CN111327628B - Anonymous communication system based on SDN - Google Patents

Anonymous communication system based on SDN

Info

Publication number
CN111327628B
Authority
CN
China
Prior art keywords
node
cluster
administrator
communication
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010142108.XA
Other languages
Chinese (zh)
Other versions
CN111327628A (en)
Inventor
王芳鸣
常承伟
贾琼
杨枭
王佳星
马乐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-03-04
Filing date
2020-03-04
Publication date
2022-04-05
Application filed by Beijing Institute of Computer Technology and Applications
Priority to CN202010142108.XA
Publication of CN111327628A (2020-06-23)
Application granted
Publication of CN111327628B (2022-04-05)
Legal status: Active
Anticipated expiration: not listed

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L 63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions

Abstract

The invention relates to an anonymous communication system based on SDN (software-defined networking) and belongs to the technical field of information security. It combines the cluster idea with the centralized control of an SDN network to design a new anonymous communication system, making the anonymous communication service safer and more reliable. The SDN-based architecture makes it harder for an attacker to obtain user privacy and improves the response rate of network requests; the cluster mode and the node-selection restriction strategy largely avoid security threats such as malicious node injection, traffic analysis and single-point attack, improving the defensive capability of the system.

Description

Anonymous communication system based on SDN
Technical Field
The invention belongs to the technical field of information security and in particular relates to an anonymous communication system based on SDN (software-defined networking).
Background
With the rapid development of internet technology, networks have become integral to military, political, economic, social and everyday life. While the network brings convenience to users, large amounts of sensitive private data, such as identity, credit and financial information, are stolen by criminals. Encryption solves the confidentiality and integrity problems of the communication itself well, but it protects only the content of the traffic: it does little to hide the user's IP address, and once that address is obtained, further personal information is easily exposed. Anonymous communication techniques are therefore needed to protect the user's private information while the network is in use.
Existing anonymous communication schemes can be classified by design into proxy-based, Mix-based, broadcast/multicast-based and P2P-based systems. Each has its advantages, but each also has limitations and suits only certain scenarios. The most widely used anonymity system to date is the second-generation onion routing network Tor, with more than seventy percent of darknet services reportedly running over Tor. Tor prevents privacy disclosure to a certain extent through mechanisms such as perfect forward secrecy, directory service and congestion control. It also has problems in practice: the client's random selection of a route is blind and uncertain, which tends to enlarge and expose the attack surface; and the layered encryption and decryption involved in data transmission noticeably increases network latency, giving users a poor experience. Maximizing the anonymity and security of the network without significantly degrading its performance is therefore a major goal of anonymous communication framework design.
Some nodes in a network are controlled by attackers, and once such malicious nodes join a communication system its security and anonymity are compromised. The invention therefore applies the cluster idea: the hosts in the network are divided into clusters, and in each cluster one host acts as administrator and controls the admission of nodes to the cluster, so that malicious nodes cannot be injected. In addition, the relay nodes on a single communication path are chosen from different clusters, and in particular from different countries and regions, which makes traffic analysis difficult and avoids the threat of single-point attack.
The birth of the OpenFlow protocol brought software-defined networking (SDN) to prominence. SDN separates the control plane of the network from its forwarding plane, and a control center issues control instructions to the network; this improves the utilization of network resources and gives the network architecture greater controllability and flexibility.
Disclosure of Invention
Technical problem to be solved
The technical problem to be solved by the invention is as follows: how to design a new anonymous communication system so as to ensure that the anonymous communication service is safer and more reliable.
(II) Technical solution
To solve this problem, the invention provides an SDN-based anonymous communication system: an overlay network organized by an SDN controller and a plurality of hosts, where the hosts in the network are divided into a plurality of clusters and one host in each cluster serves as the administrator node of the cluster.
Preferably, the SDN controller maintains the mapping of administrator nodes in the network and the communication state of all hosts, establishes the routing forwarding table and directs the forwarding of data packets in the network;
the administrator node of each cluster maintains the mapping of the ordinary members in its cluster, requests and establishes anonymous communication on their behalf, determines whether a target node is in the cluster, and selects the optimal forwarding node in the cluster.
The invention also provides a communication method based on the system, comprising the request and establishment of anonymous communication: the client Alice, an ordinary node, sends a request for anonymous communication with the server Bob, also an ordinary node, to the administrator node A of the cluster in which Alice is located; administrator node A submits a request for anonymous communication with Bob to the SDN controller; the SDN controller asks the administrator node of every cluster whether Bob is in that cluster. If so, that administrator node returns Bob's IP address to the SDN controller; if not, the administrator node selects the optimal node in its cluster as a standby forwarding node, according to indexes such as node bandwidth utilization and credibility, and returns that node's IP address to the SDN controller. The SDN controller then selects N nodes and computes a routing forwarding table with a routing algorithm, establishing a route from administrator node A to Bob and hence an anonymous communication link between administrator node A and Bob.
Preferably, once the anonymous communication link between administrator node A and Bob is established, administrator node A relays the traffic between Alice and Bob.
Preferably, once the routing forwarding table is established, the SDN controller tells each host in the table only the next-hop forwarding node for the data packet, and the hosts simply forward the packet.
Preferably, the method further comprises a node IP address update step performed during communication, in which the IP addresses of the nodes in the network are updated aperiodically.
Preferably, N > 1.
Preferably, in the node IP address update step, the administrator node of a cluster sends an intra-cluster host IP update request to the SDN controller, and the SDN controller checks whether any host in the cluster is in a communication state. If one is, the cluster is not updated for the moment and the administrator node repeats the request after a period of time; if none is, the controller sends a set of IP addresses to the administrator node, which distributes them randomly to the hosts in the cluster.
(III) Advantageous effects
By combining the cluster idea with the centralized control of an SDN network, the invention designs a new anonymous communication system that makes the anonymous communication service safer and more reliable. The SDN-based architecture makes it harder for an attacker to obtain user privacy and improves the response rate of network requests; the cluster mode and the node-selection restriction strategy largely avoid security threats such as malicious node injection, traffic analysis and single-point attack, improving the defensive capability of the system.
Drawings
FIG. 1 is a schematic diagram of the basic anonymous communication framework of the invention;
FIG. 2 is a topology diagram of the anonymous communication network architecture of the invention;
FIG. 3 is a timing diagram of the updating of node IP addresses in the network according to the invention;
FIG. 4 is a timing diagram of the request and establishment of anonymous communication according to the invention;
FIG. 5 is a diagram of an example anonymous communication process according to the invention.
Detailed Description
To make the objects, content and advantages of the invention clearer, the embodiments are described in detail below with reference to the drawings and examples.
The communication framework of the invention consists mainly of two processes, node IP address update and the request and establishment of anonymous communication, as shown in FIG. 1.
The SDN-based anonymous communication system of the invention can be regarded as an overlay network organized by an SDN controller and a plurality of hosts; its structure is shown in FIG. 2. The hosts in the network are divided into a plurality of clusters, and one host in each cluster serves as the administrator node of the cluster.
The SDN controller maintains the mapping of administrator nodes in the network and the communication state of all hosts, establishes the routing forwarding table and directs the forwarding of data packets in the network;
the administrator node of each cluster maintains the mapping of the ordinary members in its cluster, requests and establishes anonymous communication on their behalf, determines whether a target node is in the cluster, and selects the optimal forwarding node in the cluster.
The communication method of the SDN-based anonymous communication system comprises the following steps:
Node IP address update
An attacker who wants to learn the communication relationships in a network relies mainly on identifying information such as IP addresses. A new anonymous communication system must therefore consider how to make it harder for attackers to obtain the real communication relationships and personal information of users. A unified control center is therefore added to the network to update the IP addresses of all nodes aperiodically. The control center also reduces the communication overhead among network nodes and improves network speed.
The concrete IP address update process is shown in FIG. 3: the administrator node of a cluster sends an intra-cluster host IP update request to the SDN controller, and the SDN controller checks whether any host in the cluster is in a communication state. If one is, the cluster is not updated for the moment and the administrator node repeats the request after a period of time; if none is, the controller sends a set of IP addresses to the administrator node, which distributes them randomly to the hosts in the cluster.
Request and establishment of anonymous communication
The request and establishment of anonymous communication involves the SDN controller, the administrator node, the client (the sender, Alice), the intermediate nodes and the server (the receiver, Bob). The administrator node, intermediate nodes, client and server are all peer nodes. The process is as follows. The client Alice (an ordinary node) sends a request for anonymous communication with the server Bob (also an ordinary node) to the administrator node A of the cluster in which Alice is located, and administrator node A requests anonymous communication with Bob from the SDN controller. The SDN controller asks the administrator node of each cluster whether Bob is in that cluster; if so, that administrator node returns Bob's IP address to the SDN controller; if not, the administrator node selects the optimal node in its cluster as a standby forwarding node, according to indexes such as node bandwidth utilization and credibility, and returns its IP address to the SDN controller. The SDN controller then selects N (N > 1) nodes and computes the routing forwarding table with a routing algorithm, establishing a route from administrator node A to Bob. Once the anonymous communication link between administrator node A and Bob is established, administrator node A relays the traffic between Alice and Bob. The request and establishment procedure for Alice's anonymous communication with Bob is shown in FIG. 4.
To keep the communication anonymous, once the SDN controller has built the routing forwarding table it tells each host in the table only the next-hop forwarding node for the data packet, and the hosts do nothing but forward it. Each host on the communication link thus knows only the IP address of the previous hop and the IP address of the next hop, and cannot tell whether the previous hop is the sender or whether the next hop is the receiver.
A concrete anonymous communication process is shown in FIG. 5, where a dotted line denotes the SDN controller notifying a host of its next-hop forwarding node and a solid line denotes the actual forwarding path of the data packet. The SDN controller selects intermediate node 1 and intermediate node 2 as forwarding nodes and establishes the anonymous communication path: it tells administrator node A to send the packet to the intermediate node at 10.0.0.1, tells intermediate node 1 to forward packets arriving from 10.0.0.0 to the node at 10.0.0.2, and tells intermediate node 2 to forward packets arriving from 10.0.0.1 to the node at 10.0.0.3. Once the anonymous communication link is established, administrator node A communicates with Bob over the anonymous path, and the data packets between Alice and Bob are relayed through administrator node A. Bob therefore does not know who the sender is, and Alice and Bob cannot learn each other's real IP address, which achieves the anonymity effect.
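To make the two procedures concrete, the following Python model is added here for illustration; it is not code from the patent or its assignee. It simulates a controller and clusters with administrator nodes, runs the deferred renumbering of the node IP address update step, and performs the path set-up of the request and establishment step, installing only (previous hop, next hop) state on each host as FIG. 5 describes. The class names, the scoring that combines bandwidth utilization and credibility, the spare address pool, the random choice of N relays from clusters other than Alice's and the four-cluster topology are all assumptions. The model also makes visible the point a practitioner should weigh: every next-hop entry is installed by the controller, so the controller can walk the whole route even though no single relay can, and administrator node A sees Alice's request directly; the anonymity of the scheme rests on both being trusted.

```python
"""Toy model of the clustered SDN overlay: node IP address update and request/
establishment of an anonymous path. Added illustration, not the patent's code;
class names, scoring, the address pool and the topology are all assumed."""
import random
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ip: str
    cluster: str
    bandwidth_util: float = 0.0  # fraction of link in use, lower is better (assumed scale)
    credibility: float = 1.0     # trust index in 0..1 kept by the administrator (assumed)


@dataclass
class Cluster:
    name: str
    admin: Host
    others: list  # ordinary members of the cluster

    def __post_init__(self):
        self.members = {h.name: h for h in (self.admin, *self.others)}

    def best_relay(self):
        # Administrator picks its standby forwarding node. The patent names bandwidth
        # utilisation and credibility as the indexes; the product is an assumed combination.
        return max(self.others, key=lambda h: h.credibility * (1.0 - h.bandwidth_util))


class Controller:
    def __init__(self, clusters, address_pool):
        self.clusters = {c.name: c for c in clusters}
        self.pool = list(address_pool)  # spare addresses handed out on update (assumed)
        self.active = set()             # names of hosts with a live session
        self.next_hop = {}              # ip -> (prev_ip, next_ip): all a host is ever told

    # Node IP address update (FIG. 3).
    def update_cluster_ips(self, cluster_name, rng):
        c = self.clusters[cluster_name]
        if any(h.name in self.active for h in c.members.values()):
            return False  # a member is mid-session: defer, the administrator retries later
        addrs = [self.pool.pop() for _ in c.members]
        rng.shuffle(addrs)  # the administrator distributes the set at random
        for h, ip in zip(c.members.values(), addrs):
            h.ip = ip
        return True

    # Request and establishment of anonymous communication (FIG. 4, FIG. 5).
    def establish(self, src, dst_name, n, rng):
        if n <= 1:
            raise ValueError("the patent requires N > 1 forwarding nodes")
        dst, standby = None, []
        for c in self.clusters.values():  # query every administrator
            if dst_name in c.members:
                dst = c.members[dst_name]  # this administrator returns Bob's IP
            elif c.name != src.cluster:    # source cluster already supplies admin A (assumed)
                standby.append(c.best_relay())
        if dst is None:
            raise LookupError(dst_name)
        relays = rng.sample(standby, n)  # one host per cluster; routing algorithm assumed random
        path = [self.clusters[src.cluster].admin, *relays, dst]
        ips = [None, *(h.ip for h in path), None]
        for prev, cur, nxt in zip(ips, ips[1:], ips[2:]):
            self.next_hop[cur] = (prev, nxt)  # each host learns only its two neighbours
        self.active |= {src.name, *(h.name for h in path)}
        return path

    def teardown(self, src, path):
        for h in path:
            self.next_hop.pop(h.ip, None)
        self.active -= {src.name, *(h.name for h in path)}

    def full_path(self, first_ip):
        # Only the controller can do this walk, because it installed every entry.
        route, cur = [first_ip], first_ip
        while self.next_hop[cur][1] is not None:
            cur = self.next_hop[cur][1]
            route.append(cur)
        return route


def build_demo():
    """Constructed topology: Alice in cluster X, Bob in cluster Z, relay candidates in Y, W."""
    x = Cluster("X", Host("A_x", "10.0.1.1", "X"),
                [Host("alice", "10.0.1.2", "X"), Host("x1", "10.0.1.3", "X", 0.2, 0.9)])
    y = Cluster("Y", Host("A_y", "10.0.2.1", "Y"),
                [Host("y1", "10.0.2.2", "Y", 0.5, 0.8), Host("y2", "10.0.2.3", "Y", 0.1, 0.7)])
    z = Cluster("Z", Host("A_z", "10.0.3.1", "Z"),
                [Host("bob", "10.0.3.2", "Z"), Host("z1", "10.0.3.3", "Z", 0.4, 0.6)])
    w = Cluster("W", Host("A_w", "10.0.4.1", "W"), [Host("w1", "10.0.4.2", "W", 0.3, 0.95)])
    ctl = Controller([x, y, z, w], [f"10.0.9.{i}" for i in range(1, 20)])
    return ctl, x.members["alice"]


def run_demo(seed=7):
    rng = random.Random(seed)
    ctl, alice = build_demo()
    path = ctl.establish(alice, "bob", n=2, rng=rng)
    first_relay_view = ctl.next_hop[path[1].ip]  # (admin A, next relay): Alice never appears
    blocked = ctl.update_cluster_ips("Z", rng)   # Bob's cluster is mid-session: deferred
    route = ctl.full_path(path[0].ip)            # the controller's complete picture
    ctl.teardown(alice, path)
    renumbered = ctl.update_cluster_ips("Z", rng)  # now permitted
    return {"path": [h.name for h in path], "first_relay_view": first_relay_view,
            "blocked": blocked, "route": route, "renumbered": renumbered,
            "bob_ip_after": ctl.clusters["Z"].members["bob"].ip}
```

`run_demo()` returns the path (administrator A, two relays from distinct clusters, Bob), the first relay's two-neighbour view (administrator A, not Alice, is its previous hop), the refused renumbering of Bob's cluster while the session is live, the route the controller can reconstruct from its own table, and the renumbering that succeeds once the session is torn down. The administrator selection uses y2 over y1 because its lower utilization outweighs its lower credibility under the assumed product score; a real deployment would have to define and defend that metric, since a relay that games it is exactly the malicious-node risk the clustering is meant to contain.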
The above is only a preferred embodiment of the invention. Those skilled in the art can make several modifications and variations without departing from its technical principle, and such modifications and variations also fall within its scope of protection.

Claims (6)

1. A communication method implemented by an SDN-based anonymous communication system, characterized in that the system is an overlay network organized by an SDN controller and a plurality of hosts, the hosts in the network are divided into a plurality of clusters, and one host in each cluster serves as the administrator node of the cluster;
the SDN controller maintains the mapping of administrator nodes in the network and the communication state of all hosts, establishes a routing forwarding table and directs the forwarding of data packets in the network;
the administrator node of each cluster maintains the mapping of the ordinary members in the cluster, requests and establishes anonymous communication for the ordinary members in the cluster, determines whether a target node is in the cluster and selects an optimal forwarding node in the cluster;
the communication method comprises the request and establishment of anonymous communication: a client Alice, as an ordinary node, sends a request for anonymous communication with a server Bob, also an ordinary node, to the administrator node A of the cluster in which Alice is located; administrator node A submits a request for anonymous communication with Bob to the SDN controller; the SDN controller asks the administrator node of each cluster whether Bob is in that cluster, and if so the corresponding administrator node returns Bob's IP address to the SDN controller; if not, each administrator node selects an optimal node in its cluster as a standby forwarding node according to the node bandwidth utilization and credibility indexes and returns the IP address of that node to the SDN controller; the SDN controller then selects N nodes and computes a routing forwarding table with a routing algorithm, thereby establishing a route from administrator node A to Bob and an anonymous communication link between administrator node A and Bob.
2. The communication method of claim 1, wherein, after the anonymous communication link between administrator node A and Bob is established, administrator node A relays the traffic between Alice and Bob.
3. The communication method of claim 1, wherein, after the routing forwarding table is established, the SDN controller notifies each host in the routing forwarding table of the next-hop forwarding node for the data packet, and the hosts simply forward the data packet.
4. The communication method of claim 1, further comprising a node IP address update step performed during communication, wherein the IP address of each node in the network is updated aperiodically.
5. The communication method of claim 1, wherein N > 1.
6. The communication method of claim 4, wherein in the node IP address update step an administrator node in a cluster sends an intra-cluster host IP update request to the SDN controller; the SDN controller checks whether any host in the cluster is in a communication state, and if so the cluster is not updated for the moment and the administrator node submits the request again after a period of time; if no host is communicating, a set of IP addresses is sent to the administrator node, which distributes them randomly to the hosts in the cluster.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010142108.XA CN111327628B (en) 2020-03-04 2020-03-04 Anonymous communication system based on SDN


Publications (2)

Publication Number Publication Date
CN111327628A CN111327628A (en) 2020-06-23
CN111327628B true CN111327628B (en) 2022-04-05

Family

ID=71173151


Country Status (1)

Country Link
CN (1) CN111327628B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935018B (en) * 2020-07-23 2022-03-08 北京华云安信息技术有限公司 Pivot (springboard) network path generation method with autonomously configurable networking rules

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027527A (en) * 2016-05-23 2016-10-12 华中科技大学 (Huazhong University of Science and Technology) Anonymous communication method in a software-defined network (SDN) environment
CN108293009A (en) * 2015-12-31 2018-07-17 华为技术有限公司 (Huawei Technologies Co., Ltd.) Software-defined data center and scheduling and traffic monitoring method for the service clusters therein
CN108293001A (en) * 2015-12-31 2018-07-17 华为技术有限公司 (Huawei Technologies Co., Ltd.) Software-defined data center and deployment method for the service clusters therein
CN108365979A (en) * 2018-01-31 2018-08-03 深信服科技股份有限公司 (Sangfor Technologies Inc.) Cross-cluster controller management method, SDN controller and storage medium
CN110753054A (en) * 2019-10-25 2020-02-04 电子科技大学 (University of Electronic Science and Technology of China) Anonymous communication method based on SDN

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10084756B2 (en) * 2015-12-30 2018-09-25 Argela Yazilim ve Bilisim Teknolojileri San. ve Tic. A.S. Anonymous communications in software-defined networks via route hopping and IP address randomization


Also Published As

Publication number Publication date
CN111327628A (en) 2020-06-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant