate-based authentication takes place between the controller and the switch, an attacker can easily intercept the requests the controller sends to the switch, pose as the controller in its communication with the switch, and thereby obtain the entire content of the communication between the switch and the controller.
Meanwhile, how to better detect network attacks in an SDN network system is also a current focus of attention.
Therefore, a security authentication method and system that remedy SDN network vulnerabilities are urgently needed.
Disclosure of Invention
The invention aims to provide an attack detection method and system for an SDN network, in which a secure encrypted channel is established between the controller and the switch; a trusted authority CA (certificate authority) is added to authenticate and sign the controller and the switch, so that bidirectional authentication between the controller and the switch is achieved; key negotiation is performed between the controller and the switch, so that SDN network vulnerabilities are remedied in a targeted manner; and a plurality of key parameters are obtained by aggregating the feature vectors of the network flow data, which better helps the system detect attacks.
In a first aspect, the present application provides an attack detection method for an SDN network, where the method includes:
acquiring network flow data, and identifying the type of a network according to network characteristics;
collecting flow statistic information by using an OpenFlow protocol, analyzing and extracting a feature vector in network flow data, and aggregating one or more of flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio by using the feature vector;
inputting the feature vector and one or more information of the aggregated flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio into a convolutional neural network model for attack detection analysis;
when the network is identified to be the SDN network, a control instruction is issued to a controller and a switch, and the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the controller and the switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identification of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identifier, judges whether the controller and the switch are legal, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the controller and the switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the controller and the switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch are successfully verified, the switch sends an encryption security connection request to the controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch carry out encryption communication on the established encryption security connection by using the negotiated encryption algorithm and key;
the attack detection analysis result shows whether the host is attacked or not and the specific positions of other hosts communicating with the attacked host.
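The statistics-collection and aggregation steps above name six parameters (flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio) but leave their exact definitions open. The Go program below is an added example written for this page, not code from the patent or its assignee, and it fixes one concrete reading as an assumption: each parameter is computed over a statistics window of fixed length; the mean and standard deviations are taken over the per-entry packet counts and durations reported in an OpenFlow flow-statistics reply; and the one-way ratio is the fraction of flow entries for which no entry in the opposite direction exists in the same window. The FlowStat and Features types, the window length and the sample records are all constructed for the example; the Features value is what would be handed on to the convolutional neural network.

```go
package main

import (
	"fmt"
	"math"
)

// FlowStat is one per-flow-entry record of the kind an OpenFlow flow-statistics reply
// carries (match fields, packet and byte counters, duration). Field names are this
// example's own.
type FlowStat struct {
	SrcIP, DstIP string
	Packets      float64
	Bytes        float64
	Duration     float64 // seconds the entry has been installed
}

// Features are the aggregated parameters listed in the steps above, computed over one
// statistics window of windowSec seconds.
type Features struct {
	FlowEntryRate float64 // flow entries observed per second
	PacketRate    float64 // packets per second summed over all entries
	PacketMean    float64 // mean packets per flow entry
	DurationStd   float64 // population standard deviation of entry durations
	PacketStd     float64 // population standard deviation of packets per entry
	OneWayRatio   float64 // fraction of entries with no reverse (dst->src) entry
}

// meanStd returns the mean and population standard deviation of xs.
func meanStd(xs []float64) (mean, std float64) {
	if len(xs) == 0 {
		return 0, 0
	}
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	for _, x := range xs {
		std += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(std / float64(len(xs)))
}

// Aggregate turns one window of flow records into the feature set. An empty window or a
// non-positive window length yields all-zero features rather than a division by zero.
func Aggregate(flows []FlowStat, windowSec float64) Features {
	var f Features
	if len(flows) == 0 || windowSec <= 0 {
		return f
	}
	seen := make(map[[2]string]bool, len(flows))
	pkts := make([]float64, 0, len(flows))
	durs := make([]float64, 0, len(flows))
	var total float64
	for _, fl := range flows {
		seen[[2]string{fl.SrcIP, fl.DstIP}] = true
		pkts = append(pkts, fl.Packets)
		durs = append(durs, fl.Duration)
		total += fl.Packets
	}
	oneWay := 0
	for _, fl := range flows {
		if !seen[[2]string{fl.DstIP, fl.SrcIP}] {
			oneWay++
		}
	}
	n := float64(len(flows))
	f.FlowEntryRate = n / windowSec
	f.PacketRate = total / windowSec
	f.PacketMean, f.PacketStd = meanStd(pkts)
	_, f.DurationStd = meanStd(durs)
	f.OneWayRatio = float64(oneWay) / n
	return f
}

// SampleWindow is a constructed 5-second window: one bidirectional exchange between
// 10.0.0.1 and 10.0.0.2 plus two single-packet flows toward 10.0.0.2 that never get a
// reply, the pattern a flood of spoofed sources leaves in the flow table.
func SampleWindow() ([]FlowStat, float64) {
	return []FlowStat{
		{"10.0.0.1", "10.0.0.2", 10, 8000, 2.0},
		{"10.0.0.2", "10.0.0.1", 8, 6400, 2.0},
		{"10.0.0.3", "10.0.0.2", 1, 60, 0.5},
		{"10.0.0.4", "10.0.0.2", 1, 60, 0.5},
	}, 5.0
}

func main() {
	flows, win := SampleWindow()
	fmt.Printf("%+v\n", Aggregate(flows, win))
}
```

On the sample window the two unanswered single-packet flows push the one-way ratio to 0.5 and pull the packet mean down while the packet standard deviation stays high; those are the shifts a flood of short spoofed flows produces, which is why the parameters are worth feeding to a classifier alongside the raw feature vector. Population rather than sample standard deviation is used because a window is treated as the whole population of entries observed in it; either choice works as long as training and inference agree.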
With reference to the first aspect, in a first possible implementation manner of the first aspect, the digital signature certificate employs a hash operation.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the encryption algorithm includes any one of DES, MD5, and AES.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the network intermediary trusted authority CA may be any one of a certificate server, a key server, and a digital certificate server.
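The certificate issuance, mutual verification and key-agreement steps above, together with the hash operation of the first implementation manner, are shown end to end in the following Go program. It is an added example written for this page, not the patent's own code, and it makes these assumptions: the CA's "plaintext message plus digital signature" is modelled as a record binding an equipment identifier to a DER-encoded RSA public key, signed with PKCS#1 v1.5 over SHA-256; the third random number is encrypted with RSA-OAEP; the session key is SHA-256 over the three random numbers; and the negotiated cipher is AES-256-GCM. Of the algorithms the page lists, only AES would be used for the channel here, since MD5 is a hash function rather than a cipher and DES is no longer considered adequate. The example follows the page's four messages exactly, so only the controller's private key is exercised during the handshake; the switch's own private key is never used in these messages. The Scenario function therefore checks the guarantees the steps do give: the CA refuses an identifier absent from its database, a certificate signed by any key other than the trusted CA's is rejected, and both sides derive the same key when everything checks out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Cert is the "plaintext message plus CA signature" the trusted authority returns: the
// plaintext binds an equipment identifier to a public key (layout constructed for this example).
type Cert struct {
	DeviceID string
	PubKey   []byte // PKIX/DER encoding of the device's RSA public key
	Sig      []byte // CA signature (PKCS#1 v1.5) over SHA-256(DeviceID || 0x00 || PubKey)
}

// CA is the trusted authority: a signing key and the database of registered identifiers.
type CA struct {
	Key *rsa.PrivateKey
	DB  map[string]bool
}

// Issue answers an identity-authentication request; unregistered identifiers are refused.
func (ca *CA) Issue(id string, pub *rsa.PublicKey) (*Cert, error) {
	if !ca.DB[id] {
		return nil, fmt.Errorf("authentication failure: %q not registered", id)
	}
	der, _ := x509.MarshalPKIXPublicKey(pub)              // cannot fail for a well-formed RSA key
	d := sha256.Sum256(append([]byte(id+"\x00"), der...)) // the hash operation the signature covers
	sig, err := rsa.SignPKCS1v15(rand.Reader, ca.Key, crypto.SHA256, d[:])
	if err != nil {
		return nil, err
	}
	return &Cert{DeviceID: id, PubKey: der, Sig: sig}, nil
}

// Verify checks the CA signature first and only then returns the embedded device key.
func (c *Cert) Verify(caPub *rsa.PublicKey) (*rsa.PublicKey, error) {
	d := sha256.Sum256(append([]byte(c.DeviceID+"\x00"), c.PubKey...))
	if rsa.VerifyPKCS1v15(caPub, crypto.SHA256, d[:], c.Sig) != nil {
		return nil, fmt.Errorf("certificate for %q not signed by the trusted CA", c.DeviceID)
	}
	k, _ := x509.ParsePKIXPublicKey(c.PubKey) // signature verified, so this is DER the CA produced
	return k.(*rsa.PublicKey), nil
}

func nonce() []byte { b := make([]byte, 32); rand.Read(b); return b } // 32 fresh random bytes

// sessionKey derives the AES-256 key both sides use once r3 has been shared.
func sessionKey(r1, r2, r3 []byte) [32]byte {
	return sha256.Sum256(append(append(append([]byte{}, r1...), r2...), r3...))
}

// Handshake runs the four messages and returns the key each side derived so the caller can check they agree.
func Handshake(swCert *Cert, ctrlKey *rsa.PrivateKey, ctrlCert *Cert, caPub *rsa.PublicKey) (sw, ctrl [32]byte, err error) {
	r1 := nonce()                          // 1. switch -> controller: version, supported cipher (AES-256-GCM here), r1
	r2 := nonce()                          // 2. controller -> switch: chosen cipher, r2, controller certificate
	ctrlPub, err := ctrlCert.Verify(caPub) // 3. switch checks the controller certificate ...
	if err != nil {
		return sw, ctrl, fmt.Errorf("switch: %w", err)
	}
	r3 := nonce()                                                             // ... then sends r3 encrypted to the controller's key, plus its own certificate
	encR3, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, ctrlPub, r3, nil) // 32 bytes always fit a 2048-bit key
	if _, err = swCert.Verify(caPub); err != nil {                            // 4. controller checks the switch certificate ...
		return sw, ctrl, fmt.Errorf("controller: %w", err)
	}
	gotR3, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ctrlKey, encR3, nil) // ... and recovers r3
	if err != nil {
		return sw, ctrl, err
	}
	return sessionKey(r1, r2, r3), sessionKey(r1, r2, gotR3), nil
}

// Scenario enrols a controller and a switch, runs the handshake and reports whether the keys agree,
// whether the CA refuses an unregistered identifier, and whether a certificate from another CA is rejected.
func Scenario() (keysAgree, unregisteredRefused, otherCARejected bool, err error) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	ca := &CA{Key: gen(), DB: map[string]bool{"ctrl-01": true, "sw-01": true}}
	ctrlKey, swKey := gen(), gen()
	ctrlCert, err := ca.Issue("ctrl-01", &ctrlKey.PublicKey)
	swCert, err2 := ca.Issue("sw-01", &swKey.PublicKey)
	if err != nil || err2 != nil {
		return false, false, false, fmt.Errorf("enrolment failed: %v / %v", err, err2)
	}
	k1, k2, err := Handshake(swCert, ctrlKey, ctrlCert, &ca.Key.PublicKey)
	keysAgree = err == nil && k1 == k2
	_, e := ca.Issue("sw-99", &swKey.PublicKey) // identifier absent from the database
	unregisteredRefused = e != nil
	other := &CA{Key: gen(), DB: ca.DB} // same database, but not the network's trusted CA
	fakeCert, _ := other.Issue("sw-01", &swKey.PublicKey)
	_, _, e = Handshake(fakeCert, ctrlKey, ctrlCert, &ca.Key.PublicKey)
	otherCARejected = e != nil
	return
}
```

Each peer verifies the other's certificate against the CA public key before it uses anything inside that certificate, which is the property that closes the clear-text and impersonation problems described in the background: a controller certificate signed by anyone other than the trusted CA fails at step 3, and a switch certificate signed by anyone else fails at step 4, before the third random number is decrypted. The session key mixes all three random numbers so that neither side alone chooses it.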
In a second aspect, the present application provides an attack detection system for an SDN network, the system including: the system comprises a gateway server, an analysis server, a trusted authority CA in the middle of a network, at least one SDN controller and at least one SDN switch;
the gateway server acquires network flow data and identifies the type of a network according to network characteristics;
the analysis server collects flow statistic information by using an OpenFlow protocol, analyzes and extracts feature vectors in network flow data, and aggregates one or more of flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio by using the feature vectors;
inputting the feature vector and one or more information of the aggregated flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio into a convolutional neural network model for attack detection analysis;
when the network is identified to be the SDN network, issuing a control instruction to at least one controller and at least one switch, wherein the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the at least one controller and the at least one switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identifications of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identification, judges whether the at least one controller and the at least one switch are legal or not, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the at least one controller and the at least one switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the at least one controller and the at least one switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the at least one controller and the at least one switch send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch are successfully verified, the switch sends an encryption security connection request to the corresponding controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch carry out encryption communication on the established encryption security connection by using the negotiated encryption algorithm and key;
the attack detection analysis result shows whether the host is attacked or not and the specific positions of other hosts communicating with the attacked host.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the digital signature certificate employs a hash operation.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the encryption algorithm includes any one of DES, MD5, and AES.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the network intermediary trusted authority CA may be any one of a certificate server, a key server, and a digital certificate server.
The invention provides an attack detection method and system for an SDN (software defined network), characterized in that a secure encrypted channel is established between the controller and the switch; a trusted authority CA (certificate authority) is added to authenticate and sign the controller and the switch, so that bidirectional authentication between the controller and the switch is achieved; key negotiation is performed between the controller and the switch, so that SDN vulnerabilities are remedied in a targeted manner; and a plurality of key parameters are obtained by aggregating the feature vectors of the network flow data, which better helps the system detect attacks.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of an attack detection method for an SDN network according to the present invention;
fig. 2 is an architecture diagram of an attack detection system of an SDN network according to the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings, so that the advantages and features of the present invention can be more easily understood by those skilled in the art and the scope of the present invention can be more clearly defined.
Fig. 1 is a flowchart of an attack detection method for an SDN network provided in the present application, where the method includes:
acquiring network flow data, and identifying the type of a network according to network characteristics;
collecting flow statistic information by using an OpenFlow protocol, analyzing and extracting a feature vector in network flow data, and aggregating one or more of flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio by using the feature vector;
inputting the feature vector and one or more information of the aggregated flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio into a convolutional neural network model for attack detection analysis;
when the network is identified to be the SDN network, a control instruction is issued to a controller and a switch, and the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the controller and the switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identification of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identifier, judges whether the controller and the switch are legal, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the controller and the switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the controller and the switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch are successfully verified, the switch sends an encryption security connection request to the controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch carry out encryption communication on the established encryption security connection by using the negotiated encryption algorithm and key;
the attack detection analysis result shows whether the host is attacked or not and the specific positions of other hosts communicating with the attacked host.
In some preferred embodiments, the digitally signed certificate employs a hash operation.
In some preferred embodiments, the encryption algorithm comprises any one of DES, MD5, AES.
In some preferred embodiments, the network intermediary trusted authority CA may be any one of a certificate server, a key server, and a digital certificate server.
Fig. 2 is an architecture diagram of an attack detection system of an SDN network provided in the present application, where the system includes: the system comprises a gateway server, an analysis server, a trusted authority CA in the middle of a network, at least one SDN controller and at least one SDN switch;
the gateway server acquires network flow data and identifies the type of a network according to network characteristics;
the analysis server collects flow statistic information by using an OpenFlow protocol, analyzes and extracts feature vectors in network flow data, and aggregates one or more of flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio by using the feature vectors;
inputting the feature vector and one or more information of the aggregated flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio into a convolutional neural network model for attack detection analysis;
when the network is identified to be the SDN network, issuing a control instruction to at least one controller and at least one switch, wherein the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the at least one controller and the at least one switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identifications of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identification, judges whether the at least one controller and the at least one switch are legal or not, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the at least one controller and the at least one switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the at least one controller and the at least one switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the at least one controller and the at least one switch send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch are successfully verified, the switch sends an encryption security connection request to the corresponding controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting the third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch carry out encryption communication on the established encryption security connection by using the negotiated encryption algorithm and key;
the attack detection analysis result shows whether the host is attacked or not and the specific positions of other hosts communicating with the attacked host.
In some preferred embodiments, the digitally signed certificate employs a hash operation.
In some preferred embodiments, the encryption algorithm comprises any one of DES, MD5, AES.
In some preferred embodiments, the network intermediary trusted authority CA may be any one of a certificate server, a key server, and a digital certificate server.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (8)

1. An attack detection method for an SDN network, the method comprising:
acquiring network flow data, and identifying the type of a network according to network characteristics;
collecting flow statistic information by using an OpenFlow protocol, analyzing and extracting a feature vector in network flow data, and aggregating one or more of flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio by using the feature vector;
inputting the feature vector and one or more information of the aggregated flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio into a convolutional neural network model for attack detection analysis;
when the network is identified to be the SDN network, a control instruction is issued to a controller and a switch, and the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the controller and the switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identification of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identifier, judges whether the controller and the switch are legal, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the controller and the switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the controller and the switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the controller and the switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the controller and the switch send a notice of authentication error to the trusted authority CA;
after the controller and the switch are successfully verified, the switch sends an encryption security connection request to the controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting a third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch carry out encryption communication on the established encryption security connection by using the negotiated encryption algorithm and key;
the results of the attack detection analysis show whether a host is attacked and the specific locations of other hosts communicating with the attacked host.
2. The method of claim 1, wherein the digitally signed certificate employs a hash operation.
3. The method according to any of claims 1-2, wherein the encryption algorithm comprises any of DES, MD5, AES.
4. The method according to any one of claims 1 to 3, wherein the network intermediary trusted authority (CA) can be any one of a certificate server, a key server and a digital certificate server.
5. An attack detection system for an SDN network, the system comprising: the system comprises a gateway server, an analysis server, a trusted authority CA in the middle of a network, at least one SDN controller and at least one SDN switch;
the gateway server acquires network flow data and identifies the type of a network according to network characteristics;
the analysis server collects flow statistic information by using an OpenFlow protocol, analyzes and extracts feature vectors in network flow data, and aggregates one or more of flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio by using the feature vectors;
inputting the feature vector and one or more information of the aggregated flow entry transmission rate, data packet transmission rate, data packet mean value, duration standard deviation, data packet standard deviation and one-way flow table ratio into a convolutional neural network model for attack detection analysis;
when the network is identified to be the SDN network, issuing a control instruction to at least one controller and at least one switch, wherein the control instruction carries an identifier and an address of a trusted authority CA in the middle of the network;
the at least one controller and the at least one switch receive the control instruction and respectively send identity authentication requests to a trusted authority CA in the middle of the network, wherein the identity authentication requests carry respective public keys, user identity information and equipment identifications of the controller and the switch;
the trusted authority CA receives the identity authentication request, queries a database according to the equipment identification, judges whether the at least one controller and the at least one switch are legal or not, and returns a plaintext message and a digital signature certificate of the plaintext message by using a CA private key to the at least one controller and the at least one switch if the judgment result is legal; if the judgment result is illegal, the trusted authority CA returns a notice of authentication failure;
the at least one controller and the at least one switch receive the digital signature certificate sent by the trusted authority CA, the public key of the trusted authority CA is used for verifying the digital signature certificate, and if the verification is successful, the at least one controller and the at least one switch replace the digital signature certificate with respective identity information; if the verification is unsuccessful, the at least one controller and the at least one switch send a notification of authentication error to the trusted authority CA;
after the at least one controller and the at least one switch are successfully verified, the switch sends an encryption security connection request to the corresponding controller, wherein the encryption security connection request carries version information, a supported encryption algorithm and a first random number;
after receiving the encryption security connection request, the controller returns a response message to the switch, wherein the response message comprises a confirmed encryption algorithm, a randomly generated second random number and a digital signature certificate of the controller;
after the switch receives the response message, the switch verifies the digital signature certificate of the controller by using the public key of the trusted authority CA, if the verification is successful, a third random number is generated, the public key of the controller is used for encrypting the third random number, and the third random number and the digital signature certificate of the switch are sent to the controller;
after the controller receives the message sent by the switch, the public key of the trusted authority CA is used for verifying the digital signature certificate of the switch, if the verification is successful, the private key of the controller is used for decrypting a third random number ciphertext in the message, and the key agreement between the controller and the switch is completed;
the controller and the switch carry out encryption communication on the established encryption security connection by using the negotiated encryption algorithm and key;
the results of the attack detection analysis show whether a host is attacked and the specific locations of other hosts communicating with the attacked host.
6. The system of claim 5, wherein the digitally signed certificate employs a hash operation.
7. The system according to any of claims 5-6, wherein the encryption algorithm comprises any of DES, MD5, AES.
8. The system according to any one of claims 5-7, wherein the network intermediary trusted authority CA can be any one of a certificate server, a key server, a digital certificate server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911136044.6A CN110839036B (en) 2019-11-19 2019-11-19 Attack detection method and system for SDN (software defined network)

Publications (2)

Publication Number Publication Date
CN110839036A CN110839036A (en) 2020-02-25
CN110839036B true CN110839036B (en) 2021-09-03

Family

ID=69576698

Country Status (1)

Country Link
CN (1) CN110839036B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431889B (en) * 2020-03-19 2023-08-08 李子钦 Communication protection method for lightweight control channel in OpenFlow network
CN113709191B (en) * 2021-10-27 2022-02-15 之江实验室 Method for safely adjusting deterministic time delay
CN117376039A (en) * 2023-12-08 2024-01-09 四川科朗新创建设有限公司 Encryption method, system, equipment and medium of SD-WAN communication system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428771A (en) * 2013-09-05 2013-12-04 迈普通信技术股份有限公司 Communication method, software defined network SDN switch and communication system
CN105119911A (en) * 2015-07-28 2015-12-02 上海斐讯数据通信技术有限公司 Safety authentication method and system based on SDN flow
CN106209897A (en) * 2016-07-28 2016-12-07 重庆邮电大学 Proxy-based secure communication method for distributed multi-granularity controllers in a software defined network
CN107517183A (en) * 2016-06-15 2017-12-26 华为技术有限公司 Method and apparatus for detecting encrypted content
WO2018049646A1 (en) * 2016-09-18 2018-03-22 Nokia Shanghai Bell Co., Ltd. Unified security architecture
CN108377495A (en) * 2016-10-31 2018-08-07 华为技术有限公司 Data transmission method, related device and system
CN109391650A (en) * 2017-08-04 2019-02-26 华为技术有限公司 Method and device for establishing a session

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10666639B2 (en) * 2016-05-20 2020-05-26 Avaya, Inc. Customer-centric workflow for initial on-boarding of an OpenFlow enabled switch

Also Published As

Publication number Publication date
CN110839036A (en) 2020-02-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant