CN111835725A - Network attack coping method for SDN controller cluster - Google Patents

Info

Publication number
CN111835725A
Authority
CN
China
Prior art keywords
sdn controller
load
abnormal
switching device
sdn
Prior art date
Legal status
Granted
Application number
CN202010534017.0A
Other languages
Chinese (zh)
Other versions
CN111835725B (en
Inventor
崔琪楣
顾晓阳
张雪菲
李娜
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Events
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202010534017.0A
Publication of CN111835725A
Application granted
Publication of CN111835725B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The network attack coping method for an SDN controller cluster is applied to a management device in the SDN controller cluster and is used for receiving abnormal information reported by an SDN controller. The abnormal information of any SDN controller is information, obtained by that SDN controller by monitoring in real time the traffic between itself and its corresponding switching equipment, that indicates abnormal traffic; when abnormal information is detected, the SDN controller stops message interaction with the switching equipment corresponding to the abnormal information. The switching equipment corresponding to the abnormal information is treated as abnormal switching equipment, moved out of the load of the SDN controller, and no further response is made to its routing requests. According to this scheme, the security of the SDN controller cluster can be improved.

Description

Network attack coping method for SDN controller cluster
Technical Field
The invention relates to the technical field of software defined networking, in particular to a network attack coping method for an SDN controller cluster.
Background
SDN (Software Defined Network) is a novel network architecture that is software-based and programmable. In an SDN-based network system, the SDN controller is the core module: it carries the service requirements of upper-layer applications, and its southbound interface exchanges a large number of control and request messages with the switches and other switching equipment connected to it, so that data forwarding in the underlying network topology is controlled. Once an SDN controller fails or is attacked, the control plane of the network is paralyzed, which in turn causes problems such as network service interruption and network resource exhaustion; this also makes an SDN controller cluster a prime target of network attacks.
At present, many mainstream SDN controller solutions, such as OpenDaylight (a controller platform that may also serve as an SDN management plane), FloodLight (an SDN controller developed in Java), and ONOS (an SDN controller aimed at service providers and enterprise backbones), all support running SDN controllers in a cluster. Clustering can to some extent reduce network system failures caused by the single-point failure of one SDN controller and improve the reliability and security of the network system. However, a clustered deployment of SDN controllers still cannot cope with a large network attack launched from large numbers of abnormal switching devices: an attacker who controls abnormal switching devices can launch a large-scale attack against a single controller, paralyze that controller, and even directly exhaust the network resources of the whole controller cluster.
Therefore, how to improve the security of the SDN controller cluster is an urgent problem to be solved.
Disclosure of Invention
The embodiment of the invention aims to provide a network attack coping method for an SDN controller cluster, so as to achieve the effect of improving the security of the SDN controller cluster. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides a network attack handling method for an SDN controller cluster, applied to a management device in the SDN controller cluster, where the SDN controller cluster further includes a plurality of SDN controllers and, for each SDN controller, the switching devices that form the load of that SDN controller. The method comprises:
receiving abnormal information reported by an SDN controller; the abnormal information of any SDN controller is information, obtained by that SDN controller by monitoring in real time the traffic between itself and its corresponding switching equipment, that indicates abnormal traffic, and when abnormal information is detected the SDN controller stops message interaction with the switching equipment corresponding to the abnormal information;
taking the switching equipment corresponding to the abnormal information as abnormal switching equipment, migrating it out of the load of the SDN controller corresponding to the abnormal information, and stopping responses to the routing requests of the abnormal switching equipment.
In a second aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus; a memory for storing a computer program; a processor, configured to implement the network attack coping method for the SDN controller cluster provided in the first aspect when executing the computer program stored in the memory.
In the scheme provided by the invention, the SDN controller cluster comprises a management device, a plurality of SDN controllers and their switching devices, and the management device receives the abnormal information reported by an SDN controller. The abnormal information of any SDN controller is information, obtained by that SDN controller through real-time monitoring of the traffic between itself and its corresponding switching device, that indicates abnormal traffic, and abnormal traffic generally indicates that a network attack is under way. Therefore, by treating the switching device corresponding to the abnormal information as an abnormal switching device, migrating it out of the load of the SDN controller corresponding to the abnormal information, and stopping responses to its routing requests, the security threat that the network attack indicated by the abnormal traffic poses to the whole SDN controller cluster is reduced, and the security of the SDN controller cluster is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
Fig. 1 is a schematic structural diagram of an SDN controller cluster in a network attack coping method for the SDN controller cluster according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a network attack handling method for an SDN controller cluster according to an embodiment of the present invention;
fig. 3 is another schematic structural diagram of an SDN controller cluster in a network attack handling method for the SDN controller cluster according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a network attack handling method for an SDN controller cluster according to an embodiment of the present invention, where an SDN controller obtains abnormal information;
fig. 5 is a flowchart of a load balancing process in a network attack handling method for an SDN controller cluster according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
First, a network attack coping method for an SDN controller cluster according to an embodiment of the present invention is described below.
The network attack coping method for the SDN controller cluster provided by the embodiment of the present invention can be applied to the management device for the SDN controller cluster shown in fig. 1 of the present invention.
As shown in fig. 1, in a network attack coping method for an SDN controller cluster according to an embodiment of the present invention, a structure of the SDN controller cluster may include:
a management apparatus 101, a plurality of SDN controllers 102, and, for each SDN controller 102, switching devices 103 that serve as the load of that SDN controller 102.
Because an SDN controller is software-based and programmable, it exists in software form, and accordingly the SDN controller cluster can be deployed in various ways. Illustratively, multiple SDN controllers 102 may be deployed on one electronic device, or multiple SDN controllers 102 may each be deployed on different electronic devices. The management device 101 may be a hardware control device or a software module; for example, the management device 101 may be a super controller with control authority over the controller cluster, or a management application in the application layer of an SDN controller.
In a specific application, the SDN controller cluster may be a cloud computing system, a cloud data storage system, an all-IP backbone network system, an ISP network, a controller platform supporting clustered controller deployment, and the like; for example, the controller platform supporting clustered controller deployment may be OpenDaylight, FloodLight, ONOS or a similar platform. In addition, the number of switching devices loaded on an SDN controller may be zero, one or more; an SDN controller with zero switching devices can have switching devices migrated to it by the subsequent load balancing process. Each SDN controller may have a monitoring module deployed in it, which monitors in real time the traffic between the SDN controller and its corresponding switching devices. The monitoring module may be deployed at the southbound interface of the SDN controller as a software interface, or at the application layer of the SDN controller as an application, and so on.
As shown in fig. 2, a flow of a network attack coping method for an SDN controller cluster according to an embodiment of the present invention may include:
s201, receiving abnormal information of the SDN controller reported by the SDN controller.
The abnormal information of any SDN controller is information which is obtained by monitoring the flow between the SDN controller and the corresponding switching equipment in real time through the SDN controller and is used for indicating abnormal flow, and when the abnormal information is monitored, the SDN controller stops message interaction between the SDN controller and the switching equipment corresponding to the abnormal information.
In a specific application, a monitoring module configured inside the SDN controller may monitor various southbound interface message interactions in the SDN controller cluster in real time, and the supported southbound interface protocols may include OpenFlow, OF-Config, NETCONF, OVSDB, XMPP, PCEP, I2RS, OpFlex, and other protocols.
The abnormal information used to indicate a traffic abnormality may take various forms. For example, it may include message interaction data between the switching device and its SDN controller, such as the time interval or frequency of message interaction, together with the device information of the abnormal switching device. Or, for example, it may include a score of the message interaction between the switching device and its SDN controller, together with the device information of the abnormal switching device. For ease of understanding and a reasonable layout, the second example is described in detail below in the fig. 2 embodiment of the present invention.
And S202, taking the switching equipment corresponding to the abnormal information as abnormal switching equipment, migrating the switching equipment from the load of the SDN controller corresponding to the abnormal information, and stopping responding to the routing request of the abnormal switching equipment.
In a specific application, treating the switching device corresponding to the abnormal information as an abnormal switching device and migrating it out of the load of the SDN controller corresponding to the abnormal information may be done in various ways. Exemplarily, as shown in fig. 3, the SDN controller cluster may include: a management apparatus 301, SDN controllers 302, one or more exception handling controllers 302″ among the SDN controllers 302 for taking over abnormal switching devices, and, for each SDN controller 302, switching devices 303 as the load of that SDN controller 302. In this case, the abnormal switching device 303″ may be migrated from the load of the SDN controller corresponding to the abnormal information to the exception handling controller 302″; the dashed lines represent the migration of switching devices 303 and abnormal switching devices 303″ between SDN controllers. Or, for example, as shown in fig. 1, when no exception handling controller 302″ for taking over abnormal switching devices is set up in the SDN controller cluster, the abnormal switching device may be migrated directly out of the load of the SDN controller corresponding to the abnormal information, and the management apparatus itself takes over the abnormal switching device. In both cases, the network security manager or the firewall can confirm the specific abnormality of the abnormal switching device and resolve it through the exception handling controller 302″ or the management apparatus that has taken over the abnormal switching device.
In the scheme provided by the invention, the SDN controller cluster comprises a management device, a plurality of SDN controllers and their switching devices, and the management device receives the abnormal information reported by an SDN controller. The abnormal information of any SDN controller is information, obtained by that SDN controller through real-time monitoring of the traffic between itself and its corresponding switching device, that indicates a traffic anomaly, and a traffic anomaly typically indicates a network attack. Therefore, treating the switching device corresponding to the abnormal information as an abnormal switching device, migrating it out of the load of the SDN controller corresponding to the abnormal information, and stopping responses to its routing requests reduces the security threat that the network attack indicated by the abnormal traffic poses to the whole SDN controller cluster, and improves the security of the SDN controller cluster.
As shown in fig. 4, in a network attack coping method for an SDN controller cluster according to an embodiment of the present invention, a flow of an SDN controller acquiring abnormal information may include the following steps:
s401, record a time interval of an incoming message and a time interval of an outgoing message between the SDN controller and the switching device corresponding to the SDN controller.
For example, the time interval of incoming messages between a certain SDN controller and its corresponding switching device may be obtained as follows: at time t1 the SDN controller receives message s1 forwarded by the switching device, and at time t2 it receives message s2 forwarded by the switching device, so the incoming-message time interval is t2 − t1. The time interval of outgoing messages between a certain SDN controller and its corresponding switching device may be obtained as follows: at time t3 the switching device receives message s3 sent by the SDN controller, and at time t4 it receives message s4 sent by the SDN controller, so the outgoing-message time interval is t4 − t3.
S402, inputting the time interval of the incoming message and the time interval of the outgoing message into a preset scoring formula respectively to obtain the incoming score and the outgoing score of the exchange equipment.
Wherein, the scoring formula is a formula capable of calculating the interaction frequency of any message.
In an optional implementation manner, the preset scoring formula may specifically include:
$score = persistent + transient \cdot e^{-\lambda \Delta t}$
where score is the score; persistent, transient and λ are constants; and Δt is the parameter related to the message interaction time interval, namely the time interval $\Delta t_I$ of incoming messages or the time interval $\Delta t_O$ of outgoing messages. For example, when calculating the incoming score, Δt is the incoming-message interval $\Delta t_I$; when calculating the outgoing score, Δt is the outgoing-message interval $\Delta t_O$. In a specific application, the constants persistent, transient and λ can be assigned by operation and maintenance personnel according to the specific operating conditions of the network.
And S403, if any one of the inflow score and the outflow score is larger than or equal to a preset score threshold, determining that abnormal information is monitored, and taking the inflow score, the outflow score and the corresponding equipment information of the exchange equipment as the abnormal information.
Since the scoring formula computes the message interaction frequency, and the score increases as the interval shrinks, an inflow or outflow score at or above the preset threshold indicates that the time interval Δt between message interactions is small, i.e. the frequency of message interaction is high and the interaction is abnormal; therefore it can be determined that abnormal information has been detected.
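Steps S401 to S403 worked through as an added example (not code from the patent): the constants, the score threshold and the message trace are all constructed assumptions, and the monitor also shows the controller stopping interaction with a flagged device as step S201 describes.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class ScoreParams:
    persistent: float  # floor of the score for very long intervals
    transient: float   # extra score that decays as the interval grows
    lam: float         # decay rate lambda, per second
    threshold: float   # preset score threshold (S403)

# Constructed parameter set; the patent leaves these to operations staff.
PARAMS = ScoreParams(persistent=0.2, transient=1.0, lam=2.0, threshold=0.9)

def score(delta_t: float, p: ScoreParams = PARAMS) -> float:
    """S402: score = persistent + transient * e^(-lambda * delta_t)."""
    if delta_t < 0:
        raise ValueError("message interval must be non-negative")
    return p.persistent + p.transient * math.exp(-p.lam * delta_t)

def max_abnormal_interval(p: ScoreParams = PARAMS) -> float:
    """Largest interval that still scores >= threshold: the fastest message rate
    the operator tolerates, expressed as a minimum spacing in seconds. Handy when
    choosing the constants, since the threshold alone is hard to reason about."""
    gap = p.threshold - p.persistent
    if gap <= 0 or gap > p.transient:
        raise ValueError("threshold is always exceeded or never reachable")
    return math.log(p.transient / gap) / p.lam

def last_interval(timestamps):
    """S401: interval between the two most recent messages in one direction,
    or None when fewer than two messages have been seen."""
    if len(timestamps) < 2:
        return None
    return timestamps[-1] - timestamps[-2]

def check_switch(device_id, incoming_ts, outgoing_ts, p=PARAMS):
    """S401-S403 for one switching device. Returns None while traffic looks normal,
    otherwise the abnormal information the controller reports upward."""
    d_in, d_out = last_interval(incoming_ts), last_interval(outgoing_ts)
    s_in = score(d_in, p) if d_in is not None else 0.0
    s_out = score(d_out, p) if d_out is not None else 0.0
    if s_in >= p.threshold or s_out >= p.threshold:
        return {"device": device_id, "incoming_score": s_in, "outgoing_score": s_out}
    return None

def monitor(events, p=PARAMS):
    """Replay southbound message events (t, device_id, direction) in time order.
    direction is "in" (switch -> controller) or "out" (controller -> switch).
    Returns (reports, blocked): the abnormal information emitted, and the set of
    devices with which the controller has stopped message interaction."""
    history, reports, blocked = {}, [], set()
    for t, dev, direction in sorted(events):
        if dev in blocked:
            continue  # interaction with an abnormal device has been stopped
        h = history.setdefault(dev, {"in": [], "out": []})
        h[direction].append(t)
        report = check_switch(dev, h["in"], h["out"], p)
        if report is not None:
            report["at"] = t
            reports.append(report)
            blocked.add(dev)
    return reports, blocked

# Constructed trace: sw-1 exchanges one message per second in each direction,
# sw-2 starts flooding the controller at t=2.0 with a message every millisecond.
SAMPLE_EVENTS = (
    [(float(i), "sw-1", "in") for i in range(5)]
    + [(i + 0.5, "sw-1", "out") for i in range(4)]
    + [(2.0 + 0.001 * i, "sw-2", "in") for i in range(50)]
)

if __name__ == "__main__":
    print("flag any interval below %.3f s" % max_abnormal_interval())
    for r in monitor(SAMPLE_EVENTS)[0]:
        print(r)
```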
In an optional implementation manner, after the switching device corresponding to the abnormal information is taken as an abnormal switching device, migrated from a load of the SDN controller corresponding to the abnormal information, and stops responding to a routing request of the abnormal switching device, the method for handling a network attack by an SDN controller cluster provided in the embodiment of the present invention may further include the following steps:
and outputting the abnormal information of the abnormal switching equipment.
In a specific application, the output exception information of the exception switching device may be various. For example, the abnormal information of the abnormal switching device may be output to a network security manager, so that the network security manager confirms the specific abnormality of the abnormal switching device and removes the abnormal condition based on the abnormal information. Or, for example, the abnormal information of the abnormal switching device may be output to the network security firewall, so that the network security firewall confirms the specific abnormality of the abnormal switching device and removes the abnormal condition based on the abnormal information. Any method of outputting the abnormal information of the abnormal switching device to release the abnormal condition of the abnormal switching device can be used in the present invention, and this embodiment does not limit this. The output of the abnormal information of the abnormal switching device can enable a network security manager or a network firewall to confirm and eliminate the network abnormality, so that the security of the SDN controller cluster is further improved.
In an optional implementation manner, after the outputting the abnormal information of the abnormal switching device, the method for handling a network attack of an SDN controller cluster provided in the embodiment of the present invention may further include the following steps:
receiving a notification that the network exception corresponding to the exception information is resolved;
migrating the abnormal switching device back to the load of the SDN controller to which it belonged when the abnormal information was detected, and performing load balancing on all switching devices in the SDN controller cluster.
The notification that the network anomaly corresponding to the abnormal information is resolved indicates that the network anomaly of the abnormal switching device has been resolved, so the abnormal switching device can be migrated back to the load of the SDN controller to which it belonged when the abnormal information was detected, and load balancing can be performed on all switching devices in the SDN controller cluster. In this way, post-processing of the network attack suffered by the SDN controller cluster is realized and normal operation of the SDN controller cluster is ensured.
In addition, migrating the abnormal switching device back to the SDN controller to which it belonged when the abnormal information was detected may be done in various ways. For example, when the abnormal switching device was taken over by the management apparatus itself, the notification that the network abnormality corresponding to the abnormal information is resolved may be sent to the management apparatus by network security personnel or a network security firewall, and the management apparatus may directly migrate the abnormal switching device back into the load of the SDN controller to which it belonged when the abnormal information was detected. Or, for example, when the abnormal switching device was taken over by the exception handling controller, network security personnel or a network security firewall may send the notification to the exception handling controller, which forwards it to the management device; the management device may then send a migrate-back notification for the abnormal switching device to the exception handling controller, so that the exception handling controller migrates the abnormal switching device back to the load of the SDN controller to which it belonged when the abnormal information was detected.
In an optional implementation manner, after the switching device corresponding to the abnormal information is taken as an abnormal switching device, migrated from a load of the SDN controller corresponding to the abnormal information, and stops responding to a routing request of the abnormal switching device, the method for handling a network attack by an SDN controller cluster provided in the embodiment of the present invention may further include the following steps:
and carrying out load balancing processing on the switching devices except the abnormal switching device in the SDN controller cluster.
In this optional embodiment, load balancing is performed on the switching devices in the controller cluster except the abnormal switching device, so that normal operation of the SDN controller cluster can be ensured when the abnormal switching device is migrated, and the network attack coping capability of the SDN controller cluster is improved.
In an optional implementation manner, the load balancing processing performed on the switching devices in the SDN controller cluster except for the abnormal switching device specifically includes the following steps:
receiving a load evaluation result uploaded by an SDN controller; the load evaluation result of any SDN controller is an evaluation result obtained by the SDN controller based on a message cache queue in the SDN controller obtained by monitoring according to a preset period;
calculating the mean value of the received load evaluation results, and sequencing the SDN controllers according to the size of the load evaluation results;
if the mean value is larger than a preset mean value upper threshold value, adding an SDN controller with zero load to the SDN controller cluster;
according to the sequencing results of the SDN controllers, randomly selecting one switching device from the switching devices corresponding to the SDN controller with the highest load, and migrating the selected switching device to the SDN controller with the zero load to obtain a migrated SDN controller with the zero load;
if the load evaluation result of the migrated zero-load SDN controller is smaller than the average value, the steps of randomly selecting one switching device from the switching devices corresponding to the SDN controller with the highest load and migrating the selected switching device to the SDN controller with the zero load are executed in a circulating mode until the load evaluation result of the migrated zero-load SDN controller is larger than or equal to the average value.
In an optional implementation manner, after the above respectively calculating the mean and the standard deviation of the received load evaluation results, and sorting the SDN controllers in the order from high to low according to the load evaluation results, the network attack coping method for the SDN controller cluster provided by the embodiment of the present invention may further include the following steps:
if the mean value is smaller than the preset mean value upper threshold value, judging whether the mean value is smaller than a preset mean value lower threshold value;
if the mean value is smaller than a preset mean value lower threshold value, randomly selecting one switching device from the switching devices corresponding to the SDN controllers with the lowest load according to the sequencing results of the SDN controllers, and migrating the selected switching device to the SDN controller cluster, except the SDN controller corresponding to the selected switching device, and the SDN controller with the lowest load in the rest SDN controllers to obtain a first migrated SDN controller cluster;
acquiring load evaluation results of SDN controllers in the first migrated SDN controller cluster, and sequencing according to the load evaluation results;
if, according to the sorting result of the first migrated SDN controller cluster, the SDN controller with the lowest load still has switching equipment, cyclically executing the steps of randomly selecting one switching device from the switching devices of the SDN controller with the lowest load and migrating it to the SDN controller with the lowest load among the rest of the SDN controller cluster (excluding the SDN controller the device was selected from) to obtain the first migrated SDN controller cluster, until the SDN controller with the lowest load according to the sorting result of the first migrated SDN controller cluster has no switching equipment;
and converting the SDN controller without the switching equipment into a zero load controller, and deleting the zero load controller obtained by conversion.
In an optional implementation manner, after receiving a load evaluation result of a corresponding SDN controller uploaded by an SDN controller, the method for handling a network attack by an SDN controller cluster provided in an embodiment of the present invention may further include the following steps:
calculating a standard deviation of each received load evaluation result;
after determining whether the mean value is smaller than a preset mean value lower threshold, the network attack coping method for the SDN controller cluster provided by the embodiment of the present invention may further include the following steps:
if the mean value is larger than a preset mean value lower threshold value and the standard deviation is larger than a preset standard deviation threshold value, according to a load sorting result, randomly selecting one switching device under the SDN controller with the highest load occupation to be migrated to the SDN controller with the lowest load occupation, and obtaining a second migrated SDN controller cluster;
calculating a standard deviation of each load evaluation result of the SDN controller cluster after the second migration;
and if the standard deviation of each load evaluation result of the second migrated SDN controller cluster is larger than a preset standard deviation threshold value, circularly executing the random selection of one switching device under the SDN controller with the highest load occupation to migrate to the SDN controller with the lowest load occupation to obtain the second migrated SDN controller cluster until the standard deviation of each load evaluation result of the second migrated SDN controller cluster is smaller than the preset standard deviation threshold value.
For convenience of understanding, in the following, in an exemplary description, the foregoing various alternative embodiments regarding load balancing processing for switching devices in an SDN controller cluster except for an abnormal switching device are explained in an integrated manner.
As shown in fig. 5, the load balancing processing performed on the switching devices in the SDN controller cluster other than the abnormal switching device specifically includes the following steps:
S501, starting the load balancing process;
S502, a monitoring module configured inside each SDN controller monitors the message buffer queue of that controller's message flow buffer with a period T, counting the buffer capacity occupied by the controller's input and output messages;
S503, the monitoring module configured in the SDN controller obtains the load evaluation result of each controller and submits it to the management device;
S504, the management device calculates the mean and the standard deviation of the load evaluation results of the controllers, and sorts the controllers from high to low according to the load evaluation results;
S505, the management device judges whether the load mean is higher than the upper threshold; if yes, steps S506 to S507 are executed, if no, step S508 is executed;
S506, the management device creates a zero-load controller;
S507, the management device carries out the process of migrating switches to the zero-load controller;
S508, the management device judges whether the load mean is lower than the lower threshold; if yes, steps S509 to S510 are executed, if no, step S511 is executed;
S509, the management device carries out the process of migrating switches to other controllers on the principle of from low to high;
S510, after completing the migration, the management device deletes the controller with zero load;
S511, the management device judges whether the load standard deviation exceeds the preset standard deviation threshold; if yes, step S512 is executed, if no, step S513 is executed;
S512, the management device carries out the process of migrating switches to other controllers on the principle of from high to low;
S513, the load balancing process ends.
In step S501, a load balancing process is started, specifically, the process may be triggered by the step "taking the switching device corresponding to the abnormal information as the abnormal switching device, migrating the switching device from the load of the SDN controller corresponding to the abnormal information, and stopping the response to the routing request of the abnormal switching device". In the present exemplary description, each step is similar to each of the above-mentioned optional embodiments regarding performing load balancing processing on a switch device in the SDN controller cluster except for the abnormal switch device, except that a different expression is adopted in the present exemplary description for simplicity of illustration. For the same part, the description of each optional embodiment for performing load balancing processing on the switching devices in the SDN controller cluster except the abnormal switching device is described in detail above, and details are not repeated here.
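The management-device side of the flowchart, steps S504 to S513, as an added example in Python that is not part of the patent. Controller ids, switching-device ids, the per-switch load values and the use of a plain sum of per-switch loads as the load evaluation result are assumptions (the patent's WL formula appears only as an image on this page); the three thresholds are the ones named in S505, S508 and S511. Two loop guards, never deleting the last controller and undoing a migration that does not lower the standard deviation, are additions the patent does not describe.

```python
"""Management-device load balancing, flowchart steps S504-S513 (added example)."""
import itertools
import random
import statistics
from dataclasses import dataclass
from typing import Dict, Optional, Set

Cluster = Dict[str, Set[str]]   # controller id -> switching devices it loads (assumed ids)
SwitchLoad = Dict[str, float]   # switching device id -> load it adds to its controller (assumption)


@dataclass(frozen=True)
class Thresholds:
    mean_upper: float   # preset mean upper threshold (S505)
    mean_lower: float   # preset mean lower threshold (S508)
    std_max: float      # preset standard-deviation threshold (S511)


def controller_loads(cluster: Cluster, switch_load: SwitchLoad) -> Dict[str, float]:
    """Load evaluation result per controller (S503). The patent's WL formula is
    only an image on the page, so the stand-in here is the sum of per-switch loads."""
    return {c: sum(switch_load[s] for s in sw) for c, sw in cluster.items()}


def _move_one(cluster: Cluster, src: str, dst: str, rng: random.Random) -> str:
    """Randomly select one switching device under src and migrate it to dst."""
    dev = rng.choice(sorted(cluster[src]))
    cluster[src].remove(dev)
    cluster[dst].add(dev)
    return dev


def scale_out(cluster: Cluster, switch_load: SwitchLoad, mean_before: float,
              rng: random.Random) -> str:
    """S506-S507: add a zero-load controller and fill it from the highest-loaded
    controller until its load reaches the mean computed at S504."""
    new_id = next(f"ctrl-{i}" for i in itertools.count() if f"ctrl-{i}" not in cluster)
    cluster[new_id] = set()
    while controller_loads(cluster, switch_load)[new_id] < mean_before:
        ld = controller_loads(cluster, switch_load)
        highest = max((c for c in cluster if c != new_id), key=ld.get)
        if not cluster[highest]:
            break  # nothing left to migrate (guard not stated in the patent)
        _move_one(cluster, highest, new_id, rng)
    return new_id


def scale_in(cluster: Cluster, switch_load: SwitchLoad, rng: random.Random) -> Optional[str]:
    """S509-S510: drain the lowest-loaded controller into the lowest-loaded of the
    others, then delete it once it has no switching device left."""
    if len(cluster) < 2:
        return None  # never delete the last controller (guard not stated in the patent)
    while True:
        ld = controller_loads(cluster, switch_load)
        lowest = min(ld, key=ld.get)
        if not cluster[lowest]:
            break
        target = min((c for c in cluster if c != lowest), key=ld.get)
        _move_one(cluster, lowest, target, rng)
    del cluster[lowest]
    return lowest


def rebalance(cluster: Cluster, switch_load: SwitchLoad, std_max: float,
              rng: random.Random) -> int:
    """S512: migrate from the highest- to the lowest-loaded controller while the
    standard deviation exceeds the threshold. A move that does not lower the
    deviation is undone and the loop stops, so one heavy switch cannot bounce
    between two controllers forever (safeguard not stated in the patent)."""
    moves = 0
    while True:
        ld = controller_loads(cluster, switch_load)
        std_before = statistics.pstdev(list(ld.values()))
        if std_before <= std_max:
            break
        highest, lowest = max(ld, key=ld.get), min(ld, key=ld.get)
        if highest == lowest or not cluster[highest]:
            break
        dev = _move_one(cluster, highest, lowest, rng)
        if statistics.pstdev(list(controller_loads(cluster, switch_load).values())) >= std_before:
            cluster[lowest].remove(dev)   # undo the non-improving move
            cluster[highest].add(dev)
            break
        moves += 1
    return moves


def balance(cluster: Cluster, switch_load: SwitchLoad, th: Thresholds,
            rng: Optional[random.Random] = None) -> str:
    """One pass of the flowchart: S504 statistics, then the S505/S508/S511 decisions.
    Mutates cluster in place and reports which branch acted."""
    if not cluster:
        return "unchanged"
    rng = rng or random.Random(0)
    vals = list(controller_loads(cluster, switch_load).values())
    mean, std = statistics.fmean(vals), statistics.pstdev(vals)
    if mean > th.mean_upper:
        scale_out(cluster, switch_load, mean, rng)
        return "scaled_out"
    if mean < th.mean_lower:
        return "scaled_in" if scale_in(cluster, switch_load, rng) else "unchanged"
    if std > th.std_max and rebalance(cluster, switch_load, th.std_max, rng) > 0:
        return "rebalanced"
    return "unchanged"
```

Note that, as the patent states it, the scale-out loop compares the new controller's load with the mean computed before any migration, so the new controller can end up carrying more than the controllers it was relieved from; a later pass of S511/S512 evens that out.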
In an optional implementation manner, the SDN controller obtains a load evaluation result of the corresponding SDN controller by using the following steps:
counting, according to a preset period, the capacity C_I of the buffer occupied by the input messages of the corresponding SDN controller and the capacity C_O of the buffer occupied by its output messages;
calculating the average of the inflow scores of the corresponding SDN controller within the preset period to obtain an average inflow dynamic score, and the average of its outflow scores to obtain an average outflow dynamic score (both symbols appear only as images in the original);
inputting the capacity C_I, the capacity C_O, the average inflow dynamic score and the average outflow dynamic score into a preset load evaluation formula to obtain the load evaluation result of the SDN controller;
the preset load evaluation formula is as follows:
[load evaluation formula shown only as an image in the original; not reproduced]
where WL is the load evaluation result of the SDN controller, and q1, q2, q3 and q4 are respectively a first weight, a second weight, a third weight and a fourth weight.
In a specific application, each weight may be adjusted and set according to an application effect or an experimental effect.
Corresponding to the above embodiment, an embodiment of the present invention further provides an electronic device, as shown in fig. 6, which may include:
a processor 601, a communication interface 602, a memory 603 and a communication bus 604, wherein the processor 601, the communication interface 602 and the memory 603 communicate with each other through the communication bus 604;
a memory 603 for storing a computer program;
the processor 601 is configured to implement the following steps when executing the computer program stored in the memory 603:
receiving abnormal information of an SDN controller reported by that SDN controller; the abnormal information of any SDN controller is information obtained by the SDN controller monitoring, in real time, the traffic between itself and its corresponding switching device, and indicates abnormal traffic; when the abnormal information is monitored, the SDN controller stops message interaction with the switching device corresponding to the abnormal information;
taking the switching equipment corresponding to the abnormal information as abnormal switching equipment, migrating the switching equipment from the load of the SDN controller corresponding to the abnormal information, and stopping responding to the routing request of the abnormal switching equipment.
In a specific application, the electronic device in this embodiment may specifically be a management device in an SDN controller cluster.
In the scheme provided by the invention, the management device in the SDN controller cluster receives abnormal information of an SDN controller reported by that SDN controller. The abnormal information of any SDN controller is information obtained by the SDN controller monitoring, in real time, the traffic between itself and its corresponding switching device, and indicates abnormal traffic; abnormal traffic generally indicates that a network attack is under way. Therefore, the switching device corresponding to the abnormal information is taken as the abnormal switching device and migrated out of the load of the SDN controller corresponding to the abnormal information, and responses to the routing requests of the abnormal switching device are stopped. In this way the security threat that the network attack indicated by the abnormal traffic poses to the whole SDN controller cluster is reduced, and the security of the SDN controller cluster is improved.
The Memory may include a RAM (Random Access Memory) or an NVM (Non-Volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component.
The computer-readable storage medium provided by an embodiment of the present invention stores therein a computer program, and when the computer program is executed by a processor, the computer program implements the steps of the network attack coping method for the SDN controller cluster in any of the above embodiments.
In yet another embodiment of the present invention, a computer program product containing instructions is further provided, which when run on a computer causes the computer to execute the network attack coping method for the SDN controller cluster according to any one of the above embodiments.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber, DSL (Digital Subscriber Line)) or wirelessly (e.g., infrared, radio, microwave). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, tape), an optical medium (e.g., DVD (Digital Versatile Disc)), or a semiconductor medium (e.g., SSD (Solid State Disk)).
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiment of the electronic device, since it is substantially similar to the embodiment of the method, the description is simple, and for the relevant points, reference may be made to part of the description of the embodiment of the method.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A network attack coping method for an SDN controller cluster, applied to a management device in the SDN controller cluster, wherein the SDN controller cluster further comprises a plurality of SDN controllers and, for each SDN controller, the switching devices loaded by that SDN controller; the method comprising:
receiving abnormal information of an SDN controller reported by that SDN controller; the abnormal information of any SDN controller is information obtained by the SDN controller monitoring, in real time, the traffic between itself and its corresponding switching device, and indicates abnormal traffic; when the abnormal information is monitored, the SDN controller stops message interaction with the switching device corresponding to the abnormal information;
taking the switching equipment corresponding to the abnormal information as abnormal switching equipment, migrating the switching equipment from the load of the SDN controller corresponding to the abnormal information, and stopping responding to the routing request of the abnormal switching equipment.
2. The method of claim 1, wherein the SDN controller monitors traffic between the SDN controller and the corresponding switching device in real time, and comprises:
recording time intervals of incoming messages and time intervals of outgoing messages between the SDN controller and a switching device corresponding to the SDN controller;
inputting the time interval of the inflow message and the time interval of the outflow message into a preset scoring formula respectively to obtain an inflow score and an outflow score of the exchange equipment; the scoring formula is a formula capable of calculating the interaction frequency of any message;
and if any one of the inflow score and the outflow score is larger than or equal to a preset score threshold value, determining that abnormal information is monitored, and taking the inflow score, the outflow score and the corresponding equipment information of the exchange equipment as the abnormal information.
3. The method according to any one of claims 1-2, wherein the predetermined scoring formula comprises:
score = persistent + transient · e^(−λ·Δt)
wherein score is the score; persistent, transient and λ are constants; and Δt is a parameter related to the interaction time interval of a message, namely the time interval Δt_I of the incoming message or the time interval Δt_O of the outgoing message.
4. The method according to any one of claims 1-2, wherein after the switching device corresponding to the abnormal information is taken as an abnormal switching device, migrated from a load of the SDN controller corresponding to the abnormal information, and stops responding to the routing request of the abnormal switching device, the method further comprises:
and outputting the abnormal information of the abnormal switching equipment.
5. The method of claim 4, wherein after said outputting the exception information for the exception switching device, the method further comprises:
receiving a notification that the network exception corresponding to the exception information is resolved;
migrating the abnormal switching device back to the load of the SDN controller to which it corresponded when the abnormal information was monitored, and performing load balancing processing on all switching devices in the SDN controller cluster.
6. The method according to any one of claims 1-2, wherein after the switching device corresponding to the abnormal information is taken as an abnormal switching device, migrated from a load of the SDN controller corresponding to the abnormal information, and stops responding to the routing request of the abnormal switching device, the method further comprises:
and performing load balancing processing on the switching devices in the SDN controller cluster except the abnormal switching device.
7. The method of claim 6, wherein the performing load balancing processing for the switching devices in the SDN controller cluster other than the abnormal switching device comprises:
receiving a load evaluation result uploaded by the SDN controller; the load evaluation result of any SDN controller is an evaluation result obtained by the SDN controller based on a message cache queue in the SDN controller monitored according to a preset period;
calculating an average value of the received load evaluation results, and sequencing the SDN controllers according to the size of the load evaluation results;
if the mean value is larger than a preset mean value upper threshold value, adding a SDN controller with zero load for the SDN controller cluster;
according to the sequencing results of the SDN controllers, randomly selecting one switching device from the switching devices corresponding to the SDN controller with the highest load, and migrating the selected switching device to the SDN controller with the zero load to obtain a migrated SDN controller with the zero load;
if the load evaluation result of the migrated zero-load SDN controller is smaller than the average value, the step of randomly selecting one switching device from the switching devices corresponding to the SDN controller with the highest load and migrating the selected switching device to the zero-load SDN controller is executed in a circulating mode until the load evaluation result of the migrated zero-load SDN controller is larger than or equal to the average value.
8. The method of claim 7, wherein after the separately calculating the mean and standard deviation of the received load evaluations and sorting the plurality of SDN controllers in order of the load evaluations from high to low, the method further comprises:
if the mean value is smaller than the preset mean value upper threshold value, judging whether the mean value is smaller than a preset mean value lower threshold value;
if the mean value is smaller than the preset mean value lower threshold, randomly selecting, according to the sorting result of the SDN controllers, one switching device from the switching devices corresponding to the SDN controller with the lowest load, and migrating the selected switching device to the SDN controller that has the lowest load among the SDN controllers in the cluster other than the one corresponding to the selected switching device, so as to obtain a first migrated SDN controller cluster;
acquiring load evaluation results of SDN controllers in the first migrated SDN controller cluster, and sorting according to the size of the load evaluation results;
if, according to the sorting result of the first migrated SDN controller cluster, the SDN controller with the lowest load still has switching devices, repeating in a loop the steps of randomly selecting one switching device from the switching devices corresponding to the SDN controller with the lowest load and migrating it to the SDN controller with the lowest load among the other SDN controllers in the cluster, obtaining the first migrated SDN controller cluster each time, until the SDN controller with the lowest load according to the sorting result has no switching device;
and converting the SDN controller without the switching equipment into a zero load controller, and deleting the zero load controller obtained by conversion.
9. The method of claim 8, wherein after the receiving the load assessment results uploaded by the SDN controllers for the respective SDN controllers, the method further comprises:
calculating a standard deviation of each received load evaluation result;
after the determining whether the mean value is smaller than a preset mean value lower threshold, the method further includes:
if the mean value is larger than the preset mean value lower threshold value and the standard deviation is larger than the preset standard deviation threshold value, according to the load sorting result, randomly selecting one switching device under the SDN controller with the highest load occupation to migrate to the SDN controller with the lowest load occupation, and obtaining a second migrated SDN controller cluster;
calculating a standard deviation of each load evaluation result of the second migrated SDN controller cluster;
if the standard deviation of each load evaluation result of the second migrated SDN controller cluster is greater than the preset standard deviation threshold, circularly executing the randomly selected switching device under the SDN controller with the highest load occupation to migrate to the SDN controller with the lowest load occupation, so as to obtain the second migrated SDN controller cluster, until the standard deviation of each load evaluation result of the second migrated SDN controller cluster is less than the preset standard deviation threshold.
10. The method according to any one of claims 7 to 9, wherein the SDN controller obtains the load evaluation result of the corresponding SDN controller by adopting the following steps:
counting, according to the preset period, the capacity C_I of the buffer occupied by the input messages of the corresponding SDN controller and the capacity C_O of the buffer occupied by its output messages;
calculating the average of the inflow scores of the corresponding SDN controller within the preset period to obtain an average inflow dynamic score, and the average of its outflow scores to obtain an average outflow dynamic score (both symbols appear only as images in the original);
inputting the capacity C_I, the capacity C_O, the average inflow dynamic score and the average outflow dynamic score into a preset load evaluation formula to obtain the load evaluation result of the SDN controller;
wherein the preset load evaluation formula is as follows:
[load evaluation formula shown only as an image in the original; not reproduced]
the WL is the load evaluation result of the SDN controller, and the q1, q2, q3 and q4 are respectively a first weight, a second weight, a third weight and a fourth weight.
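The per-switch traffic scoring of claims 2 and 3, applied to constructed message timestamps, as an added example in Python that is not part of the patent. The constant values (persistent, transient, λ, threshold), the device ids and the two sample traces are assumptions; "in" stands for messages arriving from the switching device at the controller and "out" for messages the controller sends to it. Stopping message interaction with the device once abnormal information is detected follows claim 1; what the management device then does with the abnormal information (migration, stopping routing responses) is outside this block.

```python
"""Controller-side traffic scoring of claims 2 and 3 (added example)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScoringParams:
    persistent: float   # constant: score every message carries regardless of spacing
    transient: float    # constant: extra score of a message that follows its predecessor closely
    lam: float          # decay rate lambda (per second); larger means a shorter memory
    threshold: float    # preset score threshold at which abnormal information is raised


def interaction_score(delta_t: float, p: ScoringParams) -> float:
    """score = persistent + transient * e^(-lambda * delta_t), the formula of claim 3.
    delta_t -> 0 gives persistent + transient; large delta_t gives persistent."""
    return p.persistent + p.transient * math.exp(-p.lam * delta_t)


class SwitchTrafficMonitor:
    """Records the inflow and outflow message intervals of one switching device
    and raises abnormal information when either score reaches the threshold."""

    def __init__(self, device_id: str, params: ScoringParams) -> None:
        self.device_id = device_id
        self.params = params
        self.last_time: Dict[str, Optional[float]] = {"in": None, "out": None}
        self.score: Dict[str, float] = {"in": 0.0, "out": 0.0}
        self.interaction_stopped = False   # set once abnormal information is raised

    def observe(self, direction: str, t: float) -> Optional[dict]:
        """Feed one message timestamp; return the abnormal information dict
        (inflow score, outflow score, device information) or None."""
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        if self.interaction_stopped:
            return None   # message interaction with this device has been stopped
        last = self.last_time[direction]
        self.last_time[direction] = t
        if last is None:
            return None   # first message in this direction: no interval yet
        if t < last:
            raise ValueError("timestamps must be non-decreasing")
        self.score[direction] = interaction_score(t - last, self.params)
        if max(self.score.values()) >= self.params.threshold:
            self.interaction_stopped = True
            return {"device": self.device_id,
                    "inflow_score": self.score["in"],
                    "outflow_score": self.score["out"]}
        return None


def first_abnormal(device_id: str, trace: List[Tuple[str, float]],
                   params: ScoringParams) -> Optional[dict]:
    """Replay a (direction, timestamp) trace and return the first abnormal information."""
    mon = SwitchTrafficMonitor(device_id, params)
    for direction, t in trace:
        info = mon.observe(direction, t)
        if info is not None:
            return info
    return None


# Constructed parameters and traces (assumptions, not values from the patent).
PARAMS = ScoringParams(persistent=0.2, transient=1.0, lam=50.0, threshold=0.9)
# A switch that sends a request every 0.5 s and gets a reply 10 ms later.
NORMAL_TRACE = [("in", 0.0), ("out", 0.01), ("in", 0.5), ("out", 0.51), ("in", 1.0), ("out", 1.01)]
# A switch whose requests arrive 1 ms apart.
FLOOD_TRACE = [("in", 0.001 * i) for i in range(6)]

if __name__ == "__main__":
    print(first_abnormal("sw-A", NORMAL_TRACE, PARAMS))
    print(first_abnormal("sw-B", FLOOD_TRACE, PARAMS))
```

With these constants a 0.5 s spacing scores about 0.2 and a 1 ms spacing about 1.15, so the threshold of 0.9 separates the two; in practice the constants and threshold are tuned against the normal request rate of the switches the controller serves, since a threshold below persistent + transient that sits too close to persistent will flag ordinary bursts.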
CN202010534017.0A 2020-06-12 2020-06-12 Network attack coping method for SDN controller cluster Active CN111835725B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010534017.0A CN111835725B (en) 2020-06-12 2020-06-12 Network attack coping method for SDN controller cluster

Publications (2)

Publication Number Publication Date
CN111835725A true CN111835725A (en) 2020-10-27
CN111835725B CN111835725B (en) 2021-08-13

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618379A (en) * 2015-02-04 2015-05-13 北京天地互连信息技术有限公司 IDC service scene-oriented security service arranging method and network structure
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计系统技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
CN105162759A (en) * 2015-07-17 2015-12-16 哈尔滨工程大学 SDN network DDoS attack detecting method based on network layer flow abnormity
CN106230650A (en) * 2016-09-30 2016-12-14 赛特斯信息科技股份有限公司 SDN Overlay network fault positioning system and method
CN106559407A (en) * 2015-11-19 2017-04-05 国网智能电网研究院 A kind of Network traffic anomaly monitor system based on SDN
KR20170090161A (en) * 2016-01-28 2017-08-07 동서대학교산학협력단 Mitigating System for DoS Attacks in SDN
CN108111542A (en) * 2018-01-30 2018-06-01 深圳大学 Internet of Things ddos attack defence method, device, equipment and medium based on SDN
CN108289104A (en) * 2018-02-05 2018-07-17 重庆邮电大学 A kind of industry SDN network ddos attack detection with alleviate method
CN108900428A (en) * 2018-06-26 2018-11-27 南京邮电大学 Controller load-balancing method based on interchanger dynamic migration
US20190149573A1 (en) * 2017-11-10 2019-05-16 Korea University Research And Business Foundation System of defending against http ddos attack based on sdn and method thereof

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
WENWEN SUN,YI LI: "An Improved Method of DDoS Attack Detection for Controller of SDN", 《2019 IEEE 2ND INTERNATIONAL CONFERENCE ON COMPUTER AND COMMUNICATION ENGINEERING TECHNOLOGY-CCET》 *
李传煌,吴艳,钱正哲,孙正君,王伟明: "SDN下基于深度学习混合模型的DDoS攻击检测与防御", 《通信学报》 *
楼恒越、窦军: "一种针对基于OpenFlow的SDN网络中控制层面的DoS攻击研究", 《计算机科学》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant