CN113938458A - Multi-attribute self-adjusting network transformation system and method based on SDN - Google Patents
Multi-attribute self-adjusting network transformation system and method based on SDN
- Publication number: CN113938458A (application CN202111176670.5A)
- Authority: CN (China)
- Prior art keywords: address, scanning, strategy, data, module
- Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L61/2503—Translation of Internet protocol [IP] addresses (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L61/00—Network arrangements, protocols or services for addressing or naming; H04L61/09—Mapping addresses; H04L61/25—Mapping addresses of the same type)
- H04L61/255—Maintenance or indexing of mapping tables
- H04L61/2557—Translation policies or rules
- H04L63/1416—Event detection, e.g. attack signature detection (H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—for detecting or protecting against malicious traffic; H04L63/1408—by monitoring network traffic)
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention discloses an SDN-based multi-attribute self-adjusting network transformation system and method. The method collects request data messages and calculates the distribution probability of the source IP addresses and destination IP addresses of the request messages; compares the distribution similarity of the source and destination IP addresses in adjacent time intervals and determines the scanning attack target and scanning strategy; generates different IP address conversion strategies according to the scanning strategy; and executes the IP address conversion strategy to complete the active migration of IP addresses and port numbers. A hopping strategy is triggered on the basis of threat perception, which improves the targeting of network hopping strategy selection, and moderate protection of end nodes is achieved by adaptively adjusting the hopping end information and the hopping period.
Description
Technical Field
The invention belongs to the field of network security, and particularly relates to a network transformation system and method based on an SDN.
Background
With attacks becoming increasingly intelligent and automated, an attacker spends 95% of the time collecting target network information and planning attack methods. Network scanning, as the precursor technique and initial stage of many attack methods, therefore plays an irreplaceable role in the effective implementation of a network attack. Network scanning is a detection means that obtains node information in a target network by sending probe messages to nodes within a selected range. The content of a scan includes both Internet Protocol (IP) address scanning and port scanning. 1) IP address scanning: the attacker detects the reachability and IP addresses of end nodes in an unknown network by sending ICMP echo request messages. 2) Port scanning: once the attacker has locked onto the IP address of an active end node, the open ports of the target node are probed through TCP and UDP scans. For TCP, full TCP scanning is mainly used, i.e. a complete TCP connection is established with the target node through the three-way handshake to determine whether a port is open; alternatively, forged TCP segments such as SYN, FIN, Xmas and NULL messages are used to detect whether the destination port is open. UDP scanning mainly relies on ICMP messages.
Network scanning can be described by two attributes, scanning width and scanning frequency, and different scanning strategies are adopted according to the structural characteristics of the network and the knowledge already acquired, so as to improve the effectiveness of the scan. According to scanning width and scanning frequency, scanning can be divided into two strategies, blind scanning and non-blind scanning. (1) Blind scanning strategy: blind scanning is a strategy in which the attacker uniformly scans end information over the entire node space to detect active end nodes. Because the existing network architecture is deterministic and static, an attacker can improve the detection rate by adopting a blind scanning strategy that achieves non-repeated uniform scanning. (2) Non-blind scanning strategy: in non-blind scanning, the attacker performs repeated non-uniform scanning of the node space within a selected range to detect active end nodes. Since the distribution of end nodes is known to the attacker, repeated non-uniform scanning through non-blind scanning improves the success rate of the scan.
SDNA converts actual IP addresses into virtual IP addresses by deploying a super management node in each subnet, thereby achieving virtual hopping of end nodes and preventing external attackers from scanning internal network nodes. OF-RHM is an OpenFlow-based IP conversion mechanism that achieves end address hopping by converting the actual IP into a virtual IP for each session; it selects the IP address to hop to by average probability or by weight, subject to constraints on IP selection given by a formal description. MacFarland et al. propose an SDN-based end information obfuscation mechanism in which the SDN controller derives a synthetic IP (sIP) from the real IP and MAC address of an end node at each connection establishment, thereby preventing the end node's real address from being revealed. Qiang et al. propose an OpenFlow-based redirection and hopping method that distinguishes trusted normal users from suspicious users by adding an additional exchange agent, and on this basis defends against DDoS attacks through dynamic migration of the exchange agent. Debroy et al. propose an SDN-based low-frequency hopping method that uses virtual machines as hidden exchange agents for dynamic migration and determines the hopping period by analyzing the security situation of the target network, thereby reducing the hopping cost. Wang et al. propose a malicious detection defense method based on sniffing reflectors; it constructs a shadow network on the SDN and confuses the attacker by feeding back randomly generated target network information, thereby resisting malicious scanning attacks. Jafarian et al. propose a spatio-temporal hybrid Random Host Mutation (ST-RHM) mechanism that adds time-domain random mutation to address-space hopping on the SDN architecture, defending against cooperative scanning through two-dimensional hopping in time and space.
The above prior art has the following problems:
1) For different scanning and sniffing methods, a single transformation can hardly guarantee the effectiveness of the defense: because network scanning divides into blind and non-blind scanning, a single transformation mode can hardly satisfy both the effectiveness and the economy of defense. In particular, as network scanning strategies become increasingly versatile and targeted, a "blind random" hopping strategy greatly reduces the effectiveness of the defense against non-blind scanning attacks. How to select the hopping strategy specifically for different scanning strategies therefore becomes a precondition for ensuring that hopping is effective.
2) Because of the limited hopping space and the fixed hopping period, the effectiveness of hopping defense is poor: the limited dimension and value range of the selectable attack surface in network hopping reduce the unpredictability of hopping; meanwhile, a follow-up scanning strategy can track end information by changing the scanning frequency, so the timeliness of hopping is poor.
Disclosure of Invention
In view of this, the present invention provides a system and a method for multi-attribute self-adjusting network transformation based on SDN, and aims to improve unpredictability and timeliness of network hopping.
To solve the above technical problems, the present invention provides an SDN-based multi-attribute self-adjusting network transformation system comprising: a detection agent, which collects request data messages and calculates the distribution probability of the source IP addresses and destination IP addresses of the request messages; a controller, comprising a detection analysis module and a conversion strategy generation module, where the detection analysis module compares the distribution similarity of the source and destination IP addresses in adjacent time intervals and determines the scanning attack target and scanning strategy, and the conversion strategy generation module generates different IP address conversion strategies according to the scanning strategy; and a jump proxy, which executes the IP address conversion strategy to complete the active migration of IP addresses and port numbers.
As an improvement, the detection agent comprises an acquisition and data statistics module, a cache queue and time window maintenance module, a scanning distribution calculation module and a suspicious data reporting module; the acquisition and data statistics module acquires request messages and generates flow statistics for each time interval t; the cache queue and time window maintenance module maintains a local cache queue that stores the statistical data and implements the time sliding window mechanism; the scanning distribution calculation module calculates the probability distribution of the source IP addresses and destination IP addresses in the request data packets; and the suspicious data reporting module sends the calculated address probability statistics to the controller detection analysis module;
the jump proxy comprises an IP address mapping module and a data packet modification module; the IP address mapping module receives the conversion strategy generated by the controller conversion strategy generation module, calculates the converted virtual IP addresses and constructs a mapping list between virtual IP addresses and actual IP addresses; the data packet modification module intercepts the data messages sent within the subnet and modifies their header information.
The invention also provides an SDN-based multi-attribute self-adjusting network transformation method comprising the following steps: collecting request data messages and calculating the distribution probability of their source IP addresses and destination IP addresses; comparing the distribution similarity of the source and destination IP addresses in adjacent time intervals and determining the scanning attack target and scanning strategy; generating different IP address conversion strategies according to the scanning strategy; and executing the IP address conversion strategy to complete the active migration of IP addresses and port numbers.
As a further improvement, collecting the request data messages and calculating the distribution probability of their source IP addresses and destination IP addresses includes: the detection agent initializes a local cache queue, sets a sliding window and reports confirmation information to the controller detection analysis module; after receiving the confirmation information, the controller detection analysis module enters the monitoring stage and issues a time message and sampling configuration parameters to the detection agent; after receiving the time message and sampling configuration parameters, the detection agent completes time synchronization, starts the timing mechanism and collects request data packets in the subnet according to the configuration parameters; the detection agent analyzes the collected request data packets, calculates the distribution of source IP addresses, destination IP addresses and port numbers in each time interval from the statistical data in the sliding window, and reports the sampling distribution to the controller detection analysis module.
As another further improvement, the detection agent analyzes the collected request data packets by counting the source IP addresses, destination IP addresses and destination port numbers of the request data packets received in each subnet over consecutive time intervals, allocates new queue space to store the statistical data, and appends the statistical data to the tail of the local cache queue; the statistical data of different subnets for the same time period are stored in one queue node.
As an improvement, comparing the distribution similarity of the source and destination IP addresses in adjacent time intervals, determining the scanning attack target and scanning strategy, and generating the IP address conversion strategy according to the scanning strategy includes: the controller detection analysis module receives the sampling distribution statistics and stores them in the local data cache space; the controller detection analysis module calculates the Sibson entropy of adjacent time intervals for the same IP address and port number in the sampled data to judge the malicious scanning attack strategy; the controller detection analysis module deletes the reported information from the data cache and generates a scanning attack alert carrying attack information that includes the attack target and the attack strategy; and the controller detection analysis module sends the attack information to the controller conversion strategy generation module.
As an improvement, the controller detection analysis module calculating the Sibson entropy of adjacent time intervals for the same IP address and port number in the sampled data to judge the malicious scanning attack strategy includes: if, in two adjacent time intervals, the Sibson entropy of the source IP address distribution in a subnet is smaller than the threshold, the attacker is judged to adopt a blind scanning strategy and the relevant information of the scanning attack strategy is stored in the attack information cache space; and if, in two adjacent time intervals, the Sibson entropy of the destination IP address distribution in a subnet is smaller than the threshold, the attacker is judged to adopt a non-blind scanning strategy and the relevant information of the scanning attack strategy is stored in the attack information cache space.
As an improvement, the method for calculating Sibson entropy of adjacent time intervals of the same IP address and port number in the sample data comprises: setting a sliding window, wherein the period of the sliding window is greater than the end node information hopping period and less than the low-frequency time domain hopping period; calculating the average scanning frequency detected in the sliding window and the average standard deviation of the maximum value and the minimum value of the scanning frequency under the condition that only normal user scanning behaviors exist, analyzing whether the scanning frequency in the subnet exceeds a normal threshold value or not, and if the scanning frequency exceeds the threshold value, judging that abnormal scanning behaviors exist; judging a target node which is maliciously scanned; and counting the probability distribution of the request failure message by utilizing the Sibson entropy to judge the scanning strategy.
As an improvement, when an attacker implements attack by adopting a blind scanning strategy, an IP address conversion strategy based on a weight value is generated; and when the attacker implements the attack by adopting a non-blind scanning strategy, generating a reverse IP address conversion strategy based on the weight value.
As an improvement, executing the IP address conversion strategy to complete the active migration of IP addresses and port numbers comprises: the jump proxy receives the address conversion strategy, calculates the converted IP addresses in each subnet and establishes a mapping list between virtual IP addresses and real IP addresses; the jump proxy receives the data packets sent from real IP addresses in the subnet and intercepts the data messages; and the jump proxy replaces the source IP address in each intercepted data message according to the mapping list and forwards it.
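The jump proxy behaviour described in the two preceding claims, as an added example that is not the patent's own code: a weight-based selection of virtual addresses, its reverse variant, the virtual-to-real mapping list, and header rewriting of intercepted packets. It assumes that the controller hands over one positive weight per candidate virtual address, that the "reverse weight-based" strategy inverts those weights (an assumed reading of the claim), that packets are dicts with `src`/`dst` keys, and that only IP addresses (not port numbers) are migrated; the pool, hosts and weights below are constructed.

```python
import random


def selection_probabilities(weights, reverse=False):
    """Normalised selection probability of each candidate virtual address.

    reverse=True inverts the weights (w -> 1/w), so the addresses favoured by
    the direct strategy become the least likely choices; this inversion is an
    assumption about the patent's 'reverse weight-based' strategy.
    """
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    eff = {a: (1.0 / w if reverse else float(w)) for a, w in weights.items()}
    total = sum(eff.values())
    return {a: v / total for a, v in eff.items()}


class JumpProxy:
    """Jump proxy of one subnet: keeps the virtual<->real mapping list."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)      # seed only for a reproducible demo
        self.real_to_virtual = {}
        self.virtual_to_real = {}

    def apply_strategy(self, real_hosts, weights, reverse=False):
        """Build the mapping list: every real host gets a distinct virtual
        address drawn without replacement by the (possibly reversed) weights."""
        if len(real_hosts) > len(weights):
            raise ValueError("not enough virtual addresses for the hosts")
        probs = selection_probabilities(weights, reverse)
        candidates = list(probs)
        mapping = {}
        for real in real_hosts:
            chosen = self.rng.choices(candidates,
                                      weights=[probs[c] for c in candidates], k=1)[0]
            candidates.remove(chosen)        # no two hosts share a virtual address
            mapping[real] = chosen
        self.real_to_virtual = mapping
        self.virtual_to_real = {v: r for r, v in mapping.items()}
        return mapping

    def rewrite_outbound(self, packet):
        """Packet leaving the subnet: real source address -> virtual address."""
        pkt = dict(packet)
        pkt["src"] = self.real_to_virtual.get(packet["src"], packet["src"])
        return pkt

    def rewrite_inbound(self, packet):
        """Packet entering the subnet (assumed reverse path): virtual
        destination -> real address. A packet for an unmapped virtual address
        is dropped (None), which is all a probe of a stale address gets."""
        real = self.virtual_to_real.get(packet["dst"])
        if real is None:
            return None
        pkt = dict(packet)
        pkt["dst"] = real
        return pkt


def demo():
    """Constructed example: three protected hosts, six candidate virtual
    addresses and controller-supplied weights; non-blind scanning was flagged,
    so the reverse strategy is applied."""
    weights = {f"10.0.1.{i}": w for i, w in zip(range(1, 7), (8, 1, 1, 4, 1, 1))}
    hosts = ["192.168.0.10", "192.168.0.11", "192.168.0.12"]
    proxy = JumpProxy(seed=7)
    mapping = proxy.apply_strategy(hosts, weights, reverse=True)
    out = proxy.rewrite_outbound({"src": hosts[0], "dst": "203.0.113.5", "dport": 443})
    back = proxy.rewrite_inbound({"src": "203.0.113.5", "dst": out["src"], "dport": 443})
    return mapping, out, back


if __name__ == "__main__":
    print(demo())
```

Weighted draws without replacement keep the mapping a bijection, so a reply to a virtual address can be routed back unambiguously, and anything addressed to a virtual address that is no longer mapped is silently discarded rather than leaking the real host.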
The invention has the advantages that:
(1) A hopping strategy is triggered based on threat perception, improving the targeting of network hopping strategy selection.
Aiming at the problem that hopping strategy selection is blind, a threat perception mechanism based on Sibson entropy is designed on the basis of a constructed security threat model. For the characteristics of the blind, semi-blind and follow-up scanning strategies, hypothesis testing is used for analysis and judgment, which guides the selection of the next hopping strategy.
(2) Moderate protection of end nodes is achieved by adaptively adjusting the hopping end information and the hopping period.
Aiming at the problem of limited network hopping space, the transformation frequency is used as an additional variable, so the unpredictability of the transformation is increased in both the time and space dimensions. Meanwhile, the timeliness and targeting of stretching the hopping period are guaranteed by the Sibson entropy result, so the defense benefit is maximized.
Drawings
Fig. 1 is a schematic view of the topology of the present invention.
Fig. 2 is a schematic diagram of the present invention.
Fig. 3 is a flow chart of the present invention.
Detailed Description
In order that those skilled in the art will better understand the technical solutions of the present invention, the present invention will be further described in detail with reference to the following embodiments.
As shown in fig. 1 and fig. 2, the present invention provides a multi-attribute self-adjusting network transformation system based on SDN, specifically including:
The detection agent collects request data messages and calculates the distribution probability of the source IP addresses and destination IP addresses of the request messages.
The controller comprises a detection analysis module, a conversion strategy generation module and a cache space maintenance module; the detection analysis module is used for comparing the distribution similarity of the source IP address and the destination IP address in adjacent time intervals and determining a scanning attack target and a scanning strategy; the conversion strategy generation module is used for generating different IP address conversion strategies according to different scanning strategies; the cache space maintenance module is used for storing the reported collected data and the attack flow information.
The jump proxy executes the IP address conversion strategy to complete the active migration of IP addresses and port numbers.
Specifically, the detection agent comprises an acquisition and data statistics module, a buffer queue and time window maintenance module, a scanning distribution calculation module and a suspicious data reporting module; the acquisition and data statistics module is used for acquiring request messages and generating flow statistics data in a time interval t; the cache queue and time window maintenance module is used for maintaining a local cache queue, storing statistical data and realizing a time sliding window mechanism; the scanning distribution calculation module is used for calculating the probability distribution of the source IP address and the destination IP address in the request data packet; and the suspicious data reporting module is used for sending the calculated address probability statistical data to the controller detection and analysis module.
The jump proxy comprises an IP address mapping module and a data packet modifying module; the IP address mapping module is used for receiving the conversion strategy generated by the controller conversion strategy generating module, calculating a converted virtual IP address and constructing a virtual IP address and actual IP address mapping list; the data packet modification module is used for intercepting the data message sent in the subnet and modifying the header information of the data message.
As shown in fig. 3, the present invention further provides a multi-attribute self-adjusting network transformation method based on SDN, which specifically includes the following steps:
S1, collecting request data messages and calculating the distribution probability of their source IP addresses and destination IP addresses;
S2, comparing the distribution similarity of the source and destination IP addresses in adjacent time intervals, and determining the scanning attack target and scanning strategy;
S3, generating different IP address conversion strategies according to the scanning strategy: when the attacker adopts a blind scanning strategy, a weight-based IP address conversion strategy is generated and sent to the jump proxy; when the attacker adopts a non-blind scanning strategy, a reverse weight-based IP address conversion strategy is generated and sent to the jump proxy;
S4, executing the IP address conversion strategy to complete the active migration of IP addresses and port numbers.
Wherein, step S1 includes the following steps:
S11, a detection agent is established in each subnet of the SDN network; the detection agent initializes the local cache queue, sets the sliding window and reports confirmation information to the controller detection analysis module;
S12, after receiving the confirmation information, the controller detection analysis module enters the monitoring stage and sends a time message and sampling configuration parameters to the detection agent;
S13, after receiving the time message and sampling configuration parameters, the detection agent completes time synchronization, starts the timing mechanism and collects request data packets in the subnet according to the configuration parameters;
S14, the detection agent analyzes the collected request data packets, counting the source IP addresses, destination IP addresses and destination port numbers of the request data packets received in each subnet over consecutive time intervals, allocates new queue space to store the statistical data, and appends the statistical data to the tail of the local cache queue; the statistical data of different subnets for the same time period are stored in one queue node.
S15, the detection agent calculates the distribution of source IP addresses, destination IP addresses and port numbers in each time interval from the statistical data in the sliding window, and reports the sampling distribution to the controller detection analysis module.
Before executing step S11, it is necessary to allocate a data buffer space and a scan attack information buffer space for the controller detection module, start the timing mechanism, and enter the waiting phase.
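The detection agent of steps S11 to S15, as an added example that is not the patent's own code. It assumes that request messages arrive as dicts with a timestamp, source IP, destination IP and destination port (the page does not fix a message format), that the local cache queue is a fixed-length deque whose length is the sliding window, and that the sample traffic below is constructed rather than captured.

```python
from collections import Counter, deque


def distribution(counter):
    """Probability distribution {key: p} from a Counter of occurrences."""
    total = sum(counter.values())
    return {key: count / total for key, count in counter.items()} if total else {}


class DetectionAgent:
    """Per-subnet detection agent (steps S11-S15).

    Request messages are bucketed into time intervals of `interval` seconds.
    When an interval closes, its source-IP, destination-IP and destination-port
    counters are appended to the tail of a local cache queue; the fixed queue
    length is the sliding window (assumed representation, the patent fixes no
    data structure).
    """

    def __init__(self, interval, window):
        self.interval = float(interval)
        self.queue = deque(maxlen=window)   # local cache queue = sliding window
        self.current_idx = None             # index of the interval being filled
        self.current = None                 # its counters

    @staticmethod
    def _fresh():
        return {"src": Counter(), "dst": Counter(), "dport": Counter()}

    def collect(self, request):
        """Record one request message: {'ts': seconds, 'src', 'dst', 'dport'}."""
        idx = int(request["ts"] // self.interval)
        if self.current_idx is None:
            self.current_idx, self.current = idx, self._fresh()
        if idx < self.current_idx:
            raise ValueError("request messages must arrive in time order")
        while idx > self.current_idx:        # close every elapsed interval
            self.close_interval()
        self.current["src"][request["src"]] += 1
        self.current["dst"][request["dst"]] += 1
        self.current["dport"][request["dport"]] += 1

    def close_interval(self):
        """Append the finished interval's statistics to the queue tail."""
        if self.current_idx is None:
            return
        self.queue.append((self.current_idx, self.current))
        self.current_idx += 1
        self.current = self._fresh()

    def sampling_distributions(self):
        """Per-interval address and port distributions, i.e. what the agent
        reports to the controller detection analysis module."""
        return [(idx, {name: distribution(cnt) for name, cnt in stats.items()})
                for idx, stats in self.queue]


def demo_report():
    """Constructed sample traffic: two intervals of ordinary requests, then one
    interval in which a single source sweeps eight hosts on port 22; returns
    the agent's report for a three-interval window."""
    agent = DetectionAgent(interval=10, window=3)
    normal = [("10.0.0.5", "10.0.1.20", 443), ("10.0.0.7", "10.0.1.21", 80),
              ("10.0.0.5", "10.0.1.20", 443), ("10.0.0.9", "10.0.1.22", 53)]
    for base in (0, 10):                     # intervals 0 and 1
        for k, (src, dst, dport) in enumerate(normal):
            agent.collect({"ts": base + k + 1, "src": src, "dst": dst, "dport": dport})
    for k in range(8):                       # interval 2: the sweep
        agent.collect({"ts": 21 + k, "src": "10.0.0.99",
                       "dst": f"10.0.1.{k + 1}", "dport": 22})
    agent.close_interval()                   # flush the last interval
    return agent.sampling_distributions()


if __name__ == "__main__":
    for idx, dists in demo_report():
        print(idx, dists["src"], dists["dport"])
```

In the swept interval the source distribution collapses onto one address and the destination distribution is flat over the probed hosts, which is exactly the shape the controller's adjacent-interval comparison is later asked to notice.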
Step S2 includes the following steps:
S21, the controller detection analysis module receives the sampling distribution statistics and stores them in the local data cache space;
S22, the controller detection analysis module calculates the Sibson entropy of adjacent time intervals for the same IP address and port number in the sampled data to judge the malicious scanning attack strategy; if, in two adjacent time intervals, the Sibson entropy of the source IP address distribution in a subnet is smaller than the threshold, the attacker is judged to adopt a blind scanning strategy and the relevant information of the scanning attack strategy is stored in the attack information cache space; and if, in two adjacent time intervals, the Sibson entropy of the destination IP address distribution in a subnet is smaller than the threshold, the attacker is judged to adopt a non-blind scanning strategy and the relevant information of the scanning attack strategy is stored in the attack information cache space.
S23, the controller detection analysis module deletes the reported information from the data cache and generates a scanning attack alert carrying attack information that includes the attack target and the attack strategy;
S24, the controller detection analysis module sends the attack information to the controller conversion strategy generation module.
In order to improve the pertinence of jump defense, a malicious scanning target is determined by counting detection messages, different scanning strategies are sensed by analyzing behavior characteristics of the different scanning strategies through hypothesis and verification based on Sibson entropy, and then the generation of the jump strategy in the next step is guided.
The method for calculating the Sibson entropy of adjacent time intervals for the same IP address and port number in the sampled data in step S22 includes:
S221, a sliding window is set whose period is larger than the end node information hopping period and smaller than the low-frequency time domain hopping period;
S222, the average scanning frequency detected in the sliding window when only normal user scanning behavior is present, and the mean standard deviation of the maximum and minimum values of the scanning frequency, are calculated; whether the scanning frequency in the subnet exceeds the normal threshold is analyzed, and if it does, abnormal scanning behavior is determined to exist;
Whether malicious scanning behavior exists is judged by analyzing the scanning frequency within the detection time window. Because only the detection behavior of normal users exists in the detection time window, the scanning frequency interval of normal users can be obtained, as shown in formulas (1) and (2):
The average scanning frequency detected under normal user scanning behavior is calculated as shown in formula (1), together with the mean standard deviation of the maximum and minimum values of the scanning frequency, and it is analyzed whether the scanning frequency within the k subnets exceeds the normal threshold. If the threshold is exceeded, abnormal scanning behavior is indicated.
S223, judging the target node that is maliciously scanned. Formula (2) is used to judge the maliciously scanned target node: it calculates the average scanning frequency of each destination node under normal user scanning behavior only, and judges the potential target nodes among the l protected nodes.
S224, the probability distribution of the request failure message is counted by utilizing the Sibson entropy to judge the scanning strategy.
Assuming that the total number of request-failure messages in the t-th end node information hopping period is $N_{fail}$, the number of request-failure messages in the i-th divided block of the node space can be expressed as
The strategy sensing method based on Sibson entropy first calculates, by formula (3), the probability distribution $P_i^{Src}(\pi)$ of the source addresses and the probability distribution $P_i^{Dst}(\pi)$ of the destination addresses of the request-failure messages in each end node information hopping period, where $j \in \{Src, Dst\}$ and $\pi \in \{hEI\}$. As shown in formula (4), by calculating the Sibson entropy of the source address probability distributions of the request-failure messages of the i-th hopping end node in two adjacent low-frequency time-domain hopping periods, the source address distribution of each end node scanned in adjacent low-frequency time-domain hopping periods is analyzed to determine whether follow-up scanning exists. Adjacent low-frequency time-domain hopping periods are chosen because, for each end node, the Sibson entropy of $P_i^{Src}(\pi)$ over adjacent low-frequency time-domain hopping periods, compared with the Sibson entropy of $P_i^{Src}(\pi)$ over adjacent TEHPs, effectively avoids misjudgment caused by network interference and therefore has higher accuracy. On this basis, the follow-up scanning strategy is judged by comparison with a set confidence interval. Wherein
If no follow-up scanning exists, whether blind scanning exists is judged by analyzing the distribution of the destination addresses of the end nodes scanned in the end node information hopping period. Formula (5) uses Chauvenet's criterion to eliminate the abnormal high-frequency hopping address block $m_H$. Because the attacker adopts a blind scanning strategy, the average scanning frequency of each divided node space in each node information hopping period is, ideally, $N_{fail}/(m_B m_L)$. However, since an attacker cannot always complete a random scan of the whole network address space within one end node information hopping period, the Sibson entropy between the destination address probability distribution of the request-failure messages and $N_{fail}/(m_B m_L)$, if calculated directly, would be larger. Formula (6) therefore, on the basis of formula (5), calculates the Sibson entropy between the destination address probability distribution of the request-failure messages in the t-th end node information hopping period and the corrected average probability distribution, and thereby determines whether the attacker adopts a blind scanning strategy. Wherein the relative entropy is given by the formula, and $m'_B m'_L$ is the number of node spaces remaining after the abnormal node spaces are eliminated.
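The strategy-sensing step S224 and formulas (3) to (6) are only described in prose on this page, so the following is an added worked example, not the patent's own code. It assumes that "Sibson entropy" means Sibson's information radius of two distributions, which coincides with the Jensen-Shannon divergence (measured in bits here); that a 0.05 bit threshold stands in for the patent's unspecified confidence interval; and that the outlier test of formula (5) is Chauvenet's criterion. The request-failure messages, the eight-block node space and the source addresses are constructed.

```python
"""Added example: sensing follow-up and blind scanning from request-failure
messages with Sibson entropy (assumed to be the Jensen-Shannon divergence)."""
from collections import Counter
from math import erfc, log2, sqrt


def distribution(values):
    """Empirical probability distribution of a sequence of hashable values."""
    counts = Counter(values)
    total = sum(counts.values())
    return {k: c / total for k, c in counts.items()}


def sibson_entropy(p, q):
    """Sibson entropy (information radius) of P and Q over a shared support:
    0.5*KL(P||M) + 0.5*KL(Q||M) with M = (P+Q)/2.  Lies in [0, 1] bit;
    0 for identical distributions, 1 for disjoint supports."""
    d = 0.0
    for k in set(p) | set(q):
        pk, qk = p.get(k, 0.0), q.get(k, 0.0)
        mk = (pk + qk) / 2
        if pk > 0:
            d += 0.5 * pk * log2(pk / mk)
        if qk > 0:
            d += 0.5 * qk * log2(qk / mk)
    return d


def chauvenet_filter(counts):
    """Formula (5) as assumed here: drop node-space blocks whose request-failure
    count is an outlier by Chauvenet's criterion (expected number of such
    observations among n samples below 0.5), e.g. the high-frequency hop block."""
    n = len(counts)
    if n < 3:
        return dict(counts)
    mean = sum(counts.values()) / n
    std = sqrt(sum((c - mean) ** 2 for c in counts.values()) / (n - 1))
    if std == 0:
        return dict(counts)
    return {b: c for b, c in counts.items()
            if n * erfc(abs(c - mean) / std / sqrt(2)) >= 0.5}


def follow_up_scanning(prev_msgs, cur_msgs, threshold=0.05):
    """Formula (4): a small Sibson entropy between the source-address
    distributions of two adjacent periods means the same sources keep
    probing, i.e. follow-up scanning.  Returns (verdict, entropy)."""
    p = distribution(src for src, _ in prev_msgs)
    q = distribution(src for src, _ in cur_msgs)
    d = sibson_entropy(p, q)
    return d < threshold, d


def blind_scanning(cur_msgs, threshold=0.05):
    """Formula (6): after removing outlier blocks, compare the destination
    distribution with the corrected uniform average N_fail/(m'_B m'_L).
    Returns (verdict, entropy, removed_blocks)."""
    counts = Counter(block for _, block in cur_msgs)
    kept = chauvenet_filter(counts)
    total = sum(kept.values())
    observed = {b: c / total for b, c in kept.items()}
    uniform = {b: 1.0 / len(kept) for b in kept}
    d = sibson_entropy(observed, uniform)
    return d < threshold, d, sorted(set(counts) - set(kept))


def classify(prev_msgs, cur_msgs):
    """Decision order of the description: follow-up first, otherwise blind
    versus non-blind."""
    if follow_up_scanning(prev_msgs, cur_msgs)[0]:
        return "follow-up"
    return "blind" if blind_scanning(cur_msgs)[0] else "non-blind"


def make_period(src_blocks):
    """Expand {src: {block: count}} into a flat list of (src, block) messages."""
    return [(s, b) for s, blocks in src_blocks.items()
            for b, n in blocks.items() for _ in range(n)]


# Constructed request-failure messages for three end-node hopping periods over a
# node space split into 8 blocks; block 7 plays the high-frequency hop block.
PERIOD_PREV = make_period({"203.0.113.5": {b: 3 for b in range(8)},
                           "203.0.113.9": {b: 1 for b in range(8)}})
PERIOD_CUR = make_period({"203.0.113.5": {0: 4, 1: 4, 2: 5, 3: 3, 4: 4, 5: 4, 6: 4, 7: 44},
                          "203.0.113.9": {b: 1 for b in range(8)}})
PERIOD_FOCUSED = make_period({"198.51.100.77": {0: 1, 1: 1, 2: 30, 3: 1,
                                                4: 1, 5: 28, 6: 1, 7: 1}})

if __name__ == "__main__":
    print("prev -> cur:", classify(PERIOD_PREV, PERIOD_CUR),
          follow_up_scanning(PERIOD_PREV, PERIOD_CUR), blind_scanning(PERIOD_CUR))
    print("cur -> focused:", classify(PERIOD_CUR, PERIOD_FOCUSED),
          blind_scanning(PERIOD_FOCUSED))
```

In the constructed data the same two sources persist from the previous period into the current one, so the source-address Sibson entropy is small and follow-up scanning is reported; within the current period the spike on block 7 is discarded by Chauvenet's criterion and the remaining blocks are close to uniform, which is the blind-scanning signature. The third period comes from a new source concentrated on two blocks, which yields the maximal 1 bit of source-address divergence and a destination distribution far from uniform. The thresholds and the exact outlier rule are the parameters a deployment would have to calibrate against the subnet's normal request-failure rate.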
Step S4 specifically includes:
S41, the hopping proxy receives the address conversion strategy, calculates the converted IP address in each subnet, and establishes the mapping list of virtual IP addresses and real IP addresses;
S42, the hopping proxy receives the data packet sent by the real IP address in the subnet and intercepts the data message;
S43, the hopping proxy replaces the source IP address in the intercepted data message according to the mapping list and forwards the intercepted data message.
When an attacker scans the network IP addresses, a detection agent deployed in each subnet collects the request data messages and calculates and counts the distribution probabilities of the source IP addresses and destination IP addresses of the request messages. After the controller receives the reported information, the controller detection analysis module compares the distribution similarity of the source IP addresses and destination IP addresses in adjacent time intervals using Sibson entropy to determine the scanning attack target and the scanning strategy. The controller conversion strategy generation module generates an IP address conversion strategy based on the scanning strategy and sends it to the hopping proxy. A hopping proxy deployed in each subnet receives the IP address conversion strategy; when it receives a data packet sent within the subnet, it intercepts the packet, modifies the source IP address in the data header according to the mapping list of virtual IP addresses and real IP addresses, and forwards the packet. The SDN switch forwards the packet according to its flow table information. When the hopping proxy at the receiving end receives the data packet, it intercepts the packet, modifies the destination IP address in the data header according to the mapping list of virtual IP addresses and real IP addresses, and forwards the packet to the end node in the subnet.
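The hopping proxy's part of the flow (steps S41 to S43 on the sending side and the matching destination rewrite on the receiving side) can be shown concretely on raw IPv4 headers. The block below is an added example and not code from the patent. It assumes that the weight-based selection of claim 9, which the page does not specify, can be replaced by a random permutation of the subnet's unused addresses; that the sending host already addresses the receiver's current virtual IP (how it learns it is outside the example); and that transport-layer checksums are left alone. All addresses, the subnets and the packet are constructed.

```python
"""Added example: a hopping proxy's virtual/real mapping list and IPv4 header
rewriting on egress (source) and ingress (destination)."""
import ipaddress
import random
import secrets
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words.  With the checksum field zeroed it
    returns the value to store; over a valid filled-in header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def build_mapping(real_hosts, subnet, seed=None):
    """S41: one fresh virtual IP per real host, drawn from the subnet's unused
    addresses (random permutation; the patent's weighting is not specified).
    A seed gives a reproducible list; without one a CSPRNG is used."""
    pool = [str(a) for a in ipaddress.ip_network(subnet).hosts()
            if str(a) not in real_hosts]
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    real_to_virt = dict(zip(real_hosts, rng.sample(pool, len(real_hosts))))
    return real_to_virt, {v: r for r, v in real_to_virt.items()}


def src_of(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[12:16]))


def dst_of(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[16:20]))


def rewrite_header(packet: bytes, src=None, dst=None) -> bytes:
    """Replace the source and/or destination address of an IPv4 packet and
    recompute the header checksum; the payload passes through untouched."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    if src is not None:
        hdr[12:16] = ipaddress.IPv4Address(src).packed
    if dst is not None:
        hdr[16:20] = ipaddress.IPv4Address(dst).packed
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def egress(packet: bytes, real_to_virt) -> bytes:
    """S42/S43 at the sending subnet: intercept a packet from a real host and
    replace its real source with the mapped virtual address."""
    return rewrite_header(packet, src=real_to_virt[src_of(packet)])


def ingress(packet: bytes, virt_to_real) -> bytes:
    """Receiving subnet: map the virtual destination back to the real host."""
    return rewrite_header(packet, dst=virt_to_real[dst_of(packet)])


def make_ipv4(src, dst, payload=b"") -> bytes:
    """Constructed packet: 20-byte IPv4 header, protocol 17, DF set, no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, 17, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def round_trip(seed=None):
    """Two subnets, each with its own hopping proxy: a packet from real host A to
    B's virtual address leaves A's subnet with a virtual source and reaches B
    with its real destination restored.  Returns (original, in_transit, delivered)."""
    a_r2v, _ = build_mapping(["10.0.1.5", "10.0.1.6"], "10.0.1.0/24", seed)
    b_r2v, b_v2r = build_mapping(["10.0.2.7"], "10.0.2.0/24", seed)
    original = make_ipv4("10.0.1.5", b_r2v["10.0.2.7"], b"probe")
    in_transit = egress(original, a_r2v)
    delivered = ingress(in_transit, b_v2r)
    return original, in_transit, delivered


if __name__ == "__main__":
    for label, pkt in zip(("original", "in transit", "delivered"), round_trip()):
        print(f"{label:11} {src_of(pkt)} -> {dst_of(pkt)} checksum_ok={checksum_ok(pkt)}")
```

The real source address never appears on the wire between the two proxies, which is the property the hopping is meant to provide against a scanner watching the subnet; the receiving proxy needs the same mapping generation that the sender's subnet used for the current period, so both lists must be refreshed together when the controller issues a new conversion strategy.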
The above is only a preferred embodiment of the present invention, and it should be noted that the above preferred embodiment should not be considered as limiting the present invention, and the protection scope of the present invention should be subject to the scope defined by the claims. It will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the spirit and scope of the invention, and these modifications and adaptations should be considered within the scope of the invention.
Claims (10)
1. A multi-attribute self-adjusting network transformation system based on SDN is characterized by comprising:
the detection agent is used for collecting the request data message, calculating and counting the distribution probability of the source IP address and the destination IP address of the request message;
the controller comprises a detection analysis module and a conversion strategy generation module; the detection analysis module is used for comparing the distribution similarity of the source IP address and the destination IP address in adjacent time intervals and determining a scanning attack target and a scanning strategy; the conversion strategy generation module is used for generating different IP address conversion strategies according to different scanning strategies;
and the jump proxy executes the IP address conversion strategy to finish the active migration of the IP address and the port number.
2. The system of claim 1, wherein the system comprises:
the detection agent comprises an acquisition and data statistics module, a cache queue and time window maintenance module, a scanning distribution calculation module and a suspicious data reporting module; the acquisition and data statistics module is used for acquiring request messages and generating flow statistics data in a time interval t; the cache queue and time window maintenance module is used for maintaining a local cache queue, storing statistical data and realizing a time sliding window mechanism; the scanning distribution calculation module is used for calculating the probability distribution of the source IP address and the destination IP address in the request data packet; the suspicious data reporting module is used for sending the calculated address probability statistical data to the controller detection and analysis module;
the jump proxy comprises an IP address mapping module and a data packet modifying module; the IP address mapping module is used for receiving the conversion strategy generated by the controller conversion strategy generating module, calculating a converted virtual IP address and constructing a virtual IP address and actual IP address mapping list; the data packet modification module is used for intercepting the data message sent in the subnet and modifying the header information of the data message.
3. A multi-attribute self-adjusting network transformation method based on an SDN is characterized by comprising the following steps:
collecting request data messages, and calculating and counting the distribution probability of a source IP address and a destination IP address of the request messages;
comparing the distribution similarity of the source IP address and the destination IP address in adjacent time intervals, and determining a scanning attack target and a scanning strategy;
generating different IP address conversion strategies according to different scanning strategies;
and executing the IP address translation strategy to finish the active migration of the IP address and the port number.
4. The method of claim 3, wherein the collecting request data packets, calculating and counting the distribution probability of the source IP address and the destination IP address of the request packets comprises:
the detection agent completes initialization of a local cache queue, sets a sliding window and reports confirmation information to the controller detection analysis module;
the controller detection analysis module enters a monitoring stage after receiving the confirmation information and issues a time message and sampling configuration parameters to the detection agent;
the detection agent completes a time synchronization starting timing mechanism after receiving the time message and the sampling configuration parameters, and collects request data packets in the subnet according to the configuration parameters;
the detection agent analyzes and processes the acquired request data packet, calculates the distribution of the source IP address, the destination IP address and the port number in each time interval according to the statistical data in the sliding window, and reports the sampling distribution to the controller detection analysis module.
5. The SDN-based multi-attribute self-adjusting network transformation method of claim 4, wherein: the detection agent analyzes and processes the acquired request data packet to count the source IP address, the destination IP address and the destination port number in the request data packet received in each subnet within continuous time intervals at different time periods, allocates new queue space to store statistical data and adds the statistical data to the tail of a local cache queue; wherein, the statistical data of different sub-networks in the same time period is put on a queue node.
6. The method of claim 3, wherein the comparing similarity of source IP addresses and destination IP address distributions in adjacent time intervals, determining a scanning attack target and a scanning strategy, and generating an IP address conversion strategy according to the scanning strategy comprises:
the controller detection analysis module receives the sampling distribution statistical data and stores the sampling distribution statistical data into a local data cache space;
the controller detection analysis module calculates Sibson entropies of adjacent time intervals of the same IP address and the same port number in the sampled data to judge a malicious scanning attack strategy;
the controller detection analysis module deletes the reported information from the data cache and generates a scanning attack warning containing attack information, including the attack target and the attack strategy;
and the controller detection analysis module sends the attack information to the controller conversion strategy generation module.
7. The SDN-based multi-attribute self-adjusting network transformation method of claim 6, wherein the step in which the controller detection analysis module calculates the Sibson entropy of adjacent time intervals of the same IP address and the same port number in the sampled data to judge the malicious scanning attack strategy comprises:
if the Sibson entropy of the source IP address in each subnet is smaller than the threshold value in two adjacent time intervals, the attacker adopts a blind scanning strategy;
and if the Sibson entropy of the destination IP address in each subnet is smaller than the threshold value in two adjacent time intervals, the attacker adopts a non-blind scanning strategy.
8. The SDN-based multi-attribute self-adjusting network transformation method of claim 6, wherein the method for calculating Sibson entropy of adjacent time intervals of the same IP address and port number in the sampled data comprises:
setting a sliding window, wherein the period of the sliding window is greater than the end node information hopping period and less than the low-frequency time domain hopping period;
calculating the average scanning frequency detected in the sliding window and the average standard deviation of the maximum value and the minimum value of the scanning frequency under the condition that only normal user scanning behaviors exist, analyzing whether the scanning frequency in the subnet exceeds a normal threshold value or not, and if the scanning frequency exceeds the threshold value, judging that abnormal scanning behaviors exist;
judging a target node which is maliciously scanned;
and counting the probability distribution of the request failure message by utilizing the Sibson entropy to judge the scanning strategy.
9. The method of claim 3, wherein generating the IP address translation policy according to the scanning policy comprises:
when an attacker implements attack by adopting a blind scanning strategy, an IP address conversion strategy based on weight is generated;
and when the attacker implements the attack by adopting a non-blind scanning strategy, generating a reverse IP address conversion strategy based on the weight value.
10. The method of claim 3, wherein performing the IP address translation policy to perform active migration of IP addresses and port numbers comprises:
the jump proxy receives the address translation strategy, calculates the translation IP address in each subnet, and establishes a mapping list of the virtual IP address and the real IP address;
the jump proxy receives a data packet sent by a real IP address in the subnet and intercepts a data message;
and the jump proxy replaces the source IP address in the intercepted data message according to the mapping list and forwards the intercepted data message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111176670.5A CN113938458A (en) | 2021-10-09 | 2021-10-09 | Multi-attribute self-adjusting network transformation system and method based on SDN |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113938458A true CN113938458A (en) | 2022-01-14 |
Family
ID=79277955
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111176670.5A Withdrawn CN113938458A (en) | 2021-10-09 | 2021-10-09 | Multi-attribute self-adjusting network transformation system and method based on SDN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113938458A (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106982206A (en) * | 2017-03-10 | 2017-07-25 | 中国科学院信息工程研究所 | Malicious scanning defense method and system based on adaptive IP address transformation |
Non-Patent Citations (1)
Title |
---|
Lei Cheng et al.: "Moving target defense technique based on adaptive transformation of the network attack surface", Chinese Journal of Computers, vol. 41, no. 5, pages 1115 - 1116 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114244632A (en) * | 2022-02-24 | 2022-03-25 | 上海观安信息技术股份有限公司 | Method, device, electronic equipment and medium for detecting network attack behavior of ICMP network scanning |
CN114244632B (en) * | 2022-02-24 | 2022-05-03 | 上海观安信息技术股份有限公司 | Method, device, electronic equipment and medium for detecting network attack behavior of ICMP network scanning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20220114 |