CN114978580B - Network detection method and device, storage medium and electronic equipment - Google Patents

Publication number: CN114978580B (application CN202210370081.9A; earlier publication CN114978580A)
Authority: CN (China)
Prior art keywords: sdn, network, node, nodes, path
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Original language: Chinese (zh)
Inventors: 孟阼君, 张建宇, 姚晓辉, 王锦华
Current and original assignee: China Telecom Corp Ltd

Classifications (CPC)

    • H04L 63/1408: Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic (under H04L 63/00 and H04L 63/14)
    • H04L 41/12: Discovery or management of network topologies (under H04L 41/00, arrangements for maintenance, administration or management of data switching networks)
    • H04L 43/0876: Network utilisation, e.g. volume of load or congestion level (under H04L 43/00, arrangements for monitoring or testing data switching networks, and H04L 43/08, monitoring or testing based on specific metrics)

Abstract

The disclosure provides a network detection method and device, a storage medium and an electronic device, and relates to the technical field of communication. The method comprises the following steps: acquiring the connection relations and traffic flow directions of all SDN device nodes in a software-defined network (SDN); generating topology structure information among the SDN device nodes according to those connection relations and flow directions; obtaining a first SDN device node from the topology structure information; and traversing each SDN device node in the topology information, starting from the first SDN device node, to detect abnormal traffic in the SDN network. The method can detect network traffic without changing the existing network architecture, and has higher security and lower implementation difficulty.

Description

Network detection method and device, storage medium and electronic equipment
Technical Field
The disclosure relates to the field of communication technologies, and in particular, to a network detection method and device, a storage medium, and an electronic device.
Background
An OpenFlow-based software-defined network (SDN) is one implementation of network virtualization. Its core technology, OpenFlow, separates the control plane of a network device from its data plane, so that network traffic can be controlled flexibly, the network becomes a smarter pipe, and a good platform is provided for innovation in the core network and in applications.
However, because of weaknesses in SDN networks and their default configurations, the flow tables of SDN switches can be tampered with, which in turn introduces a range of network security risks. How to improve the security of an SDN network is a technical problem that needs to be solved in the art.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The disclosure aims to provide a network detection method and device, a storage medium and an electronic device, which at least to some extent overcome the problem of poor security of SDN networks in the related art.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the present disclosure, there is provided a network detection method, including: acquiring the connection relations and traffic flow directions of all SDN device nodes in a software-defined network (SDN); generating topology structure information among the SDN device nodes according to those connection relations and flow directions; obtaining a first SDN device node from the topology structure information; and traversing each SDN device node in the topology information, starting from the first SDN device node, to detect abnormal traffic in the SDN network.
In some embodiments of the present disclosure, the abnormal traffic comprises a counterfeit (spoofed) node, and traversing each SDN device node from the first SDN device node to detect the abnormal traffic in the SDN network comprises: traversing the network addresses of all SDN device nodes in turn, starting from the first SDN device node, based on a breadth-first algorithm, to detect whether SDN device nodes with the same network address exist; if SDN device nodes with the same network address exist, treating those SDN device nodes as counterfeit nodes; and if no SDN device nodes with the same network address exist, determining that the network detection result is normal.
In some embodiments of the present disclosure, the abnormal traffic comprises a tampered path, and traversing each SDN device node in the topology information from the first SDN device node to detect the abnormal traffic in the SDN network comprises: detecting each path from the first SDN device node to each SDN device node in the topology information based on vector analysis, to detect a tampered path in the SDN network.
In some embodiments of the present disclosure, detecting each path from the first SDN device node to each SDN device node in the topology information based on vector analysis, to detect a tampered path in the SDN network, includes: acquiring predetermined path information; traversing each path among the SDN device nodes, starting from the first SDN device node; comparing each traversed path with the predetermined path information; if the comparison is consistent, the network detection result is normal; and if the comparison is inconsistent, treating that path as a tampered path.
In some embodiments of the present disclosure, the method further comprises: acquiring the counterfeit nodes and/or tampered paths to judge a risk level, and starting the corresponding emergency handling according to the risk level.
In some embodiments of the present disclosure, the method further comprises: acquiring feedback information on the emergency handling; if the feedback information indicates legitimate traffic, updating the predetermined path information; and if the feedback information indicates illegitimate traffic, deleting the counterfeit node and/or the tampered path.
In some embodiments of the present disclosure, the method further comprises: acquiring a PacketIn message (the packet-in message an SDN device sends to the controller for a packet it cannot match locally); and updating the topology information based on the PacketIn message.
According to still another aspect of the present disclosure, there is provided a network detection apparatus including: an acquisition module for acquiring the connection relations and traffic flow directions of the SDN device nodes in a software-defined network (SDN); a topology generation module for generating topology structure information among the SDN device nodes according to those connection relations and flow directions; a topology ordering module for obtaining a first SDN device node from the topology structure information; and a detection module for traversing each SDN device node in the topology information, starting from the first SDN device node, to detect abnormal traffic in the SDN network.
According to still another aspect of the present disclosure, there is provided an electronic apparatus including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the network detection method described above via execution of the executable instructions.
According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network detection method described above.
The network detection method provided by the embodiment of the disclosure has at least the following beneficial effects:
By acquiring and analysing the real-time connection relations and traffic flow directions of each SDN device node, the method of the application can detect network traffic without changing the existing SDN network architecture, and has higher security and lower implementation difficulty.
Further, because detection is performed on the network topology structure information, the complexity of the network traffic situation is reduced, the scale of the network is simplified, and the amount of computation needed for detection is reduced.
Furthermore, because the detection starting point is determined first in the network topology information, all network nodes can be traversed faster, which improves the efficiency of detecting network nodes in the SDN network.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
Fig. 1A illustrates an architecture schematic of an SDN network in some embodiments of the present disclosure.
Fig. 1B illustrates an application scenario diagram of a network detection method in some embodiments of the present disclosure.
Fig. 2 illustrates a flow chart of a network detection method in some embodiments of the present disclosure.
Fig. 3 illustrates a method flow diagram for detecting a counterfeit node in a network detection method in some embodiments of the present disclosure.
Fig. 4A illustrates a schematic diagram of a scenario in which a counterfeit node is detected in a network detection method according to some embodiments of the present disclosure.
Fig. 4B illustrates a topology information diagram of the absence of a counterfeit node in a network detection method in some embodiments of the present disclosure.
Fig. 4C illustrates a topology information diagram of the presence of a counterfeit node in yet another network detection method in some embodiments of the present disclosure.
Fig. 5 illustrates a method flow diagram for detecting a tampered path in a network detection method in some embodiments of the present disclosure.
Fig. 6A illustrates a schematic view of a scenario in which a tampered path is detected in a network detection method in some embodiments of the present disclosure.
Fig. 6B illustrates a topology information graph with no tampered path in a network detection method in some embodiments of the present disclosure.
Fig. 6C illustrates a topology information graph in which a tampered path is present in yet another network detection method in some embodiments of the present disclosure.
Fig. 7 illustrates a method flow diagram of yet another network detection method in some embodiments of the present disclosure.
Fig. 8 shows a schematic diagram of a network detection device in an embodiment of the disclosure.
Fig. 9 shows a block diagram of a network detection computer device in an embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present disclosure, the meaning of "a plurality" is at least two, such as two, three, etc., unless explicitly specified otherwise.
In view of the technical problems in the related art, embodiments of the present disclosure provide a network detection method for at least solving one or all of the technical problems.
As shown in Fig. 1A, the SDN network is built on an OpenFlow-based control layer 100b and forwarding layer 100a, with a service layer 100c added that can call the control layer 100b through an API. The service layer 100c is the platform of a network operating system: a user can develop and run the required application programs in the service layer 100c; the application programs call the control layer 100b; and the control layer 100b issues the application programs' execution commands to the SDN devices (SDN switches) 110 in the form of flow tables, so that the network devices carry them out. That is, SDN is not a specific network protocol but a network architecture. Various interface protocols may be included in such a framework, for example the SDN controller 130 interacting with the SDN devices 110 through a southbound interface protocol such as OpenFlow, and service applications interacting with the SDN controller 130 through northbound APIs. An SDN-based network architecture is therefore more systematic and has better sensing, management and control capabilities, pushing the network to develop in a new direction.
The SDN controller 130 is an application in the software-defined network that is responsible for flow control: it tells the switches where to send packets by issuing flow tables. In fact, the SDN controller 130 is a logically centralised entity with two main tasks: converting requests from the SDN application layer into SDN datapath configuration, and providing SDN applications with an abstract model of the underlying network (which may include its state and events). An SDN controller 130 comprises three parts: a northbound interface agent, the SDN control logic, and the control-to-data-plane interface driver. The SDN controller 130 only needs to be logically complete, so it may consist of multiple controller instances or a hierarchical controller cluster; geographically, all controller instances may be in the same location, or multiple instances may be dispersed across different locations.
The OpenFlow standard protocol allows the SDN controller 130 to directly access and operate the forwarding plane of the SDN devices 110, which may be physical devices or virtual routers or switches. With OpenFlow, all control functions are concentrated in the remote SDN controller, while the SDN device is only responsible for simple, high-speed data forwarding locally; in SDN devices 110 using the OpenFlow standard, data forwarding is based on the flow table.
The SDN controller 130 works together with the SDN device 110: the SDN device 110 is only responsible for forwarding data packets, and all flow entries in its flow table are issued by the SDN controller 130 that controls it. When the SDN device 110 receives a packet, it matches the packet's fields against the locally stored flow entries in priority order and acts on the packet according to the instructions and actions of the matching entry.
Based on the SDN technology described above, fig. 1B illustrates an application scenario schematic of a network detection method in some embodiments of the present disclosure. As shown in fig. 1B, the SDN network includes an SDN device 110, an SDN controller 130, and a Secure Channel (Secure Channel) between the SDN device 110 and the SDN controller 130.
The SDN controller 130 is a virtual network control centre that generates flow tables according to the user's configuration or a dynamically running protocol and sends them to the SDN devices 110.
The SDN device 110 is configured to receive the flow tables issued by the SDN controller 130, process messages according to those flow tables, and report device state and events, such as an interface going UP or DOWN, to the SDN controller 130. The SDN device 110 may be an access controller (Access Point Controller, AC) or an AP.
The dashed lines in Fig. 1B are the secure channels that carry the communication between the SDN controller 130 and the SDN devices 110.
An SDN device 110 may be configured with a single AP, such as server 120a, or with multiple APs, such as servers 120b, 120c and 120d; and one SDN controller may connect to multiple SDN devices 110.
The steps of the network detection method in the present exemplary embodiment will be described in more detail with reference to the accompanying drawings and examples.
Fig. 2 shows a flowchart of a network detection method in an embodiment of the disclosure. The method provided by the embodiments of the present disclosure may be performed by any electronic device having computing processing capabilities, such as SDN controller 130 in fig. 1A and 1B. In the following illustration, SDN controller 130 is illustrated as the execution subject.
As shown in fig. 2, the network detection method 200 provided in some embodiments of the present disclosure may include the following steps:
In step S210, a connection relationship and a flow direction of each SDN device node in the software defined network SDN network are obtained.
The connection relation and flow direction of each SDN device node are represented by the source address and destination addresses of each SDN network device, which the SDN controller acquires based on the Link Layer Discovery Protocol (LLDP) and the Broadcast Domain Discovery Protocol (BDDP); the addresses may be IP addresses or MAC addresses.
In step S220, topology information between the SDN device nodes is generated according to the connection relationship and the traffic flow direction of the SDN device nodes.
The topology structure information comprises the directed connections among the SDN device nodes and their connection relations, where the directed connections are derived from the source and destination addresses of the SDN device nodes; for example, the directed line segments connecting the SDN devices 110 in Fig. 1B.
In step S230, a first SDN device node is obtained from the topology information.
The first SDN device node is an SDN device node with no data input, that is, a node whose network address does not appear among the destination addresses of any SDN device node (it has zero in-degree in the topology). There may be one or more first SDN device nodes.
In step S240, traversing each SDN device node in the topology information from the first SDN device node to detect abnormal traffic in the SDN network.
In some embodiments of the present disclosure, abnormal traffic refers to traffic from attack events occurring in the SDN network, such as counterfeit nodes or tampered paths.
In some embodiments of the present disclosure, if there are multiple first SDN device nodes, the SDN device nodes connected to each of them are traversed starting from each first SDN device node, to detect whether an attack event of a counterfeit node or a tampered path exists in the SDN network.
When the abnormal traffic includes a counterfeit node, step S240 may include the method 300 for detecting a counterfeit node shown in Fig. 3. As shown in Fig. 3, the method 300 may include the following steps:
In step S302, the network addresses of the SDN device nodes are traversed in turn, starting from the first SDN device node, based on a breadth-first algorithm, to detect whether SDN device nodes with the same network address exist.
Detecting the topology structure information with the Breadth-First Search (BFS) algorithm may proceed as follows: find the other SDN device nodes connected to the first SDN device node in the topology structure information; detect those SDN device nodes first; then delete them from the topology structure information; search the remaining topology for the SDN device nodes that now have no input; then delete and detect again, and so on, until all SDN device nodes have been deleted, at which point the breadth-first detection of the SDN device nodes is complete.
In some embodiments of the present disclosure, the network addresses of the SDN device nodes are traversed in breadth-first order starting from the first SDN device node, and the traversed network addresses are stored in a stack or queue data structure to detect whether a counterfeit node is present.
In some embodiments of the present disclosure, if there are multiple first SDN device nodes, the one or more SDN device nodes connected to each first SDN device node are traversed in turn based on the breadth-first algorithm, and the SDN device nodes connected to each first SDN device node are stored in a stack or queue, to detect whether network nodes with the same network address exist in the SDN network.
In step S304, it is determined whether SDN device nodes with the same network address exist.
If one or more groups of SDN device nodes with the same network address exist, step S306 is executed: the SDN device nodes sharing a network address are regarded as counterfeit nodes.
If no SDN device nodes with the same network address exist, step S308 is executed: the network detection result is determined to be normal.
Fig. 4A shows a schematic diagram of a scenario in which a counterfeit node is detected by the network detection method in some embodiments of the present disclosure. As shown in Fig. 4A, the SDN network includes SDN devices 410a, 410b and 410c, and one or more APs configured on each SDN device; for example, SDN device 410a is configured with only one AP (server 420a), while SDN device 410c is configured with multiple APs (servers 420c and 420d). In the scenario of Fig. 4A, the spoofing server 420e spoofs the network address of server 420d (192.178.2.2) and is configured on SDN device 410b in order to hijack the traffic transmitted by server 420b to server 420d.
Fig. 4A covers two states: the normal network state before the spoofing server 420e appears, and the network conflict state after it appears.
In the normal state, the SDN controller 430 obtains the connection relations and flow directions of the access points 420a-420d connected to the SDN device nodes 410a, 410b and 410c in the SDN network.
For example, the SDN controller obtains: node 420a with source address 192.178.1.1 and destination addresses 192.178.1.2, 192.178.2.3 and 192.178.2.2; node 420b with source address 192.178.1.2 and destination addresses 192.178.2.3 and 192.178.2.2; node 420c with source address 192.178.2.3 and destination address Null; and node 420d with source address 192.178.2.2 and destination address Null.
The connection relation and flow direction of each network node are obtained from its source and destination addresses, and the topology structure information among the SDN device nodes shown in Fig. 4B is generated. Node 420a, which has zero inputs, is found first and taken as the first SDN device node. Traversing all SDN device nodes in the order 420a-420b-420c-420d from node 420a based on the breadth-first algorithm finds no SDN device nodes with the same network address, so the network detection result is normal.
When the spoofing server 420e appears and hijacks the traffic from node 420b to node 420d, the spoofing node is detected from the source and destination addresses of each SDN device node obtained by the controller.
Taking Fig. 4A as an example, the SDN controller obtains: node 420a with source address 192.178.1.1 and destination addresses 192.178.1.2, 192.178.2.3 and 192.178.2.2; the counterfeit node 420e with source address 192.178.2.2 and destination address Null; node 420b with source address 192.178.1.2 and destination addresses 192.178.2.3 and 192.178.2.2; node 420c with source address 192.178.2.3 and destination address Null; and node 420d with source address 192.178.2.2 and destination address Null.
The SDN controller obtains the connection relation and flow direction of each network node from its source and destination addresses and generates the topology structure information among the SDN device nodes shown in Fig. 4C. Node 420a, which has zero inputs, is again found first and taken as the first SDN device node. Traversing all SDN device nodes in the order 420a-420b-420e-420c-420d from node 420a based on the breadth-first algorithm finds that node 420e has the same network address as node 420d; at least one of 420d and 420e must therefore be a counterfeit node, and SDN device nodes 420d and 420e are both determined to be counterfeit nodes.
By constructing the topology structure information and combining it with the breadth-first algorithm, spoofing events in the SDN can be detected accurately and quickly, and network conflicts can be discovered and resolved immediately, which improves the security of the network.
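The following is an added example, written for this page and not code from the patent or from China Telecom, that runs steps S210-S240 and method 300 over a constructed record set matching the scenario of Fig. 4A. The node identifiers ("420a" and so on) and the record layout (node, own address, list of destination addresses) are assumptions; it is also assumed that the controller keys nodes by something other than the IP address (for example the switch port through which a node was learned), because otherwise two nodes sharing an address would collapse into one and the conflict could not be observed at all.

```python
# Added example: counterfeit-node detection over SDN topology information.
# Not the patent's own code; node ids, record layout and the assumption that
# nodes are keyed by something other than their IP address are all assumptions.
from collections import defaultdict, deque

# Constructed input: node id -> (own/source address, list of destination addresses),
# following the address records given for Fig. 4A.
NORMAL_STATE = {
    "420a": ("192.178.1.1", ["192.178.1.2", "192.178.2.3", "192.178.2.2"]),
    "420b": ("192.178.1.2", ["192.178.2.3", "192.178.2.2"]),
    "420c": ("192.178.2.3", []),
    "420d": ("192.178.2.2", []),
}
# Conflict state: spoofing server 420e claims the address of 420d.
CONFLICT_STATE = dict(NORMAL_STATE, **{"420e": ("192.178.2.2", [])})


def build_topology(records):
    """Step S220: a directed edge from each node to every node whose own address
    is among its destination addresses. Returns node -> list of successors."""
    nodes_by_addr = defaultdict(list)
    for node, (addr, _) in records.items():
        nodes_by_addr[addr].append(node)
    adj = {node: [] for node in records}
    for node, (_, dsts) in records.items():
        for dst in dsts:
            for target in nodes_by_addr.get(dst, []):
                if target != node:
                    adj[node].append(target)
    return adj


def first_nodes(adj):
    """Step S230: nodes with no data input, i.e. whose address is nobody's destination."""
    has_input = {t for succs in adj.values() for t in succs}
    return sorted(n for n in adj if n not in has_input)


def detect_counterfeit_nodes(records):
    """Method 300: breadth-first traversal from the first node(s), recording the
    address of every node visited; an address seen on more than one node marks
    all of those nodes as counterfeit. Returns (visit order, counterfeit nodes)."""
    adj = build_topology(records)
    visited, order = set(), []
    nodes_by_addr = defaultdict(list)
    # Seeds: the first nodes, then any node still unvisited. A purely cyclic
    # region has no zero-input node and would otherwise never be reached.
    for seed in first_nodes(adj) + sorted(adj):
        if seed in visited:
            continue
        queue = deque([seed])
        visited.add(seed)
        while queue:
            node = queue.popleft()
            order.append(node)
            nodes_by_addr[records[node][0]].append(node)
            for succ in adj[node]:
                if succ not in visited:
                    visited.add(succ)
                    queue.append(succ)
    counterfeit = sorted(n for ns in nodes_by_addr.values() if len(ns) > 1 for n in ns)
    return order, counterfeit


if __name__ == "__main__":
    for label, state in (("normal", NORMAL_STATE), ("conflict", CONFLICT_STATE)):
        order, bad = detect_counterfeit_nodes(state)
        print(label, "order:", "-".join(order), "counterfeit:", bad or "none")
```

Two points worth noting when using this. The visited set is what makes the traversal terminate on a topology that contains a cycle; the delete-nodes-with-no-input procedure described above only terminates on an acyclic topology, since in a cycle no node ever reaches zero inputs. And, as in the patent's scenario, the check flags both 420d and 420e: the address conflict alone cannot say which of the two is the legitimate node, so the emergency-handling and feedback steps have to resolve that.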
In some embodiments of the present disclosure, if the abnormal traffic includes a tampered path, step S240 may further include detecting each path from the first SDN device node to each SDN device node in the topology information based on vector analysis, to detect tampered paths in the SDN network. A change in the direction of traffic is thereby detected as a change in a directed connection edge of the topology information, which helps prevent events such as malicious eavesdropping and improves network security.
Fig. 5 is taken as an example below.
When the abnormal traffic includes a tampered path, step S240 may include the method 500 for detecting a tampered path shown in Fig. 5. The method 500 may include the following steps:
in step S502, predetermined path information is acquired.
The predetermined path information is path information generated by the SDN controller according to the initial configuration of the SDN devices or a dynamically running protocol.
In step S504, each path information between each SDN device node is traversed from the first SDN device node.
In some embodiments of the present disclosure, depth-first search (DFS) may be used to output all path information. For example, when DFS performs the path search, a stack holds the sequence of network nodes on the path being searched, and a node is only processed after all of its neighbouring nodes have been pushed onto the stack.
In step S506, the path information is compared with the predetermined path information to determine whether the path information is identical to the predetermined path information.
In some embodiments of the present disclosure, the controller stores all the searched network paths and compares them one by one with the predetermined path information, obtaining a comparison result for each path, in order to detect whether a tampered path exists.
If the comparison results are consistent, step S508 is executed, and the network detection result is normal.
If the comparison result is inconsistent, step S510 is executed, and the path information is used as a tampered path.
There may be one or more tampered paths.
Fig. 6A illustrates a schematic diagram of a scenario in which a tampered path is detected in a network detection method according to some embodiments of the present disclosure. As shown in fig. 6A, the SDN network includes SDN devices 610a, 610b, and 610c, each SDN device having one or more APs configured on it; for example, SDN device 610a has only one AP (server 620a), while SDN device 610c has multiple APs (servers 620c and 620d). In the scenario of fig. 6A, server 620e intercepts the traffic from server 620b to server 620d and redirects it through itself, so that it can eavesdrop on the traffic without being easily discovered.
Fig. 6A shows two states: the normal network state before the eavesdropping server 620e appears, and the malicious eavesdropping state after the eavesdropping server 620e has tampered with the path.
In the normal state, SDN controller 630 obtains the connection relationship and flow direction of the access points 620a-620d connected to the respective SDN device nodes 610a, 610b, and 610c in the SDN network.
For example, the SDN controller obtains, for node 620a, a source address 192.178.1.1 and destination addresses 192.178.1.2, 192.178.2.3, and 192.178.2.2; node 620b has a source address of 192.178.1.2 and destination addresses of 192.178.2.3 and 192.178.2.2; node 620c has a source address of 192.178.2.3 and a destination address of Null; node 620d has a source address of 192.178.2.2 and a destination address of Null.
The connection relationship and flow direction of each network node are obtained from its source and destination addresses, and the topology information between the SDN device nodes shown in fig. 6B is generated. Node 620a, which has no incoming traffic (in-degree 0), is found first and taken as the first SDN device node. Each path between the SDN device nodes in the topology information is then detected by vector analysis, which includes traversing the path information between the SDN device nodes starting from node 620a. For example, in fig. 6B, all path information may be obtained with the DFS algorithm: {620a-620b-620c}, {620a-620b-620d}, {620a-620c}, {620a-620d}. Each path is compared with the predetermined path information, i.e. the predetermined path information base of the normal state, {620a-620b-620c}, {620a-620b-620d}, {620a-620c}, {620a-620d}; if no path inconsistent with the predetermined path information is found, the network detection result is normal.
When the eavesdropping server 620e is inserted between server 620b and server 620d and intercepts the traffic from node 620b to node 620d, the tampered path can be detected from the source and destination addresses of each SDN device node acquired by the controller.
Taking fig. 6A as an example, the SDN controller obtains, for node 620a, a source address 192.178.1.1 and destination addresses 192.178.1.2, 192.178.2.3, and 192.178.2.2; node 620b has a source address of 192.178.1.2 and destination addresses of 192.178.2.3 and 192.178.2.1; node 620c has a source address of 192.178.2.3 and a destination address of Null; node 620d has a source address of 192.178.2.2 and a destination address of Null; node 620e has a source address of 192.178.2.1 and a destination address of 192.178.2.2.
The connection relationship and flow direction of each node are obtained from its source and destination addresses, and the topology information between the SDN device nodes shown in fig. 6C is generated. Traversing all paths from 620a by vector analysis yields {620a-620b-620c}, {620a-620b-620e-620d}, {620a-620c}, {620a-620d}. These are compared with the predetermined path information; since the found path 620a-620b-620e-620d does not match the predetermined path 620a-620b-620d, the path 620a-620b-620e-620d is determined to be a tampered path.
The method checks the consistency of the paths in the topology information by a vector analysis method, thereby detecting tampering with the network flow direction, preventing events such as network interception and man-in-the-middle attacks, effectively improving network security, and reducing the complexity and computational cost of network detection.
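The fig. 6 walkthrough above, as an added Python example that is not code from the patent: it builds the directed topology from the per-node source and destination addresses given in the description, picks the node with no incoming edge as the first SDN device node, enumerates every complete path from it by DFS, and reports the paths missing from the predetermined set. The node identifiers and addresses are those of the description; the data structures, function names and the tuple representation of a path are this example's own.

```python
"""Tampered-path detection for the fig. 6A-6C scenario (added example, not the patent's code)."""

# Constructed from the description: node -> (source address, [destination addresses]).
# An empty destination list corresponds to the "Null" destination in the text.
NORMAL_STATE = {
    "620a": ("192.178.1.1", ["192.178.1.2", "192.178.2.3", "192.178.2.2"]),
    "620b": ("192.178.1.2", ["192.178.2.3", "192.178.2.2"]),
    "620c": ("192.178.2.3", []),
    "620d": ("192.178.2.2", []),
}

# Same network after 620e has inserted itself between 620b and 620d (fig. 6C).
TAMPERED_STATE = {
    "620a": ("192.178.1.1", ["192.178.1.2", "192.178.2.3", "192.178.2.2"]),
    "620b": ("192.178.1.2", ["192.178.2.3", "192.178.2.1"]),
    "620c": ("192.178.2.3", []),
    "620d": ("192.178.2.2", []),
    "620e": ("192.178.2.1", ["192.178.2.2"]),
}

# Predetermined path information base of the normal state, as paths are tuples of node ids.
PREDETERMINED_PATHS = [
    ("620a", "620b", "620c"),
    ("620a", "620b", "620d"),
    ("620a", "620c"),
    ("620a", "620d"),
]


def build_topology(state):
    """Directed edges node -> [next nodes], resolved by matching destination to source addresses."""
    node_by_addr = {src: node for node, (src, _) in state.items()}
    return {
        node: [node_by_addr[d] for d in dsts if d in node_by_addr]
        for node, (_, dsts) in state.items()
    }


def first_node(topology):
    """The SDN device node with no incoming edge (in-degree 0); the description calls it the first node."""
    targets = {t for nexts in topology.values() for t in nexts}
    roots = [n for n in topology if n not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one first node, found {roots}")
    return roots[0]


def all_paths(topology, start):
    """Iterative DFS from start; a path ends at a node with no unvisited successor."""
    paths = []
    stack = [(start, (start,))]
    while stack:
        node, path = stack.pop()
        nexts = [n for n in topology.get(node, []) if n not in path]  # cycle guard
        if not nexts:
            paths.append(path)
            continue
        for nxt in nexts:
            stack.append((nxt, path + (nxt,)))
    return paths


def detect_tampered_paths(state, predetermined):
    """Steps S502-S510: every traversed path absent from the predetermined set is a tampered path."""
    topology = build_topology(state)
    found = set(all_paths(topology, first_node(topology)))
    return sorted(found - set(predetermined))


if __name__ == "__main__":
    print("normal:  ", detect_tampered_paths(NORMAL_STATE, PREDETERMINED_PATHS))
    print("tampered:", detect_tampered_paths(TAMPERED_STATE, PREDETERMINED_PATHS))
```

Two practical caveats. Enumerating all paths is exponential in dense topologies, so a controller with many devices will want to compare the set of directional edges (the "directional connection edges" the description mentions) rather than whole paths; an inserted node shows up there as one unexpected edge. And a set difference in this direction only reports new paths, so a predetermined path that silently disappears is not flagged unless the reverse difference is also checked.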
Fig. 7 illustrates a method flow diagram of yet another network detection method in some embodiments of the present disclosure. As shown in fig. 7, the method may include the steps of:
In step S702, the connection relationship and flow direction of each SDN device node in the software defined network (SDN) are obtained.
Step S702 is similar to step S210, and will not be described here again.
In step S704, topology information between the SDN device nodes is generated according to the connection relationship and the traffic flow direction of the SDN device nodes.
Step S704 is similar to step S220, and will not be described again.
In some embodiments of the present disclosure, the method further includes step S706, in which the SDN controller obtains an input data packet (PacketIn) message sent by an SDN device.
In step S708, the topology information is updated based on the PacketIn message.
The input data packet (PacketIn) message is a message sent by an SDN device to the SDN controller: the SDN device submits a data packet request to the controller through the PacketIn message so that the controller forwards it to the SDN device node of the destination address, and while forwarding, the SDN controller updates the network topology information among the SDN device nodes based on the PacketIn message.
The method of the present application updates the network topology information in real time according to PacketIn messages, with advantages such as high accuracy, good timeliness, and low cost.
In step S710, a first SDN device node is obtained from the topology information.
In step S712, each SDN device node in the topology information is traversed from the first SDN device node to detect counterfeit nodes and tampered paths in the SDN network.
The method for detecting a counterfeit node may include the following steps: traversing the network addresses of all SDN device nodes in sequence from the first SDN device node based on a breadth-first algorithm, to detect whether SDN device nodes with the same network address exist; if SDN device nodes with the same network address exist, taking the SDN device nodes with the same network address as counterfeit nodes; and if no SDN device nodes with the same network address exist, determining that the network detection result is normal. The specific embodiment is similar to steps S310 to S330 in fig. 3 and will not be described here again.
The method for detecting a tampered path may include the following steps: each path from the first SDN device node to each SDN device node in the topology information is detected based on vector analysis to detect a tampered path in the SDN network. Specifically, the method includes: acquiring predetermined path information; traversing each piece of path information among the SDN device nodes from the first SDN device node; comparing the path information with the predetermined path information; if the comparison results are consistent, the network detection result is normal; and if the comparison results are inconsistent, taking the path information as a tampered path. The specific embodiment is similar to the steps S502 and steps S502a to S502e in fig. 5 and will not be described here again.
In step S714, it is determined whether a counterfeit node or a tampered path is detected.
If no counterfeit node or tampered path exists, step S716 is executed to determine that the network detection result is normal.
If a counterfeit node or a tampered path exists, in step S718 the counterfeit node and/or the tampered path is obtained to determine a risk level, and the corresponding emergency processing is started according to the risk level.
In some embodiments of the present disclosure, the risk level may include a high level and a low level, and the emergency treatment methods corresponding to different risk levels are different. For example, the risk level may be judged based on the IP address classification of the discovered counterfeit node and/or the tampered path.
Taking fig. 4A as an example, if the address 192.178.2.2 of the counterfeit server 420d is a network address in the local area network, the risk is set to high, the traffic of the counterfeit node is blocked directly, and alarm information prompting the relevant personnel to process it immediately is output; if the address is a network address in the external network, the risk is set to low, the traffic of the counterfeit node is not blocked, and only alarm information prompting the relevant personnel to process it immediately is output.
Taking fig. 6A as an example, if the detected tampered path 620a-620b-620e-620d is a LAN path, the risk is set to high, the traffic of the tampered path is blocked directly, and alarm information prompting the relevant personnel to process it immediately is output; if the tampered path is an external network path, the risk is set to low, the traffic of the tampered path is not blocked, and only alarm information prompting the relevant personnel to process it immediately is output.
Dividing abnormal traffic into different grades and outputting different warning prompts lets various abnormal conditions be handled more flexibly and improves the defensive capability of the system.
In step S720, feedback information for emergency processing is acquired.
The feedback information is generated after a third party has processed the network abnormality; the third party may be personnel responsible for handling network abnormalities or equipment dedicated to handling them.
In step S722, it is determined whether the counterfeit node and/or the tampered path is legal traffic according to the feedback information.
Legal traffic means that the counterfeit node and/or tampered path detected by the controller is allowed.
If the feedback information indicates that the counterfeit node and/or the tampered path is legal, step S724 is executed to update the predetermined path information.
If the feedback information indicates that the counterfeit node and/or the tampered path is illegal, step S726 is performed to delete the counterfeit node and/or the tampered path.
Executing different processing according to the feedback information improves the flexibility of handling abnormal conditions and reduces the cost of handling network faults.
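Steps S712 to S726 for the counterfeit-node case, as an added Python example that is not code from the patent: a breadth-first traversal from the first node groups nodes by network address and flags any address carried by more than one node, the finding is graded high or low by whether the address lies in the local area network, the emergency action follows from the grade (block and alert, or alert only), and third-party feedback either records the duplicate as legal or deletes the counterfeit nodes from the topology. The topology, addresses and LAN prefix are constructed for illustration (420d reusing 192.178.2.2 follows the fig. 4A scenario the description mentions), and the convention that the feedback names which duplicate nodes are illegal is this example's assumption, since the description does not say which of the same-address nodes is deleted.

```python
"""Counterfeit-node detection, risk grading and feedback handling (added example, not the patent's code)."""
from collections import deque
import ipaddress

# Constructed: node -> network address; 420d is the counterfeit node reusing 420c's address.
ADDRESSES = {
    "420a": "192.178.1.1",
    "420b": "192.178.1.2",
    "420c": "192.178.2.2",
    "420d": "192.178.2.2",
}
# Constructed directed topology: node -> [next nodes]; 420a has in-degree 0 and is the first node.
TOPOLOGY = {"420a": ["420b"], "420b": ["420c", "420d"], "420c": [], "420d": []}

# Assumption: the local area network is a single known prefix; anything outside it is "external".
LAN_PREFIXES = (ipaddress.ip_network("192.178.0.0/16"),)


def find_counterfeit_nodes(topology, addresses, start):
    """BFS from the first node (steps S712/S714): addresses seen on more than one node mark counterfeit nodes."""
    seen = {start}
    nodes_by_addr = {}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        nodes_by_addr.setdefault(addresses[node], []).append(node)
        for nxt in topology.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {addr: nodes for addr, nodes in nodes_by_addr.items() if len(nodes) > 1}


def risk_level(address):
    """Grading rule from the description: a LAN address is high risk, an external address is low risk."""
    ip = ipaddress.ip_address(address)
    return "high" if any(ip in net for net in LAN_PREFIXES) else "low"


def emergency_action(level):
    """High risk: block the node's traffic and alert; low risk: alert only."""
    return {"block_traffic": level == "high", "alert": True}


def run_detection(topology, addresses, start, allowed_duplicates):
    """Steps S714-S718: grade and act on every duplicate address not already accepted as legal traffic."""
    findings = []
    for addr, nodes in find_counterfeit_nodes(topology, addresses, start).items():
        if addr in allowed_duplicates:
            continue
        level = risk_level(addr)
        findings.append({"address": addr, "nodes": nodes, "level": level, "action": emergency_action(level)})
    return findings


def apply_feedback(topology, addresses, allowed_duplicates, address, illegal_nodes):
    """Steps S720-S726. No illegal nodes named: the duplicate is legal traffic and is recorded as allowed.
    Otherwise the named counterfeit nodes and their edges are deleted from the topology (mutates in place)."""
    if not illegal_nodes:
        allowed_duplicates.add(address)
        return
    for node in illegal_nodes:
        topology.pop(node, None)
        addresses.pop(node, None)
        for nexts in topology.values():
            if node in nexts:
                nexts.remove(node)


if __name__ == "__main__":
    allowed = set()
    topo = {k: list(v) for k, v in TOPOLOGY.items()}
    addrs = dict(ADDRESSES)
    for f in run_detection(topo, addrs, "420a", allowed):
        print(f)
        # Feedback from the third party (constructed): 420d is illegal and is removed.
        apply_feedback(topo, addrs, allowed, f["address"], ["420d"])
    print("after feedback:", run_detection(topo, addrs, "420a", allowed))
```

The allowed set is the counterpart, for nodes, of updating the predetermined path information in step S724: once a duplicate has been confirmed legal it is not re-alerted on the next detection pass, which is what keeps the alert volume proportional to genuinely new anomalies.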
Fig. 8 shows a schematic diagram of a network detection device in an embodiment of the disclosure. As shown in fig. 8, the apparatus 800 includes:
an obtaining module 810, configured to obtain a connection relationship and a flow direction of each SDN device node in the software defined network SDN; a topology generation module 820, configured to generate topology structure information between the SDN device nodes according to the connection relationship and the traffic flow direction of the SDN device nodes; a topology ordering module 830, configured to obtain a first SDN device node according to topology structure information; and a detection module 840 for traversing each SDN device node in the topology information from the first SDN device node to detect abnormal traffic in the SDN network.
In some embodiments of the present disclosure, the abnormal traffic includes a counterfeit node, and the detection module 840 further includes: the breadth first detection module is used for traversing network addresses of all SDN device nodes from the first SDN device node in sequence based on a breadth first algorithm so as to detect whether SDN device nodes with the same network address exist; a first comparison module, configured to take the SDN device node with the same network address as a counterfeit node if the SDN device node with the same network address exists; and if the SDN equipment nodes with the same network address do not exist, determining that the network detection result is normal.
In some embodiments of the present disclosure, where the abnormal traffic includes a tampered path, the detection module 840 further includes: the vector analysis detection module is used for detecting each path from the first SDN device node to each SDN device node in the topological structure information based on a vector analysis method so as to detect a tampered path in the SDN network.
In some embodiments of the present disclosure, the vector analysis detection module may specifically include: the preset path acquisition module is used for acquiring preset path information; a path traversing module, configured to traverse each path information between each SDN device node from a first SDN device node; a first comparison module comparing the path information with predetermined path information; if the comparison results are consistent, the network detection result is normal; and if the comparison results are inconsistent, taking the path information as a tampered path.
In some embodiments of the present disclosure, the apparatus further comprises: the grade determining module is used for acquiring the counterfeit nodes and/or the tampered paths to judge the risk grade, and starting corresponding emergency treatment according to the risk grade.
In some embodiments of the present disclosure, the apparatus further comprises: the feedback information acquisition module is used for acquiring feedback information aiming at emergency treatment; the legal flow processing module is used for executing updating the preset path information if the feedback information is legal flow; and the illegal flow processing module is used for deleting the counterfeit node and/or the tampered path if the feedback information is illegal flow.
In some embodiments of the present disclosure, the apparatus further comprises: the message acquisition module is used for acquiring an input data packet PacketIn message; and the topology structure updating module is used for updating the topology structure information based on the PacketIn message.
The specific manner in which the respective modules perform the operations of the network detection device in the above embodiment is described in detail in the embodiment related to the method, and will not be described in detail here.
It is noted that the above-described figures are only schematic illustrations of processes involved in a method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
An electronic device 900 according to such an embodiment of the invention is described below with reference to fig. 9. The electronic device 900 shown in fig. 9 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 9, the electronic device 900 is embodied in the form of a general purpose computing device. Components of electronic device 900 may include, but are not limited to: the at least one processing unit 910, the at least one storage unit 920, and a bus 930 connecting the different system components (including the storage unit 920 and the processing unit 910).
The storage unit stores program code that is executable by the processing unit 910, such that the processing unit 910 performs steps according to the various exemplary embodiments of the present invention described in the "exemplary methods" section of this specification. For example, the processing unit 910 may perform S210 as shown in fig. 2, obtaining a connection relationship and a traffic flow direction of each SDN device node in the software defined network (SDN); S220, generating topology structure information among the SDN device nodes according to the connection relationship and flow direction of the SDN device nodes; S230, obtaining a first SDN device node according to the topology structure information; and S240, traversing each SDN device node in the topology information from the first SDN device node to detect abnormal traffic in the SDN network.
The storage unit 920 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 9201 and/or cache memory 9202, and may further include Read Only Memory (ROM) 9203.
The storage unit 920 may also include a program/utility 9204 having a set (at least one) of program modules 9205, such program modules 9205 include, but are not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus 930 may be one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 900 may also communicate with one or more external devices 900 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 900, and/or with any device (e.g., router, modem, etc.) that enables the electronic device 900 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 950. Also, electronic device 900 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 960. As shown, the network adapter 960 communicates with other modules of the electronic device 900 over the bus 930. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 900, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
A program product for implementing the above-described method according to an embodiment of the present invention may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any adaptations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A network detection method, comprising:
acquiring connection relations and flow directions of all SDN equipment nodes in the software defined network SDN;
generating topology structure information among the SDN equipment nodes according to the connection relation and the flow direction of the SDN equipment nodes;
acquiring a first SDN device node according to the topological structure information; and
traversing the respective SDN device nodes in the topology information from the first SDN device node to detect abnormal traffic in the SDN network, the abnormal traffic including a counterfeit node, comprising: traversing network addresses of all SDN device nodes from the first SDN device node in sequence based on a breadth-first algorithm to detect whether SDN device nodes with the same network address exist;
and if SDN device nodes with the same network address exist, taking the SDN device nodes with the same network address as the counterfeit nodes.
2. The network detection method of claim 1, wherein the method further comprises:
and if the SDN equipment nodes with the same network address do not exist, determining that the network detection result is normal.
3. The network detection method of claim 1, wherein the abnormal traffic comprises a tampered path, traversing the respective SDN device nodes in the topology information from the first SDN device node to detect the abnormal traffic in the SDN network comprises:
each path between the first SDN device node in the topology information to the respective SDN device node is detected based on vector analysis to detect the tampered path in the SDN network.
4. The network detection method of claim 3, wherein detecting respective paths between the first SDN device node to the respective SDN device nodes in the topology information based on vector analysis to detect the tampered path in the SDN network comprises:
acquiring predetermined path information;
traversing each path information between each SDN device node from the first SDN device node;
comparing the path information with the predetermined path information; and
if the comparison results are consistent, the network detection result is normal;
and if the comparison results are inconsistent, taking the path information as a tampered path.
5. The network detection method according to any one of claims 2 to 4, characterized in that the method further comprises:
and acquiring the counterfeit node and/or the tampered path to judge the risk level, and starting corresponding emergency treatment according to the risk level.
6. The network detection method of claim 5, further comprising:
acquiring feedback information aiming at the emergency treatment;
if the feedback information is legal flow, updating the preset path information; and
and if the feedback information is illegal traffic, deleting the counterfeit node and/or the tampered path.
7. The network detection method according to claim 1, characterized in that the method comprises:
acquiring an input data packet PacketIn message;
and updating the topology information based on the PacketIn message.
8. A network detection device, comprising:
an acquisition module, configured to acquire the connection relation and the flow direction of each SDN device node in a Software Defined Network (SDN);
the topology generation module is used for generating topology structure information among the SDN equipment nodes according to the connection relation and the flow direction of the SDN equipment nodes;
the topology ordering module is used for obtaining a first SDN device node according to the topology structure information; and
a detection module, configured to traverse each SDN device node in the topology structure information from the first SDN device node to detect abnormal traffic in the SDN network, where the abnormal traffic includes a counterfeit node, the detection module further includes: the breadth first detection module is used for traversing network addresses of all SDN device nodes from the first SDN device node in sequence based on a breadth first algorithm so as to detect whether SDN device nodes with the same network address exist; and the first comparison module is used for taking the SDN equipment nodes with the same network address as counterfeit nodes if the SDN equipment nodes with the same network address exist.
9. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the network detection method of any one of claims 1 to 7 via execution of the executable instructions.
10. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the network detection method of any of claims 1 to 7.
CN202210370081.9A 2022-04-08 2022-04-08 Network detection method and device, storage medium and electronic equipment Active CN114978580B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210370081.9A CN114978580B (en) 2022-04-08 2022-04-08 Network detection method and device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210370081.9A CN114978580B (en) 2022-04-08 2022-04-08 Network detection method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN114978580A CN114978580A (en) 2022-08-30
CN114978580B true CN114978580B (en) 2023-09-29

Family

ID=82978125

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210370081.9A Active CN114978580B (en) 2022-04-08 2022-04-08 Network detection method and device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114978580B (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计系统技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
CN106131027A (en) * 2016-07-19 2016-11-16 北京工业大学 A kind of exception flow of network based on software defined network detection system of defense
CN106357622A (en) * 2016-08-29 2017-01-25 北京工业大学 Network anomaly flow detection and defense system based on SDN (software defined networking)
CN106572107A (en) * 2016-11-07 2017-04-19 北京科技大学 Software defined network-oriented DDoS attack defense system and method
CN107196816A (en) * 2016-03-14 2017-09-22 中国移动通信集团江西有限公司 Anomalous traffic detection method, system and Network analyzing equipment
CN107992746A (en) * 2017-12-14 2018-05-04 华中师范大学 Malicious act method for digging and device
CN109088901A (en) * 2018-10-31 2018-12-25 杭州默安科技有限公司 Deception defence method and system based on SDN building dynamic network
KR20190049323A (en) * 2017-11-01 2019-05-09 숭실대학교산학협력단 SDN for preventing malware attack and controller including the same
JP2019092039A (en) * 2017-11-14 2019-06-13 日本電信電話株式会社 Attack detection method, attack detection device, and communication system
CN111010362A (en) * 2019-03-20 2020-04-14 新华三技术有限公司 Monitoring method and device for abnormal host
US10860622B1 (en) * 2015-04-06 2020-12-08 EMC IP Holding Company LLC Scalable recursive computation for pattern identification across distributed data processing nodes
CN112261052A (en) * 2020-10-23 2021-01-22 中国人民解放军战略支援部队信息工程大学 SDN data plane abnormal behavior detection method and system based on flow rule analysis
EP3772005A1 (en) * 2019-08-02 2021-02-03 CrowdStrike, Inc. Visualization and control of remotely monitored hosts
CN112929200A (en) * 2021-01-07 2021-06-08 浙江工商大学 SDN multi-controller oriented anomaly detection method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A solution for ARP attacks in software defined network; Xiaohan Zhang et al.; AIIPCC 2021; full text *
An anomalous traffic detection method based on entropy calculation in SDN; 王铭鑫 et al.; 《研究与开发》 (Research and Development); full text *

Also Published As

Publication number Publication date
CN114978580A (en) 2022-08-30

Similar Documents

Publication Publication Date Title
US11088944B2 (en) Serverless packet processing service with isolated virtual network integration
US20220239701A1 (en) Control access to domains, servers, and content
US7644168B2 (en) SAS expander
CN108322467B (en) OVS-based virtual firewall configuration method, electronic equipment and storage medium
US20130107881A1 (en) Distributed Address Resolution Service for Virtualized Networks
US10721166B2 (en) Ensuring data locality for secure transmission of data
US9009782B2 (en) Steering traffic among multiple network services using a centralized dispatcher
CN113225194B (en) Routing abnormity detection method, device and system and computer storage medium
WO2021047011A1 (en) Data processing method and apparatus, and computer storage medium
JP2019525604A (en) Network function NF management method and NF management apparatus
CN110855721A (en) Method, equipment and storage medium for searching network logic path
CN110311861B (en) Method and device for guiding data flow
CN113872951B (en) Hybrid cloud security policy issuing method and device, electronic equipment and storage medium
CN114978580B (en) Network detection method and device, storage medium and electronic equipment
CN106453367B (en) SDN-based method and system for preventing address scanning attack
CN112350939A (en) Bypass blocking method, system, device, computer equipment and storage medium
CN113114588B (en) Data processing method and device, electronic equipment and storage medium
CN111800340A (en) Data packet forwarding method and device
CN110266597B (en) Flow control method, device, equipment and storage medium
CN114301686B (en) Security policy matching method and device and storage medium
US12028240B2 (en) Method, electronic device, and computer program product for cross-regional data searching
CN113852572B (en) Message processing method and device
WO2023246535A1 (en) Data transmission method and apparatus and system
CN114363239B (en) Routing information updating method, device, equipment and storage medium
US20210243159A1 (en) Persistent device identifier driven compromised device quarantine

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant