CN114978580A - Network detection method and device, storage medium and electronic equipment - Google Patents

Info

Publication number
CN114978580A
Authority
CN
China
Prior art keywords
sdn
network
node
nodes
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210370081.9A
Other languages
Chinese (zh)
Other versions
CN114978580B (en)
Inventor
孟阼君
张建宇
姚晓辉
王锦华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202210370081.9A
Publication of CN114978580A
Application granted
Publication of CN114978580B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a network detection method and device, a storage medium and electronic equipment, and relates to the technical field of communication. The method comprises the following steps: acquiring a connection relation and a flow direction of each SDN equipment node in a Software Defined Network (SDN); generating topological structure information among the SDN equipment nodes according to the connection relation and the flow direction of each SDN equipment node; obtaining a first SDN device node according to the topological structure information; and traversing, starting from a first SDN device node, SDN device nodes in topology information to detect abnormal traffic in the SDN network. The method can realize the detection of the network flow without changing the existing network architecture, and has higher safety and lower realization difficulty.

Description

Network detection method and device, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a network detection method and apparatus, a storage medium, and an electronic device.
Background
An OpenFlow-based Software Defined Network (SDN) is an implementation of network virtualization. Its core technology, OpenFlow, separates the control plane from the data plane of network equipment, which enables flexible control of network traffic, makes the network more intelligent as a pipeline, and provides a good platform for innovation in core networks and applications.
However, weak points and default-configuration problems in an SDN network can allow the flow tables of SDN switches to be tampered with, which in turn creates various network security risks. How to improve the security of the SDN network is a technical problem to be solved urgently in the field.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure aims to provide a network detection method and apparatus, a storage medium, and an electronic device, which at least to some extent overcome the problem of poor security of an SDN network in the related art.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, there is provided a network detection method, including: acquiring a connection relation and a flow direction of each SDN equipment node in a Software Defined Network (SDN); generating topological structure information among the SDN equipment nodes according to the connection relation and the flow direction of each SDN equipment node; obtaining a first SDN device node according to the topological structure information; and traversing each SDN device node in the topology structure information from the first SDN device node to detect abnormal traffic in the SDN network.
In some embodiments of the present disclosure, the abnormal traffic comprises counterfeit nodes, and traversing the SDN device nodes starting from the first SDN device node to detect the abnormal traffic in the SDN network comprises: sequentially traversing the network addresses of the SDN equipment nodes from the first SDN equipment node based on a breadth-first algorithm so as to detect whether SDN equipment nodes with the same network addresses exist or not; if the SDN equipment nodes with the same network address exist, the SDN equipment nodes with the same network address are used as counterfeit nodes; and if the SDN equipment nodes with the same network addresses do not exist, determining that the network detection result is normal.
In some embodiments of the present disclosure, if the abnormal traffic includes a tampered path, traversing each SDN device node in the topology information from the first SDN device node to detect the abnormal traffic in the SDN network includes: detecting each path from a first SDN device node to each SDN device node in the topology structure information based on a vector analysis method to detect a tampered path in the SDN network.
In some embodiments of the present disclosure, detecting respective paths between a first SDN device node to respective SDN device nodes in the topology information based on vector analytics to detect a tampered path in the SDN network comprises: acquiring preset path information; traversing each path information between each SDN device node from the first SDN device node; comparing the path information with predetermined path information; if the comparison result is consistent, the network detection result is normal; and if the comparison results are not consistent, the path information is used as a tampered path.
In some embodiments of the disclosure, the method further comprises: and acquiring the counterfeit nodes and/or the tampered paths to judge the risk level, and starting corresponding emergency treatment according to the risk level.
In some embodiments of the disclosure, the method further comprises: acquiring feedback information aiming at emergency treatment; if the feedback information is legal flow, updating the preset path information; and if the feedback information is illegal flow, deleting the counterfeit node and/or the tampered path.
In some embodiments of the disclosure, the method comprises: acquiring a PacketIn message for an incoming data packet; and updating the topology information based on the PacketIn message.
According to still another aspect of the present disclosure, there is provided a network detection apparatus including: an acquisition module, configured to acquire the connection relation and the traffic flow direction of each SDN device node in a software defined network (SDN); a topology generation module, configured to generate topology information among the SDN device nodes according to the connection relation and the traffic flow direction of the SDN device nodes; a topology sequencing module, configured to obtain a first SDN device node according to the topology information; and a detection module, configured to traverse each SDN device node in the topology information from the first SDN device node to detect abnormal traffic in the SDN network.
According to yet another aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the network detection method described above via execution of the executable instructions.
According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network detection method described above.
The network detection method provided by the embodiment of the disclosure brings at least the following beneficial effects:
the method can realize the detection of the network flow without changing the existing software-defined network SDN network architecture by acquiring and analyzing the real-time connection relation and the flow direction of each SDN equipment node, and has higher safety and lower realization difficulty.
Furthermore, the detection is executed based on the network topology structure information, and the complexity of the network flow condition can be effectively reduced, so that the scale of the network is simplified, and the calculation amount of the detection is reduced.
Furthermore, the detection starting point is determined in the network topology information firstly, so that the speed of traversing all network nodes can be increased, and the efficiency of detecting the network nodes in the SDN network is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Figure 1A illustrates an architectural schematic of an SDN network in some embodiments of the disclosure.
Fig. 1B illustrates an application scenario diagram of a network detection method in some embodiments of the present disclosure.
Fig. 2 illustrates a flow diagram of a network detection method in some embodiments of the present disclosure.
Fig. 3 illustrates a flow chart of a method for detecting a counterfeit node in a network detection method in some embodiments of the present disclosure.
Fig. 4A illustrates a scene diagram of detecting a counterfeit node in a network detection method in some embodiments of the present disclosure.
Fig. 4B illustrates a topology information diagram of the absence of a spoofed node in a method of network detection in some embodiments of the present disclosure.
Fig. 4C illustrates a topology information diagram of a presence of a mock node in yet another network detection method in some embodiments of the present disclosure.
Fig. 5 illustrates a flow chart of a method for detecting a tamper path in a network detection method in some embodiments of the present disclosure.
Fig. 6A illustrates a schematic view of a scenario for detecting a tamper path in a network detection method in some embodiments of the present disclosure.
Fig. 6B illustrates a topology information diagram of the absence of a tamper path in a network detection method in some embodiments of the present disclosure.
Fig. 6C illustrates a topology information diagram of a presence of a tamper path in yet another network detection method in some embodiments of the present disclosure.
Fig. 7 illustrates a method flow diagram of yet another network detection method in some embodiments of the present disclosure.
Fig. 8 shows a schematic diagram of a network detection device in an embodiment of the present disclosure.
Fig. 9 shows a block diagram of a network detection computer device in an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present disclosure, "a plurality" means at least two, e.g., two, three, etc., unless explicitly and specifically limited otherwise.
In view of the above technical problems in the related art, embodiments of the present disclosure provide a network detection method for solving at least one or all of the above technical problems.
As can be seen from fig. 1A, the SDN network adds, on top of the OpenFlow control layer 100b and forwarding layer 100a, a service layer 100c that can call the control layer 100b through an API. The service layer 100c is the platform of a network operating system: a user can develop and use the required application programs in the service layer 100c, an application program calls the control layer 100b, and the control layer 100b issues the application's execution commands to an SDN device (SDN switch) 110 in the form of flow tables to control the specific execution of the network device. That is, SDN is not a specific network protocol but a network architecture framework. Such a framework may include multiple interface protocols, for example a southbound interface protocol such as OpenFlow for interaction between the SDN controller 130 and the SDN device 110, and a northbound API for interaction between service applications and the SDN controller 130. The SDN-based network architecture is therefore more systematic and has better sensing and control capability, which pushes the network to develop in a new direction.
The SDN controller 130 is an application in a Software Defined Network (SDN) and is responsible for flow control to ensure an intelligent network, and tells a switch where to send a packet by issuing a flow table. In fact, the SDN controller 130 is a logically centralized entity that is mainly responsible for two tasks, one converting SDN application layer requests to SDN Datapath, and another providing an abstraction model (which may be state, event) of the underlying network for SDN applications. An SDN controller 130 contains northbound interface agents, SDN control logic, and control data plane interface drivers. The SDN controller 130 is only required to be logically complete, so it may be composed of multiple controller instances, or may be a hierarchical controller cluster; geographically speaking, all controller instances may be in the same location, or multiple instances may be dispersed in different locations.
The OpenFlow standard protocol allows the SDN controller 130 to directly access and operate a forwarding plane of the SDN device 110, the devices may be physical devices, or virtual routers or switches, control functions can be completely centralized on a remote SDN controller through the OpenFlow protocol, and the SDN device is only responsible for performing simple and high-speed data forwarding locally; in the SDN device 110 using the OpenFlow standard, the basis for data forwarding is a flow table.
The SDN controller 130 is connected and used in cooperation with the SDN device 110, the SDN device 110 is only responsible for forwarding services of data packets, and all flow entries in the flow table are issued by the SDN controller 130 controlling the flow table. When a data packet is received by the SDN device 110, the data packet is matched with each field in a locally stored flow table entry according to priority, and the data packet is operated according to a corresponding instruction action.
Based on the SDN technology, fig. 1B illustrates an application scenario diagram of a network detection method in some embodiments of the present disclosure. As shown in fig. 1B, the SDN network includes the SDN device 110, the SDN controller 130, and a security Channel (Secure Channel) between the SDN device 110 and the SDN controller 130.
SDN controller 130 is a virtual network control center, and may generate a flow table according to a configuration of a user or a dynamically operating protocol, and send the flow table to SDN device 110.
The SDN device 110 is configured to receive a flow table issued by the SDN controller 130, perform message processing according to the flow table, and report a device state and an event, such as an event of an interface UP or an interface DOWN, to the SDN controller 130. SDN device 110 may be an Access Controller (AC) or an AP.
The dashed line in fig. 1B is a secure channel for supporting communication between SDN controller 130 and SDN device 110.
Currently, one AP, such as server 120a, may be configured on SDN device 110; multiple APs, such as servers 120b, 120c, and 120d, may also be configured, and one SDN controller may connect multiple SDN devices 110.
Hereinafter, each step of the network detection method in the present exemplary embodiment will be described in more detail with reference to the drawings and the examples.
Fig. 2 shows a flow chart of a network detection method in an embodiment of the present disclosure. The method provided by the embodiments of the present disclosure may be performed by any electronic device with computing processing capability, such as the SDN controller 130 in fig. 1A and 1B. In the following description, the SDN controller 130 is used as an execution subject for illustration.
As shown in fig. 2, a network detection method 200 provided by some embodiments of the present disclosure may include the following steps:
in step S210, a connection relationship and a traffic flow of each SDN device node in the software defined network SDN network are acquired.
The connection relation and the traffic flow direction of each SDN device node are represented by source addresses and destination addresses of various SDN network devices in the SDN network, which are acquired by the SDN controller based on a link layer discovery protocol and a broadcast domain discovery protocol, wherein the addresses can be IP addresses or MAC addresses.
In step S220, topology information between SDN device nodes is generated according to the connection relationship and the traffic flow direction of each SDN device node.
The topology information comprises the SDN device nodes and the directed connections that express the connection relations between them; both are obtained from the source addresses and destination addresses of the SDN device nodes. For example, the directed line segments in fig. 1B connect the SDN devices 110.
In step S230, a first SDN device node is obtained according to the topology information.
The first SDN device node is an SDN device node without data input, that is, a network address of the SDN device node does not appear in a destination address of each SDN device node. One or more first SDN device nodes may be provided.
In step S240, traversing each SDN device node in the topology information from the first SDN device node to detect abnormal traffic in the SDN network.
In some embodiments of the present disclosure, abnormal traffic refers to traffic of an attack event such as a counterfeit node, a tampered path, or the like occurring in the SDN network.
In some embodiments of the present disclosure, if there are multiple first SDN device nodes, the traversal starts from each of the first SDN device nodes in turn and covers the SDN device nodes connected to it, to detect whether attack events involving counterfeit nodes and tampered paths exist in the SDN network.
The method can realize the detection of the network flow without changing the existing software-defined network SDN network architecture by acquiring and analyzing the real-time connection relation and the flow direction of each SDN equipment node, and has higher safety and lower realization difficulty.
Furthermore, the detection is executed based on the network topology structure information, and the complexity of the network flow condition can be effectively reduced, so that the scale of the network is simplified, and the calculation amount of the detection is reduced.
Furthermore, the detection starting point is determined in the network topology information firstly, so that the speed of traversing all network nodes can be increased, and the efficiency of detecting the network nodes in the SDN network is improved.
When the abnormal traffic includes a counterfeit node, step S240 may include the method 300 for detecting a counterfeit node, whose flow chart in some embodiments of the present disclosure is shown in fig. 3. As shown in fig. 3, the method 300 may include the following steps:
in step S302, based on a breadth first algorithm, network addresses of the SDN device nodes are sequentially traversed from the first SDN device node to detect whether SDN device nodes with the same network address exist.
Detecting the topology information with a Breadth-First Search (BFS) algorithm may include the following steps: finding the other SDN device nodes connected to the first SDN device node in the topology information; first detecting these SDN device nodes; then deleting them from the topology information in sequence; after the deletion, searching the topology information for SDN device nodes that have no input; then deleting ... and detecting ..., until all SDN device nodes have been deleted, at which point the detection of the SDN device nodes in breadth-first order is complete.
In some embodiments of the present disclosure, network addresses of each SDN device node are sequentially traversed from a first SDN device node based on a breadth-first order, and the traversed network addresses are stored in a form of a data structure stack or a queue, so as to detect whether a counterfeit node exists.
In some embodiments of the present disclosure, if there are multiple first SDN devices, based on a breadth first algorithm, sequentially performing traversal on one or more SDN device nodes connected to each first SDN device in the multiple first SDN devices, and storing other SDN device nodes connected to each first SDN device in a form of a data structure stack or a queue to detect whether there are network nodes with the same network address in the SDN network.
In step S304, it is determined whether SDN device nodes with the same network address exist.
If one or more SDN device nodes with the same network address exist, step S306 is executed to use the SDN device node with the same network address as a counterfeit node.
If there is no SDN device node with the same network address, step S308 is executed to determine that the network detection result is normal.
Fig. 4A is a schematic view of a scenario of detecting a counterfeit node in a network detection method in some embodiments of the present disclosure. As shown in fig. 4A, the SDN network includes SDN devices 410a, 410b, and 410c, and one or more APs configured on the SDN devices; for example, SDN device 410a configures only one AP (server 420a), while SDN device 410c configures a plurality of APs (servers 420c and 420d). In the scenario of fig. 4A, the counterfeit server 420e spoofs the network address of server 420d (192.178.2.2) and is configured at SDN device 410b, in order to hijack traffic transmitted by server 420b to server 420d.
In fig. 4A there are two states: a normal network state before the counterfeit server 420e appears, and a network conflict state after the counterfeit server 420e appears.
In a normal state, the SDN controller 430 acquires connection relationships and traffic flows of a plurality of access points 420a-420d connected to the SDN device nodes 410a, 410b, and 410c in the SDN network.
For example, the SDN controller acquires that the source address of the node 420a is 192.178.1.1, and the destination addresses are 192.178.1.2, 192.178.2.3, and 192.178.2.2; the source address of node 420b is 192.178.1.2, the destination addresses are 192.178.2.3 and 192.178.2.2; node 420c has a source address of 192.178.2.3 and a destination address of Null; the source address of node 420d is 192.178.2.2 and the destination address is Null.
The connection relationship and the traffic flow direction of each network node are obtained from the source address and the destination addresses of that node, and the topology information between the SDN device nodes shown in fig. 4B is generated. The network node 420a, which has zero inputs, is found first and taken as the first SDN device node. Based on the breadth-first algorithm, all SDN device nodes are traversed from 410a in the order 420a-420b-420c-420d; no SDN device nodes with the same network address exist, that is, the network detection result is normal.
When the counterfeit server 420e appears, the counterfeit server 420e hijacks traffic from the node 420b to the node 420d, and the counterfeit node may be detected through the source address and the destination address of each SDN device node acquired by the controller.
Taking fig. 4A as an example, the SDN controller obtains that the source address of the node 420a is 192.178.1.1, and the destination addresses are 192.178.1.2, 192.178.2.3, and 192.178.2.2; the source address of the mock node 420e is 192.178.2.2, the destination address is Null; node 420b has a source address of 192.178.1.2, destination addresses of 192.178.2.3 and 192.178.2.2; the source address of the node 420c is 192.178.2.3, the destination address is Null; the source address of node 420d is 192.178.2.2 and the destination address is Null.
The SDN controller obtains the connection relationship and the traffic flow direction of each network node from the source address and the destination addresses of that node, and generates the topology information between the SDN device nodes shown in fig. 4C. The network node 420a, which has zero inputs, is found first and taken as the first SDN device node. Traversing all SDN device nodes from 420a in the order 420a-420b-420e-420c-420d, based on the breadth-first algorithm, shows that the network address of node 420d is the same as the network address of node 420e; at least one of 420d and 420e is therefore a counterfeit node, and SDN device nodes 420d and 420e are determined to be counterfeit nodes.
By constructing topological structure information and combining with a breadth first algorithm, counterfeit events in the SDN can be accurately and quickly detected, and network conflicts can be found immediately, so that the network conflicts can be avoided immediately, and the network security is improved.
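The traversal and duplicate-address check described above, as an added Python example (it is not code from the patent). The records are constructed from the addresses listed for fig. 4A; the node ids, the record layout and the function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample input: (node id, source address, destination addresses),
# mirroring the values the description lists for fig. 4A.
NORMAL = [
    ("420a", "192.178.1.1", ["192.178.1.2", "192.178.2.3", "192.178.2.2"]),
    ("420b", "192.178.1.2", ["192.178.2.3", "192.178.2.2"]),
    ("420c", "192.178.2.3", []),
    ("420d", "192.178.2.2", []),
]
# Same network after the counterfeit server 420e appears with 420d's address.
SPOOFED = [NORMAL[0], ("420e", "192.178.2.2", []), *NORMAL[1:]]


def build_topology(records):
    """Return (successors, in_degree) of the directed graph for the records.

    An edge u -> v exists when v's source address is one of u's destinations,
    so two nodes that share an address both receive the edge.
    """
    by_addr = defaultdict(list)
    for node, src, _ in records:
        by_addr[src].append(node)
    succ = {node: [] for node, _, _ in records}
    indeg = {node: 0 for node, _, _ in records}
    for node, _, dsts in records:
        for dst in dsts:
            for target in by_addr.get(dst, []):
                succ[node].append(target)
                indeg[target] += 1
    return succ, indeg


def traversal_order(records):
    """Visit nodes layer by layer: take every node without input, delete it
    from the topology, then look for nodes that have no input any more."""
    succ, indeg = build_topology(records)
    remaining = [node for node, _, _ in records]
    order = []
    while remaining:
        layer = [n for n in remaining if indeg[n] == 0]
        if not layer:
            # Only nodes on a cycle are left; no node is input-free, so
            # check them in record order rather than skipping them.
            layer = list(remaining)
        for node in layer:
            for nxt in succ[node]:
                indeg[nxt] -= 1
        order.extend(layer)
        done = set(layer)
        remaining = [n for n in remaining if n not in done]
    return order


def find_counterfeit_nodes(records):
    """Map each network address claimed by more than one node to those nodes."""
    addr_of = {node: src for node, src, _ in records}
    seen = defaultdict(list)
    for node in traversal_order(records):
        seen[addr_of[node]].append(node)
    return {addr: nodes for addr, nodes in seen.items() if len(nodes) > 1}


if __name__ == "__main__":
    for name, records in (("normal", NORMAL), ("spoofed", SPOOFED)):
        print(name, traversal_order(records), find_counterfeit_nodes(records))
```

The check reports both holders of a duplicated address, as the description does; deciding which of the two is legitimate needs information outside the topology, such as the attachment point recorded when the node was first configured.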
In some embodiments of the present disclosure, if the abnormal traffic includes a tampered path, step 240 may further include detecting, based on a vector analysis method, each path from a first SDN device node to each SDN device node in the topology information to detect the tampered path in the SDN network, so as to detect a change of a directed connection edge in the topology information, thereby detecting a change of a traffic trend, avoiding an event such as malicious eavesdropping, and improving network security.
The following description will be given by taking fig. 5 as an example.
When the abnormal traffic includes a counterfeit node, step S240 may include the method 500 for detecting a tampered path, whose flow chart in some embodiments of the present disclosure is shown in fig. 5. The method 500 may include the following steps:
in step S502, predetermined path information is acquired.
The predetermined path information is generated by the SDN controller according to an initialized configuration of the SDN device or a dynamically running protocol.
In step S504, traversal of the respective path information between the respective SDN device nodes is started from the first SDN device node.
In some embodiments of the present disclosure, all path information may be output using DFS (Depth-First-Search). For example, when the path search is realized by the DFS, the network node sequence of the path search is saved by using a stack; and ensures that all its neighbors have been pushed before a node is pushed.
In step S506, the path information is compared with the predetermined path information to determine whether the path information coincides with the predetermined path information.
In some embodiments of the present disclosure, the controller stores all searched network paths, compares all network paths with the predetermined path information in turn, and may obtain a comparison result between each network path and the predetermined path information to detect whether a tampered network path exists.
If the comparison result is consistent, step S508 is executed, and the network detection result is normal.
If the comparison result is not consistent, step S510 is executed, and the path information is taken as a tampered path.
There may be one or more tampered paths.
Fig. 6A is a schematic diagram illustrating a scenario of detecting a tampered path in a network detection method in some embodiments of the disclosure. As shown in fig. 6A, the SDN network includes SDN devices 610a, 610b, and 610c and one or more APs configured by the SDN devices; for example, SDN device 610a configures only one AP (server 620a), while SDN device 610c configures multiple APs (servers 620c and 620d). In the scenario of fig. 6A, server 620e intercepts traffic from server 620b to server 620d, changing the traffic direction from server 620b to server 620d and eavesdropping on the traffic without being easily discovered.
In fig. 6A, there are two states: the normal network state before the eavesdropping server 620e appears, and the malicious eavesdropping state after the eavesdropping server 620e has tampered with the path.
In a normal state, the SDN controller 630 acquires connection relationships and traffic flow directions of a plurality of access points 620a-620d connected to respective SDN device nodes 610a, 610b, and 610c in the SDN network.
For example, the SDN controller acquires that the source address of the node 620a is 192.178.1.1, and the destination addresses are 192.178.1.2, 192.178.2.3, and 192.178.2.2; node 620b has a source address of 192.178.1.2, and destination addresses of 192.178.2.3 and 192.178.2.2; the source address of the node 620c is 192.178.2.3, the destination address is Null; node 620d has a source address of 192.178.2.2 and a destination address of Null.
The connection relationship and the traffic flow direction of each network node are obtained according to the source address and the destination address of each network node, and the topology structure information between SDN device nodes shown in fig. 6B is generated. First, the network node with in-degree 0, address 620a, is found as the first SDN network device node. Each path between SDN device nodes in the topology information is detected based on a vector analysis method, which includes traversing path information between SDN device nodes from node 620a. For example, in fig. 6B, all path information that can be obtained according to the DFS algorithm includes: {620a-620b-620c}, {620a-620b-620d}, {620a-620c}, {620a-620d}. Each path is compared with the predetermined path information (i.e., the predetermined path information base 620a-620b-620c, 620a-620b-620d, 620a-620c, 620a-620d in the normal state); if no path inconsistent with the predetermined path information is found, the network detection result is normal.
When the interception server 620e is inserted between the server 620b and the server 620d and hijacks traffic from the node 620b to the node 620d, the controller may detect the tampered path from the source address and the destination address it acquires for each SDN device node.
Taking fig. 6A as an example, the SDN controller obtains that the source address of the node 620a is 192.178.1.1, and the destination addresses are 192.178.1.2, 192.178.2.3, and 192.178.2.2; node 620b has a source address of 192.178.1.2, and destination addresses of 192.178.2.3 and 192.178.2.1; the source address of the node 620c is 192.178.2.3, the destination address is Null; the source address of the node 620d is 192.178.2.2, the destination address is Null; the source address of node 620e is 192.178.2.1, and the destination address is 192.178.2.2.
Therefore, the connection relationship and the traffic flow direction of each node are obtained according to the source address and the destination address of the node, and the topology structure information between SDN device nodes as shown in fig. 6C is generated. Based on a vector analysis method, traversing all paths from 620a yields {620a-620b-620c}, {620a-620b-620e-620d}, {620a-620c}, {620a-620d}. These are compared with the predetermined path information; the obtained path 620a-620b-620e-620d does not coincide with the predetermined path 620a-620b-620d, so the path 620a-620b-620e-620d is determined to be a tampered path.
The method detects the consistency of the paths in the topological structure information by a vector analysis method so as to realize the detection of the network flow direction tampering, avoid the events of network eavesdropping, man-in-the-middle attacks and the like, effectively improve the network security and reduce the complexity and the calculated amount of network detection.
Fig. 7 illustrates a method flow diagram of yet another network detection method in some embodiments of the present disclosure. As shown in fig. 7, the method may include the steps of:
In step S702, a connection relationship and a traffic flow of each SDN device node in the software defined network SDN network are acquired.
Step S702 is similar to step S210 and will not be described herein.
In step S704, topology information between SDN device nodes is generated according to the connection relationship and the traffic flow of each SDN device node.
Step S704 is similar to step S220, and is not described herein again.
In some embodiments of the present disclosure, the method further includes step S706, acquiring, by the SDN controller, an incoming data packet PacketIn message sent by the SDN device.
In step S708, topology information is updated based on the PacketIn message.
The SDN device sends a data packet request to the controller through the PacketIn message so that the controller forwards the data packet request to the SDN device node of the destination address; while forwarding, the SDN controller updates the network topology structure information among the SDN device nodes based on the PacketIn message.
The method updates the network topology information in real time according to the PacketIn message, and has the advantages of high accuracy, good real-time performance, low cost and the like.
In step S710, a first SDN device node is obtained according to the topology information.
In step S712, traversing each SDN device node in the topology information from the first SDN device node to detect counterfeit nodes and tampered paths in the SDN network.
The method for detecting the counterfeit node can comprise the following steps: sequentially traversing the network addresses of the SDN equipment nodes from the first SDN equipment node based on a breadth-first algorithm so as to detect whether SDN equipment nodes with the same network addresses exist or not; if the SDN equipment nodes with the same network address exist, the SDN equipment nodes with the same network address are used as counterfeit nodes; and if the SDN equipment nodes with the same network addresses do not exist, determining that the network detection result is normal. The detailed implementation is similar to steps S310 to S330 in fig. 3, and is not described herein again.
The method for detecting the tampered path can comprise the following steps: detecting each path from a first SDN device node to each SDN device node in the topology structure information based on a vector analysis method to detect a tampered path in the SDN network. The method specifically comprises the following steps: acquiring preset path information; traversing each path information between each SDN device node from the first SDN device node; comparing the path information with predetermined path information; if the comparison result is consistent, the network detection result is normal; and if the comparison results are not consistent, the path information is used as a tampered path. The specific implementation is similar to step S502 and steps S502a to S502e in fig. 5, and will not be described herein again.
In step S714, it is determined whether a counterfeit node or a falsified path is detected.
If no counterfeit node or tampered path exists, step S716 is performed to determine that the network detection result is normal.
If the counterfeit node or the tampered path exists, step S718 is executed to acquire the counterfeit node and/or the tampered path to determine a risk level, and start corresponding emergency processing according to the risk level.
In some embodiments of the present disclosure, the risk levels may include high and low levels, with different risk levels corresponding to different emergency treatment methods. For example, the risk level may be determined based on the IP address classification of the discovered counterfeit nodes and/or tampered paths.
Taking fig. 4A as an example, if the address 192.178.2.2 of the counterfeit server 420d is a network address in the local area network, the risk is set to high level, the traffic of the counterfeit node is directly locked, and alarm information prompting the relevant personnel to immediately handle it is output; if the address is a network address in the external network, the risk is set to low level, the traffic of the counterfeit node is not locked, and only alarm information prompting the relevant personnel to immediately handle the traffic is output.
Taking fig. 6A as an example, if the detected tampered path 620a-620b-620e-620d is a local area network path, the risk is set to high level, the traffic of the tampered path is directly locked, and alarm information prompting the relevant personnel to immediately handle it is output; if the tampered path is an external network path, the risk is set to low level, and only alarm information prompting the relevant personnel to immediately handle the traffic is output, without locking the tampered path.
Different levels are classified for abnormal flow to output different alarm prompts, so that various abnormal conditions can be more flexibly dealt with, and the defense capability of the system is improved.
In step S720, feedback information for emergency processing is acquired.
The feedback information is information generated after a third party handles the network abnormality, wherein the third party may be a related person handling the network abnormality or a device specially used for handling the network abnormality.
In step S722, it is determined whether the counterfeit node and/or the tampered path is legitimate traffic according to the feedback information.
Wherein, the legal flow means that the counterfeit node and/or the tampered path detected by the controller are allowed.
If the feedback information indicates that the counterfeit node and/or the tampered path is legal traffic, step S724 is executed to update the predetermined path information.
If the feedback information indicates that the counterfeit node and/or the tampered path is illegal traffic, step S726 is executed to delete the counterfeit node and/or the tampered path.
By executing different processing modes according to different feedback information, the flexibility of processing the abnormal condition is improved, and the processing cost of the network fault is reduced.
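The flow of figs. 5 to 7, worked through on the fig. 6 addresses, as an added example that is not code from the patent: it builds the topology from source and destination addresses, finds the in-degree-0 first node, detects shared addresses by BFS and unexpected paths by DFS, then grades risk and applies feedback. The function names, the record layout, the constructed node 620x, reporting of missing baseline paths, and the treatment of 192.178.0.0/16 as the local network are assumptions of this example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# (node label, source address, destination addresses) as collected by the
# controller; the values are those of the fig. 6 walk-through on this page.
NORMAL = [
    ("620a", "192.178.1.1", ["192.178.1.2", "192.178.2.3", "192.178.2.2"]),
    ("620b", "192.178.1.2", ["192.178.2.3", "192.178.2.2"]),
    ("620c", "192.178.2.3", []),
    ("620d", "192.178.2.2", []),
]
HIJACKED = [
    ("620a", "192.178.1.1", ["192.178.1.2", "192.178.2.3", "192.178.2.2"]),
    ("620b", "192.178.1.2", ["192.178.2.3", "192.178.2.1"]),
    ("620c", "192.178.2.3", []),
    ("620d", "192.178.2.2", []),
    ("620e", "192.178.2.1", ["192.178.2.2"]),
]
# Constructed sample (not from the page): 620x reuses the address of 620d.
SPOOFED = NORMAL + [("620x", "192.178.2.2", [])]


def build_topology(records):
    """Return (adjacency by label, first node = the only in-degree-0 node)."""
    by_addr = defaultdict(list)
    for label, src, _ in records:
        by_addr[src].append(label)
    adj = {label: [n for d in dsts for n in by_addr.get(d, [])]
           for label, _, dsts in records}
    indegree = {label: 0 for label in adj}
    for targets in adj.values():
        for t in targets:
            indegree[t] += 1
    roots = [n for n, deg in indegree.items() if deg == 0]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one in-degree-0 node, got {roots}")
    return adj, roots[0]


def counterfeit_nodes(records):
    """BFS from the first node; labels sharing a network address are flagged."""
    adj, first = build_topology(records)
    addr_of = {label: src for label, src, _ in records}
    seen_addr, visited, queue = defaultdict(list), {first}, deque([first])
    while queue:
        node = queue.popleft()
        seen_addr[addr_of[node]].append(node)
        for nxt in adj[node]:
            if nxt not in visited:
                visited.add(nxt)
                queue.append(nxt)
    return sorted(n for ns in seen_addr.values() if len(ns) > 1 for n in ns)


def all_paths(records):
    """Iterative DFS: each path from the first node to a node with no next hop."""
    adj, first = build_topology(records)
    paths, stack = set(), [(first, (first,))]
    while stack:
        node, path = stack.pop()
        nxts = [n for n in adj[node] if n not in path]  # never loop back
        if not nxts:
            paths.add("-".join(path))
        for n in nxts:
            stack.append((n, path + (n,)))
    return paths


def tampered_paths(baseline, observed):
    """Return (observed paths not predetermined, predetermined paths missing)."""
    return sorted(observed - baseline), sorted(baseline - observed)


def risk_level(labels, records, local_nets):
    """'high' if every node involved has a local-network address, else 'low'."""
    addr_of = {label: src for label, src, _ in records}
    nets = [ip_network(n) for n in local_nets]
    local = all(any(ip_address(addr_of[l]) in net for net in nets)
                for l in labels)
    return "high" if local else "low"


def apply_feedback(baseline, path, legitimate):
    """S724: a path confirmed legitimate joins the predetermined set.
    Removing the flow itself (S726) is a controller action not modelled here."""
    return baseline | {path} if legitimate else baseline


if __name__ == "__main__":
    baseline = all_paths(NORMAL)
    unexpected, missing = tampered_paths(baseline, all_paths(HIJACKED))
    print("tampered:", unexpected, "missing:", missing)
    for p in unexpected:
        print(p, risk_level(p.split("-"), HIJACKED, ["192.178.0.0/16"]))
    print("counterfeit:", counterfeit_nodes(SPOOFED))
```

The local prefixes are passed in explicitly because 192.178.0.0/16 is not an RFC 1918 range, so a generic private-address test would grade the page's own example as external.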
Fig. 8 shows a schematic diagram of a network detection device in an embodiment of the present disclosure. As shown in fig. 8, the apparatus 800 includes:
an obtaining module 810, configured to obtain a connection relationship and a traffic flow direction of each SDN device node in a software defined network SDN network; a topology generating module 820, configured to generate topology structure information between SDN device nodes according to a connection relationship and a flow direction of each SDN device node; a topology ranking module 830, configured to obtain a first SDN device node according to the topology structure information; and a detection module 840, configured to traverse each SDN device node in the topology information from the first SDN device node to detect abnormal traffic in the SDN network.
In some embodiments of the disclosure, if the abnormal traffic includes a counterfeit node, the detecting module 840 further includes: the breadth-first detection module is used for sequentially traversing the network addresses of the SDN equipment nodes from the first SDN equipment node based on a breadth-first algorithm so as to detect whether SDN equipment nodes with the same network addresses exist or not; a first comparing module, configured to, if the SDN device nodes with the same network address exist, take the SDN device nodes with the same network address as counterfeit nodes; and if the SDN equipment nodes with the same network addresses do not exist, determining that the network detection result is normal.
In some embodiments of the disclosure, if the abnormal traffic includes a tampered path, the detecting module 840 further includes: the vector analysis detection module is used for detecting each path from the first SDN device node to each SDN device node in the topology structure information based on a vector analysis method so as to detect a tampered path in the SDN network.
In some embodiments of the present disclosure, the vector analysis detection module may specifically include: the predetermined path acquisition module is used for acquiring predetermined path information; a path traversal module, configured to traverse, from a first SDN device node, each path information between each SDN device node; the first comparison module compares the path information with the preset path information; if the comparison result is consistent, the network detection result is normal; and if the comparison results are not consistent, the path information is used as a tampered path.
In some embodiments of the present disclosure, the apparatus further comprises: and the grade determining module is used for acquiring the counterfeit nodes and/or the tampered paths to judge the risk grade and starting corresponding emergency treatment according to the risk grade.
In some embodiments of the disclosure, the apparatus further comprises: the feedback information acquisition module is used for acquiring feedback information aiming at emergency treatment; the legal flow processing module is used for updating the preset path information if the feedback information is legal flow; and the illegal flow processing module is used for deleting the counterfeit node and/or the tampered path if the feedback information is illegal flow.
In some embodiments of the present disclosure, the apparatus further comprises: the message acquisition module is used for acquiring a PacketIn message of an incoming data packet; and the topological structure updating module is used for updating the topological structure information based on the PacketIn message.
With regard to the network detection apparatus in the foregoing embodiment, the specific manner in which each module performs operations has been described in detail in the embodiment of the method, and will not be described in detail here.
It is to be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
An electronic device 900 according to this embodiment of the invention is described below with reference to fig. 9. The electronic device 900 shown in fig. 9 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present invention.
As shown in fig. 9, the electronic device 900 is embodied in the form of a general purpose computing device. Components of electronic device 900 may include, but are not limited to: the at least one processing unit 910, the at least one memory unit 920, and a bus 930 that couples various system components including the memory unit 920 and the processing unit 910.
The storage unit stores program code that is executable by the processing unit 910 to cause the processing unit 910 to perform steps according to various exemplary embodiments of the present invention described in the above section "exemplary methods" of the present specification. For example, the processing unit 910 may execute the steps shown in fig. 2: S210, acquiring a connection relationship and a traffic flow direction of each SDN device node in the software defined network (SDN); S220, generating topological structure information among the SDN device nodes according to the connection relationship and the flow direction of each SDN device node; S230, obtaining a first SDN device node according to the topological structure information; S240, traversing each SDN device node in the topology information from the first SDN device node to detect abnormal traffic in the SDN network.
The storage unit 920 may include a readable medium in the form of a volatile storage unit, such as a random access memory unit (RAM)9201 and/or a cache memory unit 9202, and may further include a read only memory unit (ROM) 9203.
Storage unit 920 may also include a program/utility 9204 having a set (at least one) of program modules 9205, such program modules 9205 including but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which or some combination thereof may comprise an implementation of a network environment.
Bus 930 can be any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 900 may also communicate with one or more external devices 900 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 900, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 900 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interface 950. Also, the electronic device 900 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet) via the network adapter 960. As shown, the network adapter 960 communicates with the other modules of the electronic device 900 via the bus 930. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
A program product for implementing the above method may employ a portable compact disc read-only memory (CD-ROM), include program code, and be run on a terminal device such as a personal computer. However, the program product of the present invention is not limited in this respect, and in this document, a readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A method for network detection, comprising:
acquiring a connection relation and a flow direction of each SDN equipment node in a Software Defined Network (SDN);
generating topology structure information among the SDN equipment nodes according to the connection relation and the flow direction of each SDN equipment node;
obtaining a first SDN device node according to the topological structure information; and
traversing the respective SDN device nodes in the topology information starting from the first SDN device node to detect abnormal traffic in the SDN network.
2. The method of claim 1, wherein the abnormal traffic comprises counterfeit nodes, and traversing the SDN device nodes from the first SDN device node to detect the abnormal traffic in the SDN network comprises:
sequentially traversing the network addresses of the SDN equipment nodes from the first SDN equipment node based on a breadth first algorithm so as to detect whether SDN equipment nodes with the same network addresses exist or not;
if the SDN equipment nodes with the same network address exist, the SDN equipment nodes with the same network address are used as counterfeit nodes; and
if the SDN equipment nodes with the same network addresses do not exist, determining that the network detection result is normal.
3. The method of claim 1, wherein the abnormal traffic comprises a tampered path, traversing the SDN device nodes in the topology information from the first SDN device node to detect abnormal traffic in the SDN network comprises:
detecting respective paths between the first SDN device node to the respective SDN device nodes in the topology information based on vector analysis to detect the tampered paths in the SDN network.
4. The method of claim 3, wherein detecting the respective paths between the first SDN device node to the respective SDN device nodes in the topology information based on vector analysis to detect the tampered paths in the SDN network comprises:
acquiring preset path information;
traversing respective path information between the respective SDN device nodes starting from the first SDN device node;
comparing the path information with the predetermined path information;
if the comparison result is consistent, the network detection result is normal; and
if the comparison result is inconsistent, taking the path information as a tampered path.
5. The network detection method according to any one of claims 2 to 4, characterized in that the method further comprises:
acquiring the counterfeit nodes and/or the tampered paths to determine a risk level, and starting corresponding emergency treatment according to the risk level.
6. The network detection method of claim 5, further comprising:
acquiring feedback information aiming at the emergency treatment;
if the feedback information is legal flow, updating the preset path information; and
if the feedback information is illegal flow, deleting the counterfeit node and/or the tampered path.
7. The network detection method of claim 1, wherein the method comprises:
acquiring a PacketIn message of an incoming data packet;
updating the topology information based on the PacketIn message.
8. A network sensing apparatus, comprising:
an acquisition module, configured to acquire the connection relationship and the traffic flow direction of each SDN device node in a software defined network (SDN);
a topology generation module, configured to generate topology structure information between the SDN device nodes according to a connection relationship and a traffic flow direction of each SDN device node;
a topology sequencing module, configured to obtain a first SDN device node according to the topology structure information; and
a detection module configured to traverse the SDN device nodes in the topology information from the first SDN device node to detect abnormal traffic in the SDN network.
9. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the network detection method of any one of claims 1-7 via execution of the executable instructions.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the network detection method according to any one of claims 1 to 7.
CN202210370081.9A 2022-04-08 2022-04-08 Network detection method and device, storage medium and electronic equipment Active CN114978580B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210370081.9A CN114978580B (en) 2022-04-08 2022-04-08 Network detection method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN114978580A true CN114978580A (en) 2022-08-30
CN114978580B CN114978580B (en) 2023-09-29

Family

ID=82978125

Country Status (1)

Country Link
CN (1) CN114978580B (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计系统技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
CN106131027A (en) * 2016-07-19 2016-11-16 北京工业大学 A kind of exception flow of network based on software defined network detection system of defense
CN106357622A (en) * 2016-08-29 2017-01-25 北京工业大学 Network anomaly flow detection and defense system based on SDN (software defined networking)
CN106572107A (en) * 2016-11-07 2017-04-19 北京科技大学 Software defined network-oriented DDoS attack defense system and method
CN107196816A (en) * 2016-03-14 2017-09-22 中国移动通信集团江西有限公司 Anomalous traffic detection method, system and Network analyzing equipment
CN107992746A (en) * 2017-12-14 2018-05-04 华中师范大学 Malicious act method for digging and device
CN109088901A (en) * 2018-10-31 2018-12-25 杭州默安科技有限公司 Deception defence method and system based on SDN building dynamic network
KR20190049323A (en) * 2017-11-01 2019-05-09 숭실대학교산학협력단 SDN for preventing malware attack and controller including the same
JP2019092039A (en) * 2017-11-14 2019-06-13 日本電信電話株式会社 Attack detection method, attack detection device, and communication system
CN111010362A (en) * 2019-03-20 2020-04-14 新华三技术有限公司 Monitoring method and device for abnormal host
US10860622B1 (en) * 2015-04-06 2020-12-08 EMC IP Holding Company LLC Scalable recursive computation for pattern identification across distributed data processing nodes
CN112261052A (en) * 2020-10-23 2021-01-22 中国人民解放军战略支援部队信息工程大学 SDN data plane abnormal behavior detection method and system based on flow rule analysis
EP3772005A1 (en) * 2019-08-02 2021-02-03 CrowdStrike, Inc. Visualization and control of remotely monitored hosts
CN112929200A (en) * 2021-01-07 2021-06-08 浙江工商大学 SDN multi-controller oriented anomaly detection method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
XIAOHAN ZHANG ET AL: "A solution for ARP attacks in software defined network", 《AIIPCC 2021》 *
王铭鑫 et al.: "An abnormal traffic detection method based on entropy calculation in SDN", 《研究与开发》 (Research and Development) *

Also Published As

Publication number Publication date
CN114978580B (en) 2023-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant