CN111131169A - A Dynamic ID Hiding Method for Switching Networks - Google Patents
A Dynamic ID Hiding Method for Switching Networks Download PDFInfo
- Publication number
- CN111131169A CN111131169A CN201911208371.8A CN201911208371A CN111131169A CN 111131169 A CN111131169 A CN 111131169A CN 201911208371 A CN201911208371 A CN 201911208371A CN 111131169 A CN111131169 A CN 111131169A
- Authority
- CN
- China
- Prior art keywords
- internal
- external network
- network
- hidden
- dynamic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 27
- 238000013507 mapping Methods 0.000 claims abstract description 33
- 230000009466 transformation Effects 0.000 claims abstract description 7
- 230000000737 periodic effect Effects 0.000 claims description 4
- 238000005336 cracking Methods 0.000 abstract description 3
- 230000008859 change Effects 0.000 abstract description 2
- 230000007123 defense Effects 0.000 abstract 1
- 230000008685 targeting Effects 0.000 abstract 1
- 238000006243 chemical reaction Methods 0.000 description 4
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 206010033799 Paralysis Diseases 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000010485 coping Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0414—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
本发明属于交换网络安全技术领域,公开一种面向交换网络的动态ID隐藏方法,包括:步骤1:设置交换设备端口的内外网属性,建立端口内外网属性表;步骤2:构建隐藏ID池;步骤3:设置内外网ID隐藏表;步骤4:动态调整ID映射算法。本发明针对特定ID的普通类型攻击,攻击者无法通过扫描用户的ID达到攻击用户的目的,比如DDos攻击等;针对特定ID的APT攻击,本发明可以动态的变换内外网ID映射关系,理论上,只要动态ID变换周期小于攻击者破解周期,就可以避免该类攻击;该方法采用软件构建隐藏ID池,硬件实现隐藏表,并通过随机动态调度隐藏ID池的方式实现了动态ID变换,可以防御针对用户ID的攻击手段。
The invention belongs to the technical field of switching network security, and discloses a dynamic ID hiding method oriented to switching networks. Step 3: Set the ID hidden table of the internal and external networks; Step 4: Dynamically adjust the ID mapping algorithm. The present invention is aimed at common types of attacks with specific IDs, and attackers cannot achieve the purpose of attacking users by scanning user IDs, such as DDos attacks, etc.; for APT attacks with specific IDs, the present invention can dynamically change the mapping relationship between internal and external network IDs, theoretically , as long as the dynamic ID transformation period is less than the attacker's cracking period, this type of attack can be avoided; this method uses software to build a hidden ID pool, hardware implements a hidden table, and realizes dynamic ID transformation by randomly and dynamically scheduling the hidden ID pool. Defense against attacks targeting user IDs.
Description
Technical Field
The invention belongs to the technical field of switched network security, and particularly relates to a switched network-oriented dynamic ID hiding method.
Background
With the rapid development of the internet, network security is becoming a focus of attention, and especially in a switching network, ID information is one of the sensitive information that is most concerned by an attacker. An attacker can easily obtain ID information of a specific user by means of sniffing or the like. Once the attacker acquires the ID information of the data packet, further APT attacks (lisv, lischev, wang surpass. typical APT attack event case analysis [ J ] information network security (s 1)) may be performed, such as stealing information of a specific user by disguising means, or launching a DDoS attack (xumada. DDoS attack principle and coping strategy [ J ] information network security (5): 48-50.) against the specific user, thereby causing system paralysis of the target user. Therefore, in the switching network, how to transmit the ID securely becomes one of the research hotspots.
The current ID protection measures mainly include the following ways: 1. the ID protection is performed on the endpoint device, that is, the ID is directly protected on the source, for example, data transmission is performed by using an encryption protocol or the ID is encrypted separately, the method is simple and feasible, but each user accessing the switching network needs to deploy an ID protection measure, which increases the cost of the user; 2. in the switching network, the ID hiding function is completed by handing the data packet to the control management layer, for example, the data packet requiring ID hiding is sent to the processor, and the processor completes the operations such as ID conversion and the like and then sends the data packet to the forwarding device. Therefore, in order to eliminate such an influence, it is necessary to propose a protection technique that can be deployed in a switching network, does not affect forwarding performance, and can protect a specific user ID. The patent provides a dynamic ID hiding method facing a switching network from the ID protection requirement of the switching network.
Disclosure of Invention
The invention provides a switching network-oriented dynamic ID hiding method aiming at the problems of high cost and influence on the performance of forwarding equipment in the existing ID protection method of the switching network.
In order to achieve the purpose, the invention adopts the following technical scheme:
a switching network-oriented dynamic ID hiding method comprises the following steps:
step 1: setting internal and external network attributes of a port of the switching equipment, and establishing a port internal and external network attribute table to make ID of user data passing through an internal network attribute port, namely, internal network ID, be private ID, and make ID of user data passing through an external network attribute port, namely, external network ID, be public ID;
step 2: constructing a hidden ID pool;
and step 3: setting an internal and external network ID hidden table;
and 4, step 4: the ID mapping algorithm is dynamically adjusted.
Further, the step 2 comprises:
performing logical operation on the intranet ID and the random value, and performing hash operation mapping by taking the intranet ID as input to obtain an output as an extranet ID, wherein the mapping meets the requirements of A-type, B-type or C-type subnet division of the extranet;
and each intranet ID needs to map a plurality of extranet IDs, an internal ID group and an external ID group obtained by operation are stored to form a hidden ID pool, and for each intranet ID, an extranet ID corresponding to the intranet ID is randomly selected to form an internal and external ID pair for configuration of an internal and external ID hidden table.
Further, the step 3 comprises:
configuring an internal and external network ID hidden table according to the internal and external network mapping relation provided by the hidden ID pool, and associating the internal and external network ID hidden table with a routing forwarding table:
checking the internal and external network attributes of the port through the internal and external network attribute table of the port;
if the user data is the user data sent by the internal network to the external network, replacing the source ID of the data in the route forwarding table by the external network ID in the internal and external network ID hidden table, and then carrying out route forwarding search;
if the user data is the user data sent to the intranet by the extranet, firstly carrying out route searching, and then replacing the destination ID of the data in the route forwarding table by the intranet ID in the intranet ID hidden table;
and if the user data is forwarded between the internal networks or between the external networks, directly carrying out route forwarding search.
Further, the step 4 comprises:
and (4) carrying out periodic internal and external network ID mapping transformation according to the mapping method in the step (2).
Compared with the prior art, the invention has the following beneficial effects:
the invention relates to a switching network-oriented dynamic ID hiding method, which achieves ID protection of user data forwarded by switching equipment by setting internal and external network attributes of a port of the switching equipment, constructing a hidden ID pool, setting an internal and external network ID hiding table and periodically and dynamically adjusting ID mapping. Has the following advantages:
aiming at common type attack of specific ID, an attacker can not achieve the purpose of attacking the user by scanning the ID of the user, such as DDos attack and the like;
aiming at the APT attack of a specific ID, an attacker possibly obtains the ID of an external network of the specific user within a certain time and carries out subsequent attack aiming at the corresponding ID of the internal network, but the dynamic ID hiding method provided by the invention can dynamically transform the mapping relation of the ID of the internal network and the ID of the external network, and theoretically, the attack can be avoided as long as the dynamic ID transformation period is less than the cracking period of the attacker.
The method adopts software to construct a hidden ID pool, hardware to realize a hidden table, and realizes dynamic ID conversion by randomly and dynamically scheduling the hidden ID pool, and the method can defend an attack means aiming at the user ID.
Drawings
Fig. 1 is a basic flowchart of a switching network-oriented dynamic ID hiding method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a location of a dynamic ID hidden in a system according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
example 1:
as shown in fig. 1, a method for hiding a dynamic ID facing a switching network includes:
step S101: setting internal and external network attributes of a port of the switching equipment, and establishing a port internal and external network attribute table to make ID of user data passing through an internal network attribute port, namely, internal network ID, be private ID, and make ID of user data passing through an external network attribute port, namely, external network ID, be public ID;
according to application requirements, internal and external network attribute setting is carried out on the switch port, namely, the switch port is set as an internal network attribute (internal network) port or an external network attribute (external network) port. The ID of the user data passing through the intranet attribute port, namely the intranet ID, is a private ID and is internally visible, namely only an intranet user is visible; the ID of the user data passing through the attribute port of the external network, namely the ID of the external network, is a public ID and is externally visible, namely all external network users and attackers can see the user data.
Step S102: constructing a hidden ID pool;
specifically, the step S102 includes:
performing logical operation on the intranet ID and the random value, and performing hash operation mapping by taking the intranet ID as input to obtain an output as an extranet ID, wherein the mapping meets the requirements of A-type, B-type or C-type subnet division of the extranet;
and each intranet ID needs to map a plurality of extranet IDs, an internal ID group and an external ID group obtained by operation are stored to form a hidden ID pool, and for each intranet ID, an extranet ID corresponding to the intranet ID is randomly selected to form an internal and external ID pair for configuration of an internal and external ID hidden table.
Step S103: setting an internal and external network ID hidden table;
specifically, the step S103 includes:
configuring an internal and external network ID hidden table according to the internal and external network mapping relation provided by the hidden ID pool, and associating the internal and external network ID hidden table with a routing forwarding table:
checking the internal and external network attributes of the port through the internal and external network attribute table of the port;
if the user data is the user data sent by the internal network to the external network, replacing the source ID of the data in the route forwarding table by the external network ID in the internal and external network ID hidden table, and then carrying out route forwarding search;
if the user data is the user data sent to the intranet by the extranet, firstly carrying out route searching, and then replacing the destination ID of the data in the route forwarding table by the intranet ID in the intranet ID hidden table;
and if the user data is forwarded between the internal networks or between the external networks, directly carrying out route forwarding search.
Step S104: the ID mapping algorithm is dynamically adjusted.
Specifically, the step S104 includes:
and performing periodic internal and external network ID mapping transformation according to the mapping method in the step S102, and increasing the dynamic property of mapping so as to ensure the dynamic property of user ID hiding.
It should be noted that, in this embodiment, the ID may be an IP address or a MAC address, so the hidden ID pool may also be referred to as a hidden address pool.
As a specific implementable manner, as shown in fig. 2, the dynamic ID is hidden in a position in the switching network system, and the key module includes: a dynamic ID mapping algorithm, a hidden ID pool, a port internal and external network attribute table and an internal and external network ID hidden table. The dynamic ID mapping algorithm and the hidden ID pool are arranged in a system control management layer, and the port internal and external network attribute table and the internal and external network ID hidden table are arranged in the hardware (a switching chip) of the switching equipment. Among them, the two hidden tables (intranet and extranet ID hidden tables) shown in fig. 2 may be one or two physically.
In a system control management layer, a dynamic ID mapping algorithm for hiding dynamic IDs refers to: firstly, selecting a random number and an intranet ID to carry out logic operation; secondly, will transportAnd taking the calculation result as input, and mapping by using a hash algorithm, wherein the hash algorithm can select CRC-32, and the generating polynomial is as follows: x16+X15+X5+ 1; and finally, mapping each intranet ID for multiple times, storing the mapping relation into a hidden ID pool, randomly and dynamically selecting an intranet ID pair from the hidden pool, storing the mapping relation to be issued, and issuing an updated ID conversion mapping relation to switching equipment hardware (a switching chip).
And issuing configuration to the exchange chip according to a common configuration flow, and realizing dynamic change of an internal and external network ID hidden table in the chip by periodic calling so as to achieve dynamic ID hiding.
Dynamic ID hiding is implemented in the switching hardware (switching chip). Because the dynamic ID is hidden for a specific user, the specific user is set as an intranet user, an unprotected user is set as an extranet user, and for different scenes, the processing modes of data messages through the switching chip are different:
1. when an intranet user sends a data message to an extranet user, firstly, header analysis is carried out, intranet attributes of a data packet are determined through an port intranet attribute table and an extranet attribute table, a target port is inquired through routing forwarding, after the intranet attributes cannot be matched, an intranet ID hidden table and an extranet ID hidden table are inquired, the source ID is replaced by the inquired result, the source ID is modified and hidden, the target port is inquired through routing forwarding, and finally, packet forwarding is carried out;
2. when an external network user sends a data message to an internal network user, firstly, header analysis is carried out, external network attributes of a data packet are determined through an internal and external network attribute table of a port, then a routing forwarding table is carried out to query a target port, then an internal and external network ID hidden table is queried, a corresponding internal network ID is obtained, a query result replaces the target ID in the data packet, and finally, packet forwarding is carried out;
3. when communication is carried out between external network users, firstly, header analysis is carried out, external network attributes of a data packet are determined through an internal and external network attribute table of a port, a destination port is inquired by routing forwarding, and packet forwarding is carried out;
4. when an intranet user sends a data message to the intranet user, firstly, header analysis is carried out, the intranet attribute of the data packet is determined through the port intranet and intranet attribute table, the destination port is inquired through routing forwarding, matching can be carried out, the destination port is inquired through routing forwarding, and after the attribute of the intranet port is confirmed, packet forwarding is carried out.
The embodiment of the invention provides a switching network-oriented dynamic ID hiding method, which achieves ID protection of user data forwarded by switching equipment by setting internal and external network attributes of a port of the switching equipment, constructing a hidden ID pool, setting an internal and external network ID hiding table and periodically and dynamically adjusting ID mapping. Has the following advantages:
aiming at common type attack of specific ID, an attacker can not achieve the purpose of attacking the user by scanning the ID of the user, such as DDos attack and the like;
aiming at the APT attack of a specific ID, an attacker possibly obtains the ID of an external network of the specific user within a certain time and carries out subsequent attack aiming at the corresponding ID of the internal network, but the dynamic ID hiding method provided by the patent can dynamically transform the mapping relation of the ID of the internal network and the ID of the external network, and theoretically, the attack can be avoided as long as the dynamic ID transformation period is less than the cracking period of the attacker.
The method adopts software to construct a hidden ID pool in a control management layer of a switching network system, realizes a hidden table by hardware, and realizes dynamic ID conversion by randomly and dynamically scheduling the address of the hidden pool.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.
Claims (4)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911208371.8A CN111131169B (en) | 2019-11-30 | 2019-11-30 | A Dynamic ID Hiding Method for Switching Networks |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911208371.8A CN111131169B (en) | 2019-11-30 | 2019-11-30 | A Dynamic ID Hiding Method for Switching Networks |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111131169A true CN111131169A (en) | 2020-05-08 |
| CN111131169B CN111131169B (en) | 2022-05-06 |
Family
ID=70496845
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911208371.8A Active CN111131169B (en) | 2019-11-30 | 2019-11-30 | A Dynamic ID Hiding Method for Switching Networks |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111131169B (en) |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101447980A (en) * | 2008-12-25 | 2009-06-03 | 中国电子科技集团公司第五十四研究所 | Collision-resistance method for mapping public-private key pairs by utilizing uniform user identification |
| US7609689B1 (en) * | 2001-09-27 | 2009-10-27 | Cisco Technology, Inc. | System and method for mapping an index into an IPv6 address |
| US8464334B1 (en) * | 2007-04-18 | 2013-06-11 | Tara Chand Singhal | Systems and methods for computer network defense II |
| US20130298228A1 (en) * | 2012-05-01 | 2013-11-07 | Harris Corporation | Router for communicating data in a dynamic computer network |
| US20130298227A1 (en) * | 2012-05-01 | 2013-11-07 | Harris Corporation | Systems and methods for implementing moving target technology in legacy hardware |
| CN104580233A (en) * | 2015-01-16 | 2015-04-29 | 重庆邮电大学 | Internet of Things smart home security gateway system |
| CN105721442A (en) * | 2016-01-22 | 2016-06-29 | 耿童童 | Spurious response system and method based on dynamic variation and network security system and method |
| CN105721457A (en) * | 2016-01-30 | 2016-06-29 | 耿童童 | Network security defense system and network security defense method based on dynamic transformation |
| US20160315914A1 (en) * | 2015-04-24 | 2016-10-27 | Agency For Defense Development | Method for hiding receiver's address for link layer in group communication |
| CN107071075A (en) * | 2016-11-16 | 2017-08-18 | 国家数字交换系统工程技术研究中心 | The device and method of network address dynamic hop |
| CN107682470A (en) * | 2017-10-16 | 2018-02-09 | 杭州迪普科技股份有限公司 | The method and device of public network IP availability in a kind of detection nat address pool |
| CN110365496A (en) * | 2019-07-23 | 2019-10-22 | 泰州学院 | A Network Security Defense System Based on Dynamic Transformation |
-
2019
- 2019-11-30 CN CN201911208371.8A patent/CN111131169B/en active Active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7609689B1 (en) * | 2001-09-27 | 2009-10-27 | Cisco Technology, Inc. | System and method for mapping an index into an IPv6 address |
| US8464334B1 (en) * | 2007-04-18 | 2013-06-11 | Tara Chand Singhal | Systems and methods for computer network defense II |
| CN101447980A (en) * | 2008-12-25 | 2009-06-03 | 中国电子科技集团公司第五十四研究所 | Collision-resistance method for mapping public-private key pairs by utilizing uniform user identification |
| US20130298228A1 (en) * | 2012-05-01 | 2013-11-07 | Harris Corporation | Router for communicating data in a dynamic computer network |
| US20130298227A1 (en) * | 2012-05-01 | 2013-11-07 | Harris Corporation | Systems and methods for implementing moving target technology in legacy hardware |
| CN104322027A (en) * | 2012-05-01 | 2015-01-28 | 贺利实公司 | Router for communicating data in a dynamic computer network |
| CN104580233A (en) * | 2015-01-16 | 2015-04-29 | 重庆邮电大学 | Internet of Things smart home security gateway system |
| US20160315914A1 (en) * | 2015-04-24 | 2016-10-27 | Agency For Defense Development | Method for hiding receiver's address for link layer in group communication |
| CN105721442A (en) * | 2016-01-22 | 2016-06-29 | 耿童童 | Spurious response system and method based on dynamic variation and network security system and method |
| CN105721457A (en) * | 2016-01-30 | 2016-06-29 | 耿童童 | Network security defense system and network security defense method based on dynamic transformation |
| CN107071075A (en) * | 2016-11-16 | 2017-08-18 | 国家数字交换系统工程技术研究中心 | The device and method of network address dynamic hop |
| CN107682470A (en) * | 2017-10-16 | 2018-02-09 | 杭州迪普科技股份有限公司 | The method and device of public network IP availability in a kind of detection nat address pool |
| CN110365496A (en) * | 2019-07-23 | 2019-10-22 | 泰州学院 | A Network Security Defense System Based on Dynamic Transformation |
Non-Patent Citations (1)
| Title |
|---|
| 罗跃斌: "网络主动防御关键技术研究", 《中国博士学位论文全文库信息科技辑》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111131169B (en) | 2022-05-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104853003B (en) | A kind of address based on Netfilter, port-hopping Realization Method of Communication | |
| US10505961B2 (en) | Digitally signed network address | |
| JP5291725B2 (en) | IP address delegation | |
| US8181014B2 (en) | Method and apparatus for protecting the routing of data packets | |
| US8576845B2 (en) | Method and apparatus for avoiding unwanted data packets | |
| CN101159718B (en) | Embedded Industrial Ethernet Security Gateway | |
| US20170195295A1 (en) | Anonymous communications in software-defined neworks via route hopping and ip address randomization | |
| CN100364306C (en) | Verification method of IPv6 real source address between autonomous systems based on signature | |
| CN102546661B (en) | A kind of method and system preventing IPv6 gateway neighbours spoofing attack | |
| CN103297563B (en) | A kind of method preventing repeated address detection attack of identity-based certification | |
| CN103701700A (en) | Node discovering method and system in communication network | |
| CN106027527A (en) | Anonymous communication method based on software defined network (SDN) environment | |
| CN103402197B (en) | A kind of position based on IPv6 technology and path concealment guard method | |
| CN107071075B (en) | Device and method for dynamically jumping network address | |
| CN111131169B (en) | A Dynamic ID Hiding Method for Switching Networks | |
| CN116684869B (en) | An IPv6-based trusted access method, system and medium for campus wireless networks | |
| CN111327628A (en) | Anonymous communication system based on SDN | |
| Zhang et al. | Petri Net Model of MITM Attack Based on NDP Protocol | |
| Jia et al. | RISP: An RPKI-based inter-AS source protection mechanism | |
| Tan et al. | A hierarchical source address validation technique based on cryptographically generated address | |
| Murugesan et al. | Security mechanism for IPv6 router discovery based on distributed trust management | |
| CN102571816B (en) | A kind of method and system preventing neighbor learning attack | |
| Huang et al. | Efficient DoS-limiting support by indirect mapping in networks with locator/identifier separation | |
| Praveena et al. | New Mitigating Technique to Overcome DDOS Attack | |
| Kouachi et al. | OTFI: Communication Privacy in the IoT Based on One Time Flow Information |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |