CN112565186B - Distributed industrial control honey net flow acquisition system and method based on buffer pool - Google Patents

Publication number: CN112565186B
Authority: CN (China)
Prior art keywords: data, component, buffer pool, packet, meeting
Legal status: Active
Application number: CN202011204956.5A
Other languages: Chinese (zh)
Other versions: CN112565186A (en)
Inventors: 姚羽, 盛川, 安红娜, 李东彪, 苏文兴, 杨巍, 刘莹, 黄仓健, 林小李, 韩玮石, 李文轩
Current assignee: Northeastern University China
Original assignee: Northeastern University China
Priority and filing date: 2020-11-02 (application CN202011204956.5A, filed by Northeastern University China)
Publication of CN112565186A: 2021-03-26
Grant and publication of CN112565186B: 2022-03-08

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention belongs to the technical field of network security and relates to a buffer-pool-based distributed industrial control honeynet traffic collection system and method. The system comprises an input buffer pool, a conversion buffer pool, an output buffer pool, an input component, a parsing component, a conversion component and an output component. The system provides different operation modes for different application scenarios and purposes: it can collect and store network traffic, parse the network traffic into readable data, and convert the readable data into the required format. The method can run different input and output modes in combination and can parse and convert the captured network traffic into various formats, thereby meeting the requirements of network administrators and security defense methods.

Description

Distributed industrial control honey net flow acquisition system and method based on buffer pool
Technical Field
The invention belongs to the technical field of network security and particularly relates to a distributed industrial control honeynet traffic collection system and method based on buffer pool technology.
Background
With the rapid development of the industrial internet, ever more industrial control systems are connected to external networks, including the internet, and they face unprecedented network security threats that can circumvent traditional network defense and intrusion detection methods and cause serious damage to industrial control devices.
As an important security resource, honeynets are increasingly used in the industrial field to detect, analyze and prevent network attacks against industrial control systems. Unlike passive defenses, honeypots and honeynets deliberately attract attackers to access, exploit and even destroy them, in order to collect and analyze the attackers' patterns and tools. To cope with attacks against industrial control systems, some ICS (industrial control system) honeypots, and even large-scale or distributed honeynets, have been proposed that can effectively emulate industrial control devices and networks. Industrial control honeynets are of increasing interest because their deployment and operation are independent of the industrial scenario and have little impact on the industrial process.
Besides the customized data collection methods proposed by existing honeynets, some well-known network traffic capture and analysis tools are widely used, such as Tcpdump, WinDump and Wireshark. While these methods and tools provide rich data capture and analysis capabilities, they are difficult to use directly in other distributed honeynets. Currently, no network traffic collection framework exists that can be applied to various distributed industrial control honeynets while remaining independent of them.
Disclosure of Invention
The invention aims to provide a buffer-pool-based distributed industrial control honeynet traffic collection system and method that offer different operation modes for different application scenarios and purposes: they can collect and store network traffic, parse the network traffic into readable data, and convert the readable data into the required format.
The technical scheme of the invention is as follows:
a buffer-pool-based distributed industrial control honeynet traffic collection system comprises three data buffer pools and four components: an input buffer pool, a conversion buffer pool, an output buffer pool, an input component, a parsing component, a conversion component and an output component (as shown in FIG. 1).
Three data types, namely Packet, Packet Meeting and JSON, are used in the three data buffer pools.
A Packet stores the protocol information corresponding to the captured raw binary data according to the protocol specification. It has two states, "complete" and "incomplete". "complete" means that the data has been completely parsed; "incomplete" means that part of the data, specifically the application-layer protocol data, has not been parsed.
A Packet Meeting is a set of Packets delimited by a timeout threshold T_meeting: a Packet Meeting is considered inactive and closed when no data is received for longer than this threshold. Clearly, a Packet Meeting is determined only by T_meeting.
JSON is a lightweight data interchange format that is easy for people to read and write and easy for machines to generate and parse, which makes data storage and transmission more efficient.
The input buffer pool temporarily stores the complete and incomplete data packets parsed by the TCP/IP parser.
The input component provides two input modes: loading and capturing.
The loading mode takes a PCAP file as input. PCAP files are data files created by programs based on libpcap or WinPcap (e.g., Tcpdump, WinDump and Wireshark). PCAP has become the most popular file type for storing and analyzing network traffic, so the input component of the invention includes a load mode to provide offline data collection.
The capture mode captures the network traffic received by the target host in real time according to filter conditions, which include source host, destination host, source port, destination port, specific protocol, etc.
The parsing component parses the raw binary data from the input component and stores the result in Packets. Because the ultimate goal of the invention is cross-platform deployment, it is implemented in the Java programming language. However, no Java project currently supports parsing all popular industrial control protocols. Analysis of industrial control honeynet traffic shows that TCP/IP traffic without application-layer data accounts for most of the network traffic. Therefore, to improve parsing efficiency, the parsing component is divided into a TCP/IP parser and an application parser. The TCP/IP parser is implemented on Pcap4J and parses the transport layer and the layers below it. The application parser is based on Tshark and parses the application-layer protocols supported by the industrial control honeypot. Tshark can parse more protocols, including all those supported by Pcap4J, but Pcap4J is implemented in Java, so its data-processing efficiency is much higher than that of Tshark. The time taken by the parsing component to parse n data packets,
Figure BDA0002756692930000021
is expressed as:
Figure BDA0002756692930000031
where
Figure BDA0002756692930000032
represents the time Pcap4J takes to parse n raw binary packets, and
Figure BDA0002756692930000033
represents the time Tshark takes to parse the m incomplete packets among the n packets; the latter consists of the system call time T_E and the parsing time
Figure BDA0002756692930000034
and can be expressed as:
Figure BDA0002756692930000035
Figure BDA0002756692930000036
PCAP files, while widely used to store network traffic, are rarely used directly to analyze network characteristics and behaviour. Most researchers convert the raw binary data in a PCAP file into more abstract and readable types, such as IP flows and sessions. Converting the data has three advantages:
1) converted data generally provides more comprehensive and understandable information;
2) many intrusion detection systems take converted data as input;
3) converted data usually occupies less space than the raw binary data and is more suitable for transmission and processing.
The conversion component provides four conversion modes: raw data, packets, flows and sessions, where the flow and session modes correspond to the IP flows and sessions mentioned above. The raw data mode retains the raw input data in binary form, consistent with the data in the PCAP file. For the raw data and packet modes, the conversion component only needs to convert the data to JSON format and transfer it to the output buffer pool. In the flow and session modes, the conversion component must extract the data packets into the target type according to the specification of the corresponding mode. The conversion modes of the component can be extended as needed by adding a corresponding converter.
The output component provides two output modes: storage and transmission.
The storage mode stores the converted data locally. In this way, the framework can be used as a network traffic analyzer, like Wireshark.
The transmission mode transmits the converted data to the data center of an industrial control honeynet and involves two research concerns: first, keeping the transmitted data confidential; second, preventing data loss while transmitting the data as fast as possible. To meet these requirements, the asynchronous event-driven network application framework Netty is introduced into the component for data transmission; Netty is mainly used for rapidly developing maintainable high-performance protocol servers and clients. In the output component of the invention, Netty transfers data over TCP and uses Secure Sockets Layer (SSL) to ensure the confidentiality of the data.
Unlike the modes of the input component, the two output modes of the output component can run in parallel. In this way, the framework can further prevent data loss through a local backup. The time taken by the output component to transmit n data packets can be expressed as:
Figure BDA0002756692930000041
where T_Ti denotes the time at which the output component transmits the ith packet.
The method of the buffer-pool-based distributed industrial control honeynet traffic collection system comprises the following steps (the specific flow is shown in Fig. 2). First, when data enters the input component, the data packets in the input buffer pool form a Packet Meeting, and the system judges whether the time threshold has been met; if not, control returns to the input component, whose data is sent to the TCP/IP parser for parsing. Once the threshold is met, if any data packet is incomplete, the application parser parses all incomplete data packets into complete data packets. The Packet Meeting is then stored in the conversion buffer pool and the input buffer pool is cleared. Meanwhile, the conversion component monitors the state of the conversion buffer pool in real time. As soon as a Packet Meeting is present in the conversion buffer pool, the conversion component converts it to JSON format according to the selected conversion mode. The converted data is stored in the output buffer pool, where it is monitored by the output component and output in real time. Because the buffer pool technique decouples the components from each other, modifications and extensions to one component do not affect the others.
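As an added example (not code from the patent or the Honeyeye project), the following Python models the procedure above in a single process: packets are grouped into Packet Meetings that close on the T_meeting timeout, only incomplete packets are handed to the application parser, and each meeting passes through the conversion pool into JSON flow records in the output pool, which also illustrates the flow conversion mode described earlier. The Packet record, the sample Modbus/TCP traffic and the tiny function-code decoder standing in for the Tshark-based application parser are all constructed for this example, and a flow is defined here as the 5-tuple of source, destination, ports and protocol.

```python
# Added example, not code from the patent or the Honeyeye project: a single-
# process model of the buffer-pool pipeline (input pool -> Packet Meeting ->
# conversion pool -> JSON flows -> output pool). The Packet record, the sample
# Modbus/TCP traffic and the minimal function-code decoder are constructed here.
from collections import deque
from dataclasses import dataclass
from typing import Optional
import json


@dataclass
class Packet:
    ts: float                 # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                # transport protocol name, e.g. "TCP"
    length: int               # frame length in bytes
    payload: bytes = b""      # application-layer bytes, empty for bare TCP segments
    app: Optional[dict] = None   # filled in by the application parser

    @property
    def complete(self) -> bool:
        # "complete": no application data, or the application data is already parsed
        return not self.payload or self.app is not None


def parse_modbus(p: Packet) -> None:
    """Stand-in for the Tshark-based application parser (an assumption of this
    example): decode the function code that follows the 7-byte MBAP header."""
    if len(p.payload) >= 8:
        p.app = {"protocol": "modbus", "function_code": p.payload[7]}
    else:
        p.app = {"protocol": "unknown"}


def group_meetings(packets, t_meeting):
    """Split time-ordered packets into Packet Meetings: a meeting closes when
    no packet arrives for longer than t_meeting seconds."""
    meetings, current = [], []
    for p in packets:
        if current and p.ts - current[-1].ts > t_meeting:
            meetings.append(current)
            current = []
        current.append(p)
    if current:
        meetings.append(current)
    return meetings


def meeting_stats(meetings):
    """Largest meeting size and longest meeting duration (the statistics
    reported in embodiment one)."""
    return (max(len(m) for m in meetings),
            max(m[-1].ts - m[0].ts for m in meetings))


def to_flows(meeting):
    """Flow conversion mode: aggregate one meeting's packets by 5-tuple."""
    flows = {}
    for p in meeting:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        f = flows.setdefault(key, {"src": p.src, "dst": p.dst, "sport": p.sport,
                                   "dport": p.dport, "proto": p.proto,
                                   "packets": 0, "bytes": 0,
                                   "start": p.ts, "end": p.ts})
        f["packets"] += 1
        f["bytes"] += p.length
        f["end"] = p.ts
    return list(flows.values())


def run_pipeline(packets, t_meeting, app_parser=parse_modbus):
    """Drive the three pools in order. Each stage reads only its own pool and
    writes the next one, which is what decouples the components."""
    input_pool = deque(group_meetings(packets, t_meeting))
    conversion_pool, output_pool = deque(), deque()
    while input_pool:                       # input stage: complete the meeting
        meeting = input_pool.popleft()
        for p in meeting:
            if not p.complete:              # only incomplete packets cost an app-parser call
                app_parser(p)
        conversion_pool.append(meeting)
    while conversion_pool:                  # conversion stage: meeting -> JSON flows
        for flow in to_flows(conversion_pool.popleft()):
            output_pool.append(json.dumps(flow, sort_keys=True))
    return list(output_pool)                # what the output component would store or transmit


# Constructed sample traffic: two Modbus/TCP reads (function code 3) and one
# write (6) within half a second, then a new connection three seconds later.
MBAP = bytes.fromhex("000100000006") + b"\x01"   # transaction id, protocol id, length, unit id
SAMPLE = [
    Packet(0.00, "10.0.0.5", "10.0.0.1", 40000, 502, "TCP", 66, MBAP + b"\x03\x00\x00\x00\x0a"),
    Packet(0.20, "10.0.0.5", "10.0.0.1", 40000, 502, "TCP", 66, MBAP + b"\x03\x00\x0a\x00\x0a"),
    Packet(0.50, "10.0.0.7", "10.0.0.1", 51000, 502, "TCP", 66, MBAP + b"\x06\x00\x01\x00\xff"),
    Packet(3.00, "10.0.0.9", "10.0.0.1", 52000, 502, "TCP", 54),          # bare SYN, no payload
    Packet(3.10, "10.0.0.9", "10.0.0.1", 52000, 502, "TCP", 66, MBAP + b"\x03\x00\x00\x00\x01"),
]

if __name__ == "__main__":
    for record in run_pipeline(SAMPLE, t_meeting=1.0):
        print(record)
```

With t_meeting=1.0 the first meeting closes after the 0.5 s packet, because the next packet arrives 2.5 s later, and the output pool receives three flow records (two from the first meeting, one from the second); with t_meeting=5.0 all five packets form a single meeting. A smaller T_meeting shortens the collection delay but fragments flows, which is the trade-off measured in embodiment three.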
The beneficial effects of the invention are as follows: the buffer-pool-based distributed industrial control honeynet traffic collection system and method provided by the invention can run different input and output modes in combination and can parse and convert the captured network traffic into various formats, meeting the requirements of network administrators and security defense methods. Extensive experiments show that the system and method outperform existing tools and methods in parsing rate, conversion rate, transmission rate and other respects.
Drawings
Fig. 1 is the overall architecture diagram of the buffer-pool-based distributed industrial control honeynet traffic collection system of the invention.
Fig. 2 is the flow chart of the buffer-pool-based distributed industrial control honeynet traffic collection system.
Fig. 3(a) and (b) are the packet distribution diagrams of the two data sets in embodiment one.
Fig. 4(a) and (b) show the Packet Meeting distributions of the two data sets for different values of T_meeting in embodiment one.
Fig. 5 shows the maximum Packet Meeting duration for different values of T_meeting in embodiment one.
Fig. 6 shows the Packet Meeting parsing time for different values of T_meeting in embodiment two.
Fig. 7 plots the ratio between parsing time and the corresponding T_meeting in embodiment two.
Fig. 8 compares Honeyeye and Tshark over the two data sets in embodiment two.
Fig. 9 shows the flow-count results of the two data sets for different values of T_meeting in embodiment three.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments, but the present invention is not limited thereto.
Embodiment one: characteristics of ICS honeynet traffic
The packet distribution of the two honeynet data sets used in the invention is shown in Fig. 3. Most packets in both data sets are TCP packets, and Modbus packets account for 31% and 19% respectively. Other application-layer packets aimed at the Modbus port, such as DNP 3.0, Bitcoin and HTTP, are also detected.
Figs. 3 and 4 show some statistics of the Packet Meetings of these two data sets for different values of T_meeting. The following characteristics of the two data sets with respect to Packet Meeting were obtained:
(1) The largest Packet Meeting within 1 second contains more than 4000 packets.
(2) The size of the largest Packet Meeting increases slowly as T_meeting increases.
(3) The top 10 largest Packet Meetings indicate that when T_meeting is less than 10 s the Packet Meeting size is sensitive to T_meeting, and when T_meeting is above 10 s it is not.
(4) When T_meeting equals 1 second, the maximum duration of a Packet Meeting is more than 200 seconds.
The maximum duration increases with T_meeting, which may degrade the real-time performance of the framework.
Embodiment two: parsing rate
This embodiment compares the parsing rate of the Honeyeye framework with that of Tshark in capture mode and in load mode respectively. The parsing rate of Tshark was evaluated for different numbers of packets and is expressed by the following definitions.
Figure BDA0002756692930000061
TABLE 1 Tshark parsing results for different numbers of packets
Figure BDA0002756692930000062
As shown in Table 1, the maximum system call time is 269 ms, far exceeding the maximum parsing time of 0.5 ms for a single packet. Clearly, the fewer times Tshark is invoked, the less total parsing time is spent. In the worst case Tshark is invoked once per packet, so it can parse only 3.7 packets per second, much slower than the capture rate. Tshark is therefore not suitable for real-time parsing of network traffic in this framework, which is one of the reasons for using Packet Meeting and caching techniques in the invention.
In capture mode, the parsing component must parse all packets of a Packet Meeting within T_meeting so as not to affect the parsing of the subsequent Packet Meeting; the shorter the parsing time, the shorter the delay in collecting Packet Meetings. Based on the characteristics of ICS honeynet traffic, the 5 largest Packet Meetings of the two data sets at T_meeting of 1 second, 2 seconds and 5 seconds are chosen to analyse the effectiveness of the parsing component. FIG. 5 shows that the parsing component can parse all 30 Packet Meetings within the corresponding T_meeting. Analysing the parsing time and the corresponding T_meeting in FIG. 6 shows that as the Packet Meeting size decreases and T_meeting increases, the ratio of parsing time to T_meeting tends to decrease. The parsing component of this embodiment is therefore an effective tool for parsing network traffic in near real time.
This embodiment also compares the effectiveness of the parsing component with Tshark in load mode by parsing the two data sets. Honeyeye and Tshark take the two data sets as input, and the parsing times are shown in FIG. 6. The Honeyeye framework of the invention clearly performs better than Tshark, especially when there are few application-layer packets.
Embodiment three: conversion rate
This embodiment studies the conversion rate of the captured raw binary data, in terms of both the number of items and the byte size, using IP flows. The two data sets are converted into different sets of flows according to different values of T_meeting. As shown in FIG. 8, in the most extreme case the CHN data set is divided into 14535 flows at T_meeting = 1 second, far fewer than the 111944 packets, and the number of flows decreases as T_meeting increases. Furthermore, when T_meeting is above 100 seconds the number of flows remains nearly constant according to the logarithmic trend line. The above results apply equally to the US data set. By the definition of IP flows, the larger T_meeting, the more information each flow contains and the fewer flows there are; however, the larger T_meeting, the larger the collection delay. FIG. 8 shows that T_meeting = 100 seconds may be the best choice to balance these requirements. Since the byte size of an IP flow is determined by the number and type of its features, no uniform conclusion can be drawn about byte size.
Embodiment four: transmission rate
This embodiment uses the largest Packet Meetings of the two data sets at T_meeting of 1 second, 2 seconds and 5 seconds to estimate the transmission rate of the transmission component on a local area network. Table 2 shows that in the worst case the transmission component takes up to 4.233 seconds to transmit all the raw binary data in the largest Packet Meeting without packet loss. The component transmits 1356.4 items of data per second on average, and only 0.737 milliseconds are needed to transmit one item. According to
Figure BDA0002756692930000071
and
Figure BDA0002756692930000072
when T_meeting is more than 5 seconds, the Honeyeye framework of the invention can meet the near-real-time requirement. For other data types, such as IP flows, the conversion rate is typically less than 1, which means that less data needs to be transmitted. The transmission component of this embodiment is therefore effective in transmitting data in near real time in most cases.

Claims (4)

1. A distributed industrial control honeynet traffic collection system based on buffer pools, characterized in that the system comprises three data buffer pools and four components: an input buffer pool, a conversion buffer pool, an output buffer pool, an input component, a parsing component, a conversion component and an output component;
three data types, namely Packet, Packet Meeting and JSON, are used in the three data buffer pools;
a Packet is used to store the protocol information corresponding to captured raw binary data according to a protocol specification, and has two states, "complete" and "incomplete"; "complete" means that the data has been completely parsed; "incomplete" means that part of the data has not been parsed;
a Packet Meeting is a set of Packets delimited by a timeout threshold T_meeting; a Packet Meeting is considered inactive and closed when no data is received for longer than this threshold;
JSON is a lightweight data exchange format;
the input buffer pool is used for temporarily storing complete and incomplete data packets parsed by the TCP/IP parser;
the input component provides two input modes, loading and capturing; the loading mode takes a PCAP file as input; the PCAP file is a data file created using libpcap or a WinPcap-based program; the capture mode is responsible for capturing the network traffic received by the target host in real time according to screening conditions;
the parsing component is divided into a TCP/IP parser and an application parser; the TCP/IP parser is implemented on the basis of Pcap4J and parses the protocols of the transport layer and the layers below; the application parser is based on Tshark and parses the application-layer protocols supported by the industrial control honeypot; the time taken by the parsing component to parse n data packets,
Figure FDA0003239375840000011
is expressed as:
Figure FDA0003239375840000012
where
Figure FDA0003239375840000013
represents the time Pcap4J takes to parse n raw binary packets, and
Figure FDA0003239375840000014
represents the time Tshark takes to parse the m incomplete packets among the n packets, which consists of the system call time T_E and the parsing time
Figure FDA0003239375840000015
expressed as:
Figure FDA0003239375840000016
Figure FDA0003239375840000017
the conversion component comprises four conversion modes: raw data, packets, flows and sessions; in the flow and session modes the conversion component extracts the data packets into the target type according to the specification of the corresponding mode; the raw data mode keeps the raw input data in binary form, consistent with the data in the PCAP file; for the raw data and packet modes, the conversion component only needs to convert the data into JSON format and transfer it to the output buffer pool;
the output component provides two output modes, storage and transmission; the storage mode stores the converted data locally, so that the framework acts as a network traffic analyzer; the transmission mode transmits the converted data to the data center of an industrial control honeynet, for which the asynchronous event-driven network application framework Netty is introduced into the component; Netty is used for rapidly developing maintainable high-performance protocol servers and clients;
the two output modes of the output component can run in parallel; the framework further prevents data loss through a local backup; the time taken by the output component to transmit n data packets can be expressed as:
Figure FDA0003239375840000021
where
Figure FDA0003239375840000022
denotes the time at which the output component transmits the ith packet.
2. The buffer-pool-based distributed industrial control honeynet traffic collection system of claim 1, characterized in that the screening conditions of the capture mode in the input component comprise source host, destination host, source port, destination port and specific protocol.
3. The buffer-pool-based distributed industrial control honeynet traffic collection system of claim 1, characterized in that, in the output component, Netty transmits data over TCP and uses Secure Sockets Layer technology to ensure data confidentiality.
4. A method of using the buffer-pool-based distributed industrial control honeynet traffic collection system according to any one of claims 1-3, characterized in that, first, when data enters the input component, the data packets in the input buffer pool form a Packet Meeting, and the system judges whether the Packet Meeting meets the time threshold; if not, it is returned to the input component and sent to the TCP/IP parser for parsing; if a data packet is incomplete, the application parser parses all incomplete data packets into complete data packets;
then the Packet Meeting is stored in the conversion buffer pool and the input buffer pool is cleared; meanwhile, the conversion component monitors the state of the conversion buffer pool in real time; once a Packet Meeting appears in the conversion buffer pool, the conversion component converts it into JSON format according to a specific conversion mode; the converted data is stored in the output buffer pool, where it is monitored by the output component and output in real time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011204956.5A CN112565186B (en) 2020-11-02 2020-11-02 Distributed industrial control honey net flow acquisition system and method based on buffer pool

Publications (2)

Publication Number Publication Date
CN112565186A CN112565186A (en) 2021-03-26
CN112565186B true CN112565186B (en) 2022-03-08

Family

ID=75042533

Country Status (1)

Country Link
CN (1) CN112565186B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103051615A (en) * 2012-12-14 2013-04-17 陈晶 Dynamic defense system capable of resisting large flow attack in honey farm system
CN109218327A (en) * 2018-10-15 2019-01-15 西安电子科技大学 Initiative type safeguard technology based on cloud container

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10248673B2 (en) * 2016-03-23 2019-04-02 International Business Machines Corporation Allocating free space in a database

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《基于虚拟蜜网的入侵检测系统的研究》 (Research on an intrusion detection system based on a virtual honeynet); 崇劼人; Wanfang Data (万方数据库); 2012-11-08; full text *

Similar Documents

Publication Publication Date Title
Lima Filho et al. Smart detection: an online approach for DoS/DDoS attack detection using machine learning
US7623466B2 (en) Symmetric connection detection
EP2974144B1 (en) System and method for extracting and preserving metadata for analyzing network communications
US8065722B2 (en) Semantically-aware network intrusion signature generator
US8848528B1 (en) Network data flow collection and processing
US8149705B2 (en) Packet communications unit
CN107018084B (en) DDOS attack defense network security method based on SDN framework
US8806189B2 (en) Apparatus for analyzing traffic
Inacio et al. YAF: Yet another flowmeter
US20140086102A1 (en) Intelligent feedback loop to iteratively reduce incoming network data for analysis
KR101602189B1 (en) traffic analysis and network monitoring system by packet capturing of 10-giga bit data
CN110958231A (en) Industrial control safety event monitoring platform and method based on Internet
Kaushik et al. Network forensic system for ICMP attacks
CN112565186B (en) Distributed industrial control honey net flow acquisition system and method based on buffer pool
Campbell et al. Intrusion detection at 100G
KR101615587B1 (en) System for implementing Deep Packet Inspection Simulation for detecting and analyzing cyber attack in electronic warfare and Method thereof
CN109936557A (en) A kind of method and system based in ForCES framework using sFlow defending DDoS (Distributed Denial of Service) attacks
Ghosh et al. A Multi-Stage Detection Technique for DNS-Tunneled Botnets.
Sheng et al. Honeyeye: A network traffic collection framework for distributed ICS honeynets
Cui et al. LNAD: Towards Lightweight Network Anomaly Detection in Software-Defined Networking
Ahad et al. DPIDNS: A Deep Packet Inspection Based IPS for Security Of P4 Network Data Plane
Muraleedharan et al. A flow-based anomaly detection system for slow DDoS attack on HTTP
Nie Attack Fingerprints based on the Activity and Event Network (AEN) Model
CN113507395B (en) State tracking device for network data flow
Zheng et al. Research on distributed high speed network intrusion prevention system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
Application publication date: 2021-03-26
Assignee: Liaoning Hesheng Yida Technology Co.,Ltd.
Assignor: Northeastern University
Contract record no.: X2023210000208
Denomination of invention: A Distributed Industrial Control Honeynet Traffic Collection System and Method Based on Buffer Pools
Granted publication date: 2022-03-08
License type: Common License
Record date: 2023-11-27