CN111277609A - SDN network monitoring method and system - Google Patents

SDN network monitoring method and system Download PDF

Info

Publication number
CN111277609A
Authority
CN
China
Prior art keywords
data
sdn
abnormal
flow
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010110505.9A
Other languages
Chinese (zh)
Inventor
康文倩
欧阳宇宏
车向北
王冬
张宏斌
佘楚云
卢赓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Power Supply Bureau Co Ltd
Original Assignee
Shenzhen Power Supply Bureau Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Power Supply Bureau Co Ltd
Priority to CN202010110505.9A
Publication of CN111277609A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an SDN (software defined network) monitoring method and system. The monitoring method comprises the following steps: the SDN network device collects traffic data according to the collection policy of the SDN centralized controller and sends the traffic data to the SDN collected-data processing device; the SDN collected-data processing device analyzes and processes the collected traffic data and sends it to a database; and the SDN centralized controller performs abnormal-data analysis and processing on the data in the database. The invention can realize real-time control of network data and quickly find abnormal network traffic, thereby improving network security.

Description

SDN network monitoring method and system
Technical Field
The invention belongs to the technical field of SDN networks, and particularly relates to a method and a system for monitoring an SDN network.
Background
At present, power monitoring systems are numerous, highly differentiated and supplied by many equipment manufacturers; they are both interrelated and independent, so unified management cannot be achieved. Maintenance is currently mostly manual, operation and maintenance are complex and difficult, efficiency is low, and automated operation and maintenance management cannot be realized. When the network fails, the recovery period is long. Various tables, including an IP table, a ledger table and a policy table, have to be maintained by hand, so omissions and errors are possible. At the same time, the correspondence between network maintenance staff maintaining IP addresses, network maintenance staff maintaining network policies and maintenance staff maintaining the applications assigned to IPs is kept up across departments by manual information exchange, which makes information communication and maintenance management complex and costly. When a fault occurs, it cannot be judged whether the fault lies in the network, the server or the system domain; each domain has to be checked one by one, the fault cannot be located quickly, a large amount of time and labour is wasted, and efficiency is low.
Software Defined Networking (SDN) is a novel network architecture that aims to let upper-layer service applications directly control and use the underlying network resources, so that resource utilization is greatly improved, the investment cost of a network solution is greatly reduced, and the flexibility and controllability of the network are greatly increased. In this new network environment, centralized control brings convenience but also a great deal of insecurity: because the targets available to attackers are increasingly concentrated, attacks become easier, and once the controller is compromised a single point of failure can bring down the whole network.
Disclosure of Invention
The technical problem to be solved by the embodiments of the present invention is to provide a method and a system for monitoring an SDN network that can quickly identify insecure factors in the network environment, so as to avoid a total network breakdown caused by an intrusion.
In order to solve the above technical problem, the present invention provides an SDN network monitoring method, including:
the SDN network equipment acquires flow data according to an acquisition strategy of the SDN centralized controller and sends the flow data to SDN acquisition data processing equipment;
the SDN data acquisition processing equipment analyzes and processes the acquired flow data and sends the flow data to a database;
and the SDN centralized controller analyzes and processes abnormal data of the data in the database.
The SDN centralized controller performs the abnormal-data analysis and processing as follows: comparing the data with an abnormal traffic library to confirm the type of the abnormal traffic data, encapsulating a dedicated handling flow table according to the five-tuple of the abnormal traffic packets to generate an abnormal data flow table, and sending the abnormal data flow table to the SDN network device.
The SDN network monitoring method further comprises the following steps: and the SDN network equipment rejects the data of the abnormal flow network element according to the abnormal data flow table.
The abnormal traffic library is specifically a third-party abnormal traffic library, and includes any one of a DoS attack traffic library, a DDoS attack traffic library, a port scanning attack traffic library, a network scanning attack traffic library, and a network worm virus traffic library.
Wherein, the comparison with the abnormal flow database confirms the data type of the abnormal flow, which specifically comprises: inputting network flow, extracting and analyzing characteristic values, detecting abnormal network flow, and determining abnormal network flow classification.
The SDN network monitoring method further comprises the following steps: and graphically displaying the flow data.
The invention also provides an SDN network monitoring system, comprising: SDN network equipment, an SDN centralized controller and SDN acquisition data processing equipment,
the SDN network equipment is used for acquiring flow data according to an acquisition strategy of the SDN centralized controller and sending the flow data to SDN acquisition data processing equipment;
the SDN collected data processing equipment is used for analyzing and processing the collected flow data and sending the flow data to a database;
the SDN centralized controller is used for sending an acquisition strategy to the SDN network equipment and analyzing and processing abnormal data of data in a database.
The SDN centralized controller analyzes and processes abnormal data in the following manner: comparing the data with an abnormal traffic library to confirm the type of the abnormal traffic data, encapsulating a dedicated handling flow table according to the five-tuple of the abnormal traffic packets to generate an abnormal data flow table, and sending the abnormal data flow table to the SDN network device.
The SDN network monitoring system further comprises a display device for graphically displaying the flow data.
Wherein the SDN network device comprises any one of a switch, a bridge, a gateway, a network interface card, a router and a special hub.
The embodiment of the invention has the following beneficial effects: the network data is controlled in real time, and abnormal network flow is found quickly, so that the network security performance is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating an SDN network monitoring method according to an embodiment of the present invention.
Fig. 2 is a schematic block diagram of an SDN network monitoring system according to another embodiment of the present invention.
Detailed Description
The following description of the embodiments refers to the accompanying drawings, which are included to illustrate specific embodiments in which the invention may be practiced.
The invention provides a method and a system for monitoring an SDN network, which can realize real-time control of network data and quickly find abnormal network flow, thereby improving the network security performance.
Fig. 1 is a flowchart illustrating an SDN network monitoring method according to an exemplary embodiment of the present invention.
As shown in fig. 1, the method comprises the steps of:
in step 101, the SDN network device acquires traffic data according to an acquisition policy of the SDN centralized controller, and sends the traffic data to an SDN acquisition data processing device.
In a preferred embodiment, before this step the method further includes configuring the network device, connecting the SDN network device to the SDN centralized controller, enabling the device's sFlow function, and using the device as an sFlow agent that provides complete traffic information from layer 2 to layer 4, or even across the whole network, to the remote sFlow collector.
After step 101 is completed, step 102 is performed, and the SDN collected data processing device analyzes and processes the collected traffic data and sends the traffic data to the database.
Then, in step 103, the SDN centralized controller performs abnormal-data analysis and processing on the data in the database.
In a preferred embodiment, this step specifically comprises: comparing the traffic data against the abnormal traffic library to confirm the type of the abnormal traffic, encapsulating a dedicated handling flow table according to the five-tuple of the abnormal traffic packets to generate an abnormal data flow table, and issuing the flow table to the SDN network device; after receiving the abnormal data flow table, the SDN network device discards the data of the network element producing the abnormal traffic according to that table.
In a more specific example, comparing against the abnormal traffic library to confirm the abnormal traffic type comprises: inputting network traffic, extracting and analyzing feature values, detecting abnormal network traffic, and determining the abnormal traffic classification. The abnormal traffic library is a third-party abnormal traffic library and includes any of the following: a DoS attack traffic library, a DDoS attack traffic library, a port scanning attack traffic library, a network scanning attack traffic library, and a network worm virus traffic library. Data from the third-party library can be obtained in advance to serve as the abnormal traffic library, and high-frequency abnormal traffic encountered by the network can be identified by analyzing the database and added to the abnormal traffic library, thereby keeping the library up to date.
The invention further includes graphically displaying the traffic data: the traffic data is transmitted to a front-end page for display, detailed traffic information is shown per port, and a trend chart of the bandwidth occupation of each port's traffic is presented; when abnormal traffic occurs, the port bandwidth occupation is generally abnormal. The abnormal information is then further compared with the abnormal traffic library to obtain the five-tuple of the abnormal traffic. The SDN network device determines the source and destination IP of the abnormal traffic from the obtained five-tuple and discards the data of the network element producing it. After the exception handling is finished, communication of that network element is restored.
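As an added example, not code from the patent or its applicant, the following Python simulates the pipeline of steps 101 to 103 together with the display and restoration steps above: constructed sFlow-style samples stand in for the collected traffic data, a small rule set with constructed thresholds stands in for the third-party abnormal traffic library, and the drop entries use an OpenFlow-style empty action list at an assumed priority of 200.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

FIVE_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")


@dataclass(frozen=True)
class FlowSample:
    """One flow sample as the collector might store it in the database."""
    in_port: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    nbytes: int


# Constructed samples for one collection interval: benign HTTPS on port 1, a port
# scan and a network scan on port 2, and a single-source UDP flood on port 3.
SAMPLES = (
    [FlowSample(1, "10.0.0.5", "10.0.1.20", 40000 + i, 443, "tcp", 1500) for i in range(5)]
    + [FlowSample(2, "10.0.0.9", "10.0.1.20", 50001, p, "tcp", 60) for p in range(20, 60)]
    + [FlowSample(2, "10.0.0.11", f"10.0.2.{i}", 51000, 22, "tcp", 60) for i in range(1, 31)]
    + [FlowSample(3, "10.0.0.7", "10.0.1.30", 33000, 80, "udp", 1400) for _ in range(600)]
)
PORT_CAPACITY_BYTES = {1: 1_000_000, 2: 1_000_000, 3: 1_000_000}  # per interval, constructed
BANDWIDTH_ALARM = 0.8  # utilisation fraction above which a port is reported as abnormal

# Stand-in for the third-party abnormal-traffic library: each entry is a traffic
# class and a predicate over the extracted feature values (thresholds constructed).
ABNORMAL_TRAFFIC_LIBRARY = [
    ("DoS", lambda f: f["packets"] >= 500 and len(f["dst_ips"]) == 1),
    ("port scan", lambda f: len(f["dst_ports"]) >= 20 and len(f["dst_ips"]) <= 2),
    ("network scan", lambda f: len(f["dst_ips"]) >= 20),
]


def port_utilisation(samples):
    """Bytes seen per ingress port as a fraction of capacity (data for the trend chart)."""
    used = Counter()
    for s in samples:
        used[s.in_port] += s.nbytes
    return {p: used[p] / cap for p, cap in PORT_CAPACITY_BYTES.items()}


def ports_over_threshold(samples):
    return sorted(p for p, u in port_utilisation(samples).items() if u >= BANDWIDTH_ALARM)


def extract_features(samples):
    """Feature values per source: packet and byte counts, distinct destinations and ports."""
    feats = defaultdict(lambda: {"packets": 0, "bytes": 0, "dst_ports": set(), "dst_ips": set()})
    for s in samples:
        f = feats[s.src_ip]
        f["packets"] += 1
        f["bytes"] += s.nbytes
        f["dst_ports"].add(s.dst_port)
        f["dst_ips"].add(s.dst_ip)
    return feats


def classify(samples):
    """Compare each source's features with the library; returns {src_ip: traffic class}."""
    verdicts = {}
    for src, f in extract_features(samples).items():
        for name, matches in ABNORMAL_TRAFFIC_LIBRARY:
            if matches(f):
                verdicts[src] = name
                break
    return verdicts


def abnormal_flow_table(samples, verdicts):
    """One drop entry per distinct five-tuple of a flagged source (empty action list =
    drop; priority 200 assumed to outrank forwarding rules). A scan yields one entry
    per probed five-tuple, so it only stops flows already seen; a real controller would widen the match."""
    entries = {}
    for s in samples:
        if s.src_ip in verdicts:
            key = (s.src_ip, s.dst_ip, s.src_port, s.dst_port, s.proto)
            entries.setdefault(key, {"priority": 200, "match": dict(zip(FIVE_TUPLE, key)),
                                     "actions": [], "reason": verdicts[s.src_ip]})
    return list(entries.values())


def apply_flow_table(samples, table):
    """SDN device side: forward only samples that match no drop entry."""
    drops = {tuple(e["match"][k] for k in FIVE_TUPLE) for e in table if not e["actions"]}
    return [s for s in samples if (s.src_ip, s.dst_ip, s.src_port, s.dst_port, s.proto) not in drops]


def restore(table, src_ip):
    """After handling is complete, delete the element's entries so its traffic resumes."""
    return [e for e in table if e["match"]["src_ip"] != src_ip]
```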
As seen from the embodiment, in the invention, the SDN network device acquires the traffic data according to the acquisition policy of the SDN centralized controller, and sends the traffic data to the SDN acquisition data processing device; then, the SDN collected data processing equipment analyzes and processes the collected flow data and sends the flow data to a database; the SDN centralized controller analyzes and processes abnormal data of the data in the database, can realize real-time control of network data, and can quickly find abnormal network flow, thereby improving network security performance.
Corresponding to the embodiment of the application function implementation method, the invention also provides an SDN network monitoring system and a corresponding embodiment.
Fig. 2 is a schematic block diagram illustrating an SDN network monitoring system according to an exemplary embodiment of the present invention.
Referring to fig. 2, in an SDN network monitoring system may include: an SDN network device 201, an SDN centralized controller 202, and an SDN collected data processing device 203, wherein,
the SDN network device 201 is configured to collect traffic data according to the collection policy of the SDN centralized controller 202 and send the traffic data to the SDN collected data processing device 203. In a preferred embodiment, the SDN network device includes, but is not limited to, switches, bridges, gateways, network interface cards, routers and/or dedicated hubs.
The SDN collected data processing device 203 is configured to analyze and process the collected traffic data and send the traffic data to a database.
The SDN centralized controller 202 is configured to send the collection policy to the SDN network device and to perform abnormal-data analysis and processing on the data in the database.
The SDN network monitoring system of this embodiment further includes a display device (not shown in the figure) configured to graphically display the traffic data.
As can be seen from this embodiment, in the SDN network monitoring system according to the present invention, traffic data is collected by an SDN network device according to a collection policy of the SDN centralized controller, and the traffic data is sent to an SDN collection data processing device; then, the SDN collected data processing equipment analyzes and processes the collected flow data and sends the flow data to a database; the SDN centralized controller analyzes and processes abnormal data of the data in the database, can realize real-time control of network data, and can quickly find abnormal network flow, thereby improving network security performance.
Compared with the prior art, the invention has the beneficial effects that: the network data is controlled in real time, and abnormal network flow is found quickly, so that the network security performance is improved.
The above disclosure illustrates only preferred embodiments of the present invention and is not to be understood as limiting the scope of the appended claims.

Claims (10)

1. An SDN network monitoring method, comprising:
the SDN network equipment acquires flow data according to an acquisition strategy of the SDN centralized controller and sends the flow data to SDN acquisition data processing equipment;
the SDN data acquisition processing equipment analyzes and processes the acquired flow data and sends the flow data to a database;
and the SDN centralized controller analyzes and processes abnormal data of the data in the database.
2. The SDN network monitoring method of claim 1, wherein the SDN centralized controller performing abnormal data analysis processing on the data specifically includes: comparing with an abnormal flow database to confirm the type of the abnormal flow data, and packaging a specifically processed flow table according to an abnormal flow data message quintuple to generate an abnormal data flow table; and sending the abnormal data flow table to SDN network equipment.
3. The SDN network monitoring method of claim 2, further comprising: and the SDN network equipment rejects the data of the abnormal flow network element according to the abnormal data flow table.
4. The SDN network monitoring method according to claim 2, wherein the abnormal traffic library is a third-party abnormal traffic library, and includes any one of a DoS attack traffic library, a DDoS attack traffic library, a port scanning attack traffic library, a network scanning attack traffic library, and a network worm virus traffic library.
5. The SDN network monitoring method of claim 3, wherein the comparing with the abnormal traffic library confirms the type of the abnormal traffic data, specifically comprising: inputting network flow, extracting and analyzing characteristic values, detecting abnormal network flow, and determining abnormal network flow classification.
6. The SDN network monitoring method of claim 1, further comprising: and graphically displaying the flow data.
7. An SDN network monitoring system, comprising: SDN network equipment, an SDN centralized controller and SDN acquisition data processing equipment,
the SDN network equipment is used for acquiring flow data according to an acquisition strategy of the SDN centralized controller and sending the flow data to SDN acquisition data processing equipment;
the SDN collected data processing equipment is used for analyzing and processing the collected flow data and sending the flow data to a database;
the SDN centralized controller is used for sending an acquisition strategy to the SDN network equipment and analyzing and processing abnormal data of data in a database.
8. The SDN network monitoring system of claim 7, wherein the SDN centralized controller analyzes and processes abnormal data in a manner that: comparing with an abnormal flow database to confirm the type of the abnormal flow data, and packaging a specifically processed flow table according to an abnormal flow data message quintuple to generate an abnormal data flow table; and issuing the flow table to the SDN network device.
9. The SDN network monitoring system of claim 7, further comprising a presentation device configured to graphically present the traffic data.
10. The SDN network monitoring system of claim 7, wherein the SDN network device comprises any one of a switch, a bridge, a gateway, a network interface card, a router, a dedicated hub.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010110505.9A CN111277609A (en) 2020-02-24 2020-02-24 SDN network monitoring method and system


Publications (1)

Publication Number Publication Date
CN111277609A true CN111277609A (en) 2020-06-12

Family

ID=71002269

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010110505.9A Pending CN111277609A (en) 2020-02-24 2020-02-24 SDN network monitoring method and system

Country Status (1)

Country Link
CN (1) CN111277609A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468253A (en) * 2013-09-23 2015-03-25 中兴通讯股份有限公司 Deep packet inspection control method and device
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计系统技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
CN107835199A (en) * 2014-12-17 2018-03-23 朱保生 Suitable for solving the method for work of the SDN systems of network security
CN110636059A (en) * 2019-09-18 2019-12-31 中盈优创资讯科技有限公司 Network attack defense system and method, SDN controller and router
CN110830469A (en) * 2019-11-05 2020-02-21 中国人民解放军战略支援部队信息工程大学 DDoS attack protection system and method based on SDN and BGP flow specification


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112333163A (en) * 2020-10-23 2021-02-05 中国联合网络通信集团有限公司 Inter-container flow monitoring method and flow monitoring management system
CN112333163B (en) * 2020-10-23 2022-08-02 中国联合网络通信集团有限公司 Inter-container flow monitoring method and flow monitoring management system


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200612