CN115776406A - Safety protection method and device, electronic equipment and storage medium - Google Patents

Publication number
CN115776406A
Authority
CN
China
Prior art keywords
flow
threat
information
service flow
access router
Legal status
Granted
Application number
CN202211531304.1A
Other languages
Chinese (zh)
Other versions
CN115776406B (en)
Inventor
陈吉宁
周飞
谈超洪
李森
梁少灵
彭凌华
Current Assignee
Guangxi Zhuang Autonomous Region Information Center
Original Assignee
Guangxi Zhuang Autonomous Region Information Center
Abstract

The application provides a security protection method and device, an electronic device and a storage medium. The method is applied to a security protection device located in a security protection architecture in which the security protection device is connected to a border access router, and comprises the following steps: acquiring a traffic flow accessing a target server and parsing it to obtain a parsed traffic flow, the traffic flow being received from the border access router; if it is determined from the parsed traffic flow that a threat flow exists in the traffic flow, extracting N-tuple information of the threat flow; generating routing information according to the N-tuple information of the threat flow and sending the routing information to the border access router through a preset protocol, where the preset protocol comprises Border Gateway Protocol flow specification (BGP FlowSpec) rules and the routing information comprises filtering rule information and blocking instruction information. With the method and device, threat flows can be blocked on demand, and the security and reliability of the network are improved.

Description

Safety protection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security protection method and apparatus, an electronic device, and a storage medium.
Background
The government affairs extranet is an important public infrastructure of e-government in China: a public government network that serves government departments at all levels and meets the needs of economic regulation, market supervision, social management, public services and the like. According to the graded protection requirements for the government affairs extranet, a corresponding access control mechanism and security threat protection network elements need to be deployed at the network boundary.
In the prior art, all border access routers of a government affair extranet are provided with firewalls, so that all border access routers support routing and safety protection capabilities, thereby ensuring network safety. However, since each access point is provided with a firewall, the network construction cost is too high, and the management is inconvenient. That is, the security protection scheme in the prior art is not the optimal scheme.
Therefore, there is a need for improvement of security measures for the government affairs extranet to effectively prevent the network resources of the government affairs extranet from being maliciously destroyed or illegally used.
Disclosure of Invention
The application provides a security protection method and device, an electronic device and a storage medium, which are used to solve the problem that the security protection scheme in the prior art is not optimal and needs further improvement.
In one aspect, the present application provides a security protection method applied to a security protection device, where the security protection device is located in a security protection architecture in which the security protection device is connected to a border access router, and the method comprises the following steps:
acquiring a traffic flow accessing a target server and parsing the traffic flow to obtain a parsed traffic flow; wherein the traffic flow is received from the border access router;
if it is determined from the parsed traffic flow that a threat flow exists in the traffic flow, extracting N-tuple information of the threat flow; the threat flow is a traffic flow, among the traffic flows, that poses a security threat or attack to the target server, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer;
generating routing information according to the N-tuple information of the threat flow and sending the routing information to the border access router through a preset protocol; the preset protocol comprises Border Gateway Protocol flow specification (BGP FlowSpec) rules, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information instructs the border access router to block the threat flow according to the filtering rule information.
Optionally, the parsed traffic flow includes detailed information of the traffic flow, and determining from the parsed traffic flow that a threat flow exists in the traffic flow includes:
determining, according to the detailed information, that a threat flow exists in the traffic flow if the traffic flow matches the characteristics of a DoS/DDoS attack.
Optionally, the routing information further includes: counting instruction information; wherein the statistical instruction information is used for instructing the border access router to determine the packet number and the total byte number of the blocked threat flow.
Optionally, the method further comprises:
receiving statistical data sent by the border access router; the statistical data comprises the packet number and the total byte number of the blocked threat flow;
if it is determined that no threat flow exists in the service flow according to the statistical data, revocation information is sent to the border access router through the preset protocol; the revocation information is used for instructing the border access router to stop executing the blocking instruction information.
Optionally, the method further comprises:
if it is determined that the packet number and the total byte number of the blocked threat flow have not increased within a preset time, determining that the threat flow does not exist in the traffic flow.
Optionally, the safety device includes a first server and a second server, where the first server is connected to the second server, and the second server is connected to the border access router.
Optionally, the preset protocol further comprises one or more of: path computation element communication protocol, BGP SR protocol, BGP control protocol, telemetry technology.
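The steps above (N-tuple extraction, generating the filtering rule, blocking and counting instructions as BGP FlowSpec routing information, and withdrawing the rule once the router's counters stop growing) as a worked example; this is added code, not the patent's or any vendor's implementation, and it assumes the RFC 8955 IPv4 FlowSpec wire format with a 5-tuple (N = 5) and a constructed sample flow.

```python
import struct
import ipaddress
from dataclasses import dataclass

# RFC 8955 IPv4 FlowSpec component types; components must appear in ascending order
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
END_OF_LIST = 0x80   # 'e' bit: last operator in this component
LEN_2_BYTES = 0x10   # 'len' field value 01: 2-byte operand
OP_EQ = 0x01         # 'eq' bit: match values equal to the operand


@dataclass(frozen=True)
class FiveTuple:
    """N-tuple (here N = 5) extracted from a threat flow."""
    src: str    # source address or CIDR
    dst: str    # destination address or CIDR
    proto: int  # IP protocol number
    sport: int  # source port
    dport: int  # destination port


def _prefix_component(ctype, cidr):
    net = ipaddress.IPv4Network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8  # only the significant prefix octets go on the wire
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, value):
    """One '== value' operator; the len bits select a 1- or 2-byte operand."""
    if 0 <= value < 256:
        return bytes([ctype, END_OF_LIST | OP_EQ, value])
    if value < 65536:
        return bytes([ctype, END_OF_LIST | LEN_2_BYTES | OP_EQ]) + struct.pack("!H", value)
    raise ValueError("operand too large for a port or protocol number")


def flowspec_nlri(ft):
    """Filtering rule information: the FlowSpec NLRI that matches the 5-tuple.
    The same bytes are carried in MP_REACH_NLRI to install the rule and in
    MP_UNREACH_NLRI to withdraw it (the revocation information)."""
    body = (_prefix_component(DST_PREFIX, ft.dst)
            + _prefix_component(SRC_PREFIX, ft.src)
            + _numeric_component(IP_PROTO, ft.proto)
            + _numeric_component(DST_PORT, ft.dport)
            + _numeric_component(SRC_PORT, ft.sport))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body


def traffic_rate_community(rate_bytes_per_sec=0.0, asn=0):
    """Blocking instruction information: traffic-rate extended community
    (type 0x80, sub-type 0x06); a rate of 0 tells the router to discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def traffic_action_community(sample=True, terminal=True):
    """Counting instruction information: traffic-action extended community
    (type 0x80, sub-type 0x07) with the S (sample/log, 0x02) and T (0x01) bits."""
    flags = (0x02 if sample else 0) | (0x01 if terminal else 0)
    return struct.pack("!BBIH", 0x80, 0x07, 0, flags)


def build_routing_information(ft):
    """Everything the security device hands to its BGP speaker for one threat flow."""
    return {"nlri": flowspec_nlri(ft),
            "ext_communities": [traffic_rate_community(0.0), traffic_action_community()]}


def should_revoke(samples, preset_seconds):
    """samples: (time_s, packets, total_bytes) reported by the border router for
    one rule. Returns True once neither counter has grown across a full preset
    window, i.e. the threat flow is gone and the rule can be withdrawn so that no
    residual configuration is left on the router."""
    if len(samples) < 2:
        return False
    samples = sorted(samples)
    t_last, p_last, b_last = samples[-1]
    old_enough = [s for s in samples if s[0] <= t_last - preset_seconds]
    if not old_enough:
        return False  # not yet observed for a full preset window
    _, p_ref, b_ref = old_enough[-1]
    return p_last == p_ref and b_last == b_ref


if __name__ == "__main__":
    threat = FiveTuple("203.0.113.7", "198.51.100.10", 17, 40000, 53)  # constructed sample
    info = build_routing_information(threat)
    print("NLRI:", info["nlri"].hex())
    print("ext communities:", [c.hex() for c in info["ext_communities"]])
    counters = [(0, 100, 6000), (10, 200, 12000), (20, 200, 12000), (30, 200, 12000)]
    print("revoke after 15 s idle:", should_revoke(counters, 15))
```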
In another aspect, the present application provides a security protection apparatus applied to a security protection device, where the security protection device is located in a security protection architecture in which the security protection device is connected to a border access router, and the apparatus comprises:
the acquisition unit is used for acquiring the service flow accessing the target server and analyzing the service flow to obtain the analyzed service flow; wherein the traffic flow is accessed from the border access router;
an extracting unit, configured to extract N-tuple information of the threat flow if it is determined that the threat flow exists in the service flow according to the analyzed service flow; the threat flow is a service flow which has security threat or attack on the target server in the service flow, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer;
the control unit is used for generating routing information according to the N-tuple information of the threat flow and sending the routing information to the boundary access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information is used for indicating the border access router to block the threat flow according to the filtering rule information.
Optionally, the parsed service flow includes detailed information of the service flow; the extraction unit comprises a determination module;
the determining module is used for determining, according to the detailed information, that a threat flow exists in the traffic flow if the traffic flow matches the characteristics of a DoS/DDoS attack.
Optionally, the routing information further includes: counting instruction information; wherein the statistical instruction information is used for instructing the border access router to determine the packet number and the total byte number of the blocked threat flow.
Optionally, the apparatus further comprises a receiving unit, wherein the receiving unit comprises a receiving module and a revocation module;
the receiving module is used for receiving the statistical data sent by the border access router; the statistical data comprises the packet number and the total byte number of the blocked threat flow;
the revocation module is configured to send revocation information to the border access router through the preset protocol if it is determined that the service flow does not have the threat flow according to the statistical data; the revocation information is used for instructing the border access router to stop executing the blocking instruction information.
Optionally, the receiving unit further comprises a determining module;
the determining module is configured to determine that the threat flow does not exist in the service flow if it is determined that the packet number and the total byte number of the blocked threat flow do not increase within a preset time.
Optionally, the safety protection device includes a first server and a second server, where the first server is connected to the second server, and the second server is connected to the border access router.
Optionally, the preset protocol further comprises one or more of: path computation element communication protocol, BGP SR protocol, BGP control protocol, telemetry technology.
In another aspect, the present application provides an electronic device comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer execution instructions;
the processor executes computer-executable instructions stored by the memory to implement any of the methods described above.
In another aspect, the present application provides a computer-readable storage medium having stored thereon computer-executable instructions for implementing any of the methods described above when executed by a processor.
In another aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements any of the methods described above.
The application provides a security protection method and device, an electronic device and a storage medium. The method is applied to a security protection device located in a security protection architecture in which the security protection device is connected to a border access router, and comprises the following steps: acquiring a traffic flow accessing a target server and parsing the traffic flow to obtain a parsed traffic flow, where the traffic flow is received from the border access router; if it is determined from the parsed traffic flow that a threat flow exists in the traffic flow, extracting N-tuple information of the threat flow, where the threat flow is a traffic flow, among the traffic flows, that poses a security threat or attack to the target server, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer; generating routing information according to the N-tuple information of the threat flow and sending the routing information to the border access router through a preset protocol, where the preset protocol comprises Border Gateway Protocol flow specification (BGP FlowSpec) rules, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information instructs the border access router to block the threat flow according to the filtering rule information.
With this scheme, threat flows are blocked on demand and no residual configuration is left in the border access router; the problem of residual configuration caused by the poor reliability of blocking threat flows with static command-line QoS policies based on complex traffic classification is solved; and the command lines of different vendors do not need to be adapted and converted during security protection, so management complexity is reduced and security and reliability are improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and, together with the description, serve to explain the principles of the application.
Fig. 1 is a protection architecture diagram for deploying a firewall in an architecture for a commission office to access a government cloud according to an embodiment of the present application;
fig. 2 is another protection architecture diagram for deploying a firewall in an architecture for a commission office to access a government cloud according to an embodiment of the present application;
fig. 3 is a safety protection architecture diagram corresponding to an application scenario of a safety protection method according to an embodiment of the present application;
fig. 4 is a schematic flow chart of a safety protection method provided in an embodiment of the present application;
fig. 5 is a signaling diagram of a method for a convergence server and an edge access router to complete security protection according to the embodiment of the present application;
fig. 6 is a signaling diagram of a method for completing security protection by a probe server, a security resource pool server, and a border access router according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a safety protection apparatus according to an embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of yet another safety protection apparatus provided in accordance with an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. These drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the inventive concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the above-described drawings (if any) are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The government affair outer network supports cross-region and cross-department service application, information sharing and service cooperation, and services which do not need to run on the government affair inner network. Network security protection of the government affair outer network is particularly important based on the importance of the government affair outer network. The network security problem of the government affair extranet is a key problem for supporting further development of various network services and applications of the government affair extranet at present.
Illustratively, fig. 1 is a protection architecture diagram for deploying a firewall in an architecture for a commission office to access a government affairs cloud according to an embodiment of the present application. As shown in fig. 1, each commission office 20 connects through the border access router 12, and its traffic flow is forwarded through the aggregation router 14 and the core router 13 to reach the government affairs cloud 30. The traffic flow is forwarded over an L3VPN (Layer 3 Virtual Private Network).
Among the traffic flows accessed through the border access router 12, there may be a threat flow, which may occupy network resources of the border access router 12, the aggregation router 14, and the core router 13, and may even cause security threat and attack to the government affair cloud 30, and therefore, network security protection is required.
In one example, all border access routers of the government affairs extranet are given both routing and security protection capabilities by deploying a firewall at each of them, so as to guarantee network security. As shown in fig. 1, a firewall 121 is deployed adjacent to the border access router 12, a firewall 131 is deployed adjacent to the core router 13, and a firewall is also deployed adjacent to the router that enters the government wide area network. Although every border node then supports threat identification and blocking close to the source, each access point carries its own firewall, so the network construction cost is too high and management is inconvenient.
In one example, a firewall is attached only to an aggregation router or core router of the government affairs extranet, so that all traffic flows accessing the government affairs cloud server are steered to the firewall, and identification and blocking of threat flows are completed centrally. Illustratively, fig. 2 is a diagram of a protection architecture for deploying a firewall in an architecture for a commission office to access a government cloud according to an embodiment of the present application. As shown in fig. 2, the firewall 131 is deployed only beside the core router 13. This scheme identifies and blocks threat flows centrally, the deployment cost is relatively low, and management and control are relatively convenient; however, when commission offices 20 access each other's services, the traffic does not pass through the aggregation router 14 or the core router 13, so threat flows in such inter-office access cannot be identified or blocked; moreover, a threat flow is blocked only after reaching the aggregation router 14 or the core router 13, so it occupies bandwidth on the border access router 12, the aggregation router 14 and the core router 13 and affects the traffic flows that legitimately access the government affairs cloud server.
In one example, the security protection device attached to the core router only identifies threat flows, and the border access router performs the dropping, blocking and similar handling of the threat flow. The security protection device sends a Quality of Service (QoS) policy based on complex traffic classification to the border access router through the NETCONF/YANG protocol, and the border access router and the firewall beside the core router together complete the security protection function. Complex traffic classification means that a complex rule, for example five-tuple information, is used to classify packets finely, and the complex traffic classification rule is then associated with the corresponding executable traffic action to form a QoS policy. Illustratively, the five-tuple information may include: source address, source port number, protocol number, destination address and destination port number; the traffic actions may include: traffic policing, congestion management, congestion avoidance, packet filtering and the like. The security protection device forms a QoS policy from the complex traffic classification rule and the corresponding executable traffic action, and then sends the QoS policy to the border access router through NETCONF/YANG. In network security protection, the QoS policy generally discards the threat flow and counts its total packet number and total byte number. After receiving the QoS policy, the border access router completes the security protection task according to it.
The Network Configuration Protocol (NETCONF) provides a set of mechanisms for managing network devices; a user can use them to add, modify and delete the configuration of network devices and to obtain their configuration and state information. YANG (Yet Another Next Generation) is a data modeling language that defines a hierarchical structure of data and can completely describe all data exchanged between a NETCONF client and server. However, the provisioning performance of NETCONF/YANG is poor: generally only a few rules or policies can be issued per second, so when the number of threat flows is large a performance bottleneck forms and the blocking requirement cannot be met; moreover, when the security protection device has problems, overall reliability is poor and residual configuration is easily left in the border access router; in addition, the security protection device must be aware of the differences in vendors and command lines among the network nodes and adapt and convert the command lines of different vendors, so management complexity is high.
Therefore, how to realize rapid identification and rapid blocking of a large number of security threat flows, how to improve reliability of a blocking action of the threat flows under the condition of not influencing normal services of the current network, how to realize command line intercommunication of multiple manufacturers, and the like are problems which need to be solved at present.
In order to solve the above problems, the present application provides a security protection method, apparatus, electronic device and storage medium. The security protection device issues the filtering rule and blocking instruction information to the border access router through Border Gateway Protocol flow specification (BGP FlowSpec) rules, and the security protection function is implemented jointly by the security protection device and the border access router. BGP FlowSpec rules scale better, are more reliable, and do not suffer from the lack of command-line interoperability among multiple vendors.
The following describes the technical solution of the present application and how to solve the above technical problems in detail by specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
The following describes a security protection method and an application scenario provided in an embodiment of the present application. When the following description refers to the accompanying drawings, the same data in different drawings represent the same or similar elements, unless otherwise indicated.
Fig. 3 is a safety protection architecture diagram corresponding to an application scenario of a safety protection method according to an embodiment of the present application. As shown in fig. 3, the security architecture 10 includes a security device 11 and an edge access router 12, and the security device 11 is connected to the edge access router 12. In practice, the access server 20 accesses the target server 30 through the security protection architecture 10.
For example, in the embodiment of the present application where each authority accesses the government affairs cloud, the access server 20 may be a server of an authority and the target server 30 may be the government affairs cloud. Each authority, as an access server 20, connects through the border access router 12 and accesses the government affairs cloud, that is, the target server 30, via the security protection device 11.
There may be a plurality of access servers 20 and a plurality of border access routers 12, so as to satisfy the access requests of each access server. When there are multiple border access routers 12, for convenience of management and control, an aggregation router (not shown) and/or a core router 13 may further be interconnected between the border access routers 12 and the security protection device 11; the core router 13 is in turn connected to the security protection device 11.
Illustratively, the security protection device 11 is configured to parse the traffic flows accessing the government affairs cloud 30 that arrive through the border access router 12, determine whether a threat flow exists among all the accessed traffic flows, extract N-tuple information of the threat flow if it is determined that a threat flow exists, and send filtering rule information and blocking instruction information to the border access router 12. After receiving the filtering rule information and the blocking instruction information, the border access router 12 executes the blocking instruction according to the filtering rule information, so the threat flow is blocked at the border access router 12 and the target server 30 is protected.
In one example, the safety device 11 may include a first server 111 and a second server 112, wherein the first server 111 is connected to the second server 112, and the second server 112 is connected to the border access router 12. Identifying, by the first server 111, a traffic flow accessing the destination server 30 accessed from the border access router 12; then, the first server 111 and the second server 112 cooperatively determine whether a threat flow exists in the traffic flow, and if it is determined that the threat flow exists, extract N-tuple information of the threat, and send filtering rule information and blocking instruction information to the border access router 12.
The function allocation of the first server 111 and the second server 112 is not limited in the present application, and the purpose of the present application is to cooperatively complete the protection task of the safety protection device 11. Illustratively, the first server 111 may be a probe server for parsing a traffic flow accessing the government cloud 30 accessed from the border access router 12 and transmitting the parsed traffic flow to the second server 112. The second server 112 may be a secure resource pool server, and the secure resource pool server is configured to determine whether a threat flow exists in the service flow according to the parsed service flow, extract N-tuple information of the threat when it is determined that the threat flow exists, and send filtering rule information, blocking instruction information, and the like to the border access router 12.
Fig. 4 is a schematic flowchart of a security protection method according to an embodiment of the present application. The execution subject of the application may be a security protection apparatus, which may be located in a security protection device. The security protection method provided by this embodiment is applied to a security protection device located in a security protection architecture in which the security protection device is connected to a border access router.
As shown in fig. 4, the safety protection method provided in this embodiment includes:
S401, acquiring a traffic flow accessing a target server and parsing the traffic flow to obtain a parsed traffic flow; wherein the traffic flow is received from the border access router.
For example, among the traffic flows accessing the target server, there may be traffic flows that pose a security threat or attack on the target server, and these traffic flows are referred to as threat flows. The existence of the threat flow poses a security threat or attack on the target server, which makes the target server unable to provide normal service, and therefore, the threat flow needs to be blocked.
Illustratively, in the present application, the security protection device first obtains all the traffic flows accessing the target server from the border access router, and parses the traffic flows to obtain parsed traffic flows. Then, it can be determined whether a threat flow exists in the service flow according to the parsed service flow. Among them, network attacks are also often classified into various types according to security threats or attacks on target servers. The method and the device do not limit whether the threat flow exists in the service flow or not according to the analyzed service flow, and have different implementation modes according to different security threats or attacks.
For example, a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack is a common attack mode that poses a significant threat to network security. The attacker behind a DoS/DDoS attack may, through several control ends, direct thousands of attack devices to launch traffic attacks on the same destination address, network segment, server or the like at the same time, which may congest the network or drive the server's Central Processing Unit (CPU) usage so high that it can no longer provide services. DoS/DDoS attacks may exist among the service flows accessing the target server and pose a security threat to it. Therefore, whether a threat flow exists in the service flow can be determined according to the characteristics of DoS/DDoS attacks.
In one example, the parsed service flow includes detailed information of the service flow; determining that a threat flow exists in the service flow according to the parsed service flow may include:
if, according to the detailed information, the service flow is determined to match the characteristics of a DoS/DDoS attack, determining that a threat flow exists in the service flow.
Illustratively, the parsed service flow includes detailed information of the service flow, and the security protection device may determine whether a threat flow exists in the service flow according to the detailed information of the service flow. If the service flow is determined to accord with the characteristics of DoS/DDoS attack, the threat flow in the service flow can be determined; if the service flow is determined not to accord with the characteristics of the DoS/DDoS attack, the threat flow does not exist in the service flow.
In addition, a security analysis algorithm engine may be deployed in the security protection device, and the security analysis algorithm engine is used to determine whether a threat flow exists in the service flow, which is not limited in the present application.
S402, if the threat flow exists in the service flow according to the analyzed service flow, extracting N-tuple information of the threat flow; the threat flow is a service flow which has security threat or attack on a target server in the service flow, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer.
For example, if the safety protection device determines from the parsed service flow that a threat flow exists in the service flow, it extracts the N-tuple information of the threat flow. Different threat flows may have different characteristics, so the N-tuple information obtained may also differ.
For example, the N-tuple information may be some or all of the transmission attribute information of the threat flow that distinguishes it from normal service flows, so that filtering rule information can later be generated from it. N is a positive integer: when N is 3 the information is 3-tuple information, and when N is 5 it is 5-tuple information. The value of N may vary with the characteristics of the threat flow. For example, if the threat flow is determined by source address, source port number, protocol number, destination address and destination port number, the extracted N-tuple information is five-tuple information; if it is determined by source address, source port number, destination address and destination port number, the extracted N-tuple information is four-tuple information; if the threat flow can be determined from other information, the extracted N-tuple information is a tuple of some other size. The present application does not limit this; the specific value of N can be determined according to the characteristics of the threat flow.
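As an added example (not code from the patent), the following Python sketch shows one way a probe could turn flow records into the N-tuple information described above: a flow is treated as a threat when its packet rate over the observation window exceeds a threshold, the 5-tuple is emitted when its source port is stable, and the 4-tuple (source port dropped) when the source port varies. The record format, the packet-rate heuristic, the threshold and the sample records are all constructed assumptions; the application itself does not fix how threat flows are identified.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed record format (assumption): one summary per observed flow, as a
# probe server might export it.
class FlowRecord(NamedTuple):
    ts: float      # seconds from the start of the observation window
    src: str       # source address
    sport: int     # source port
    dst: str       # destination address (the target server)
    dport: int     # destination port
    proto: int     # IP protocol number, 6 = TCP, 17 = UDP
    packets: int   # packets seen for this record

# Assumed DoS/DDoS characteristic: sustained packet rate from one source
# towards one (dst, proto, dport) above this many packets per second.
PPS_THRESHOLD = 1000.0

def find_threat_tuples(records, window_s: float, pps_threshold: float = PPS_THRESHOLD):
    """Return N-tuple descriptions (as dicts) of flows that look like floods.

    Flows are keyed by (src, dst, proto, dport). If all packets of a flagged
    flow share one source port the 5-tuple is returned (N = 5); if the source
    port varies, as with randomised or spoofed floods, it is dropped and the
    4-tuple is returned (N = 4).
    """
    packets = defaultdict(int)
    sports = defaultdict(set)
    for r in records:
        key = (r.src, r.dst, r.proto, r.dport)
        packets[key] += r.packets
        sports[key].add(r.sport)

    threats = []
    for key, count in packets.items():
        if count / window_s <= pps_threshold:
            continue
        src, dst, proto, dport = key
        ntuple = {"src": src, "dst": dst, "proto": proto, "dport": dport}
        if len(sports[key]) == 1:
            ntuple["sport"] = next(iter(sports[key]))
        threats.append(ntuple)
    return threats

# Constructed sample records over a 10 s window (RFC 5737 documentation addresses).
SAMPLE_RECORDS = [
    # ordinary client: a couple of hundred packets in the window
    FlowRecord(0.0, "192.0.2.5", 51000, "203.0.113.10", 443, 6, 200),
    # flood whose source port changes from record to record -> 4-tuple
    FlowRecord(1.0, "198.51.100.7", 40001, "203.0.113.10", 443, 6, 5000),
    FlowRecord(4.0, "198.51.100.7", 40002, "203.0.113.10", 443, 6, 5000),
    FlowRecord(8.0, "198.51.100.7", 40003, "203.0.113.10", 443, 6, 5000),
    # flood with a fixed source port -> all five fields are stable -> 5-tuple
    FlowRecord(2.0, "198.51.100.9", 80, "203.0.113.10", 443, 6, 12000),
]

if __name__ == "__main__":
    for t in find_threat_tuples(SAMPLE_RECORDS, window_s=10.0):
        print(f"N={len(t)}", t)
```

Run stand-alone it prints one 4-tuple and one 5-tuple; the ordinary client at 20 packets per second is not flagged. In a real deployment the threshold would be set from a baseline of the target server's normal traffic rather than a fixed constant.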
S403, generating routing information according to the N-tuple information of the threat flow, and sending the routing information to the boundary access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information is used for indicating the border access router to block the threat flow according to the filtering rule information.
Illustratively, after the safety protection device extracts the N-tuple information of the threat stream, the routing information including the filtering rule information and the blocking instruction information may be generated according to the N-tuple information of the threat stream. And the blocking instruction information is used for indicating the border access router to block the threat flow according to the filtering rule information.
For example, after the safety protection device generates the routing information, it sends the routing information to the border access router through a preset protocol such as the Border Gateway Protocol Flow Specification (BGP Flowspec). After the border access router receives the routing information, it blocks the threat flow according to the routing information, so as to protect the target server.
BGP Flowspec uses the network layer reachability information (NLRI) and extended community attributes defined by the standard Border Gateway Protocol (BGP) and provides rich flow rules and flow actions. The flow rules currently defined by BGP Flowspec include: destination prefix, source prefix, IP protocol, port, destination port, source port, etc.; the flow actions currently defined include: traffic filtering actions, traffic rate in packets, etc.
Based on this, the present application generates routing information and sends it to the border access router through BGP Flowspec, which can greatly improve the security and reliability of the network. Because the routing information carries filtering rule information and blocking instruction information that exist independently of each other, better maintainability is achieved and service flows can be controlled more specifically. In particular: real-time monitoring can be achieved, with threat flows answered quickly through periodic sampling so that the threat flow is brought under control; protection policies can be deployed in advance according to the characteristics of common attack traffic, so that such traffic never gets the chance to damage the network, the attack is nipped in the bud and protection is achieved in advance; a control policy no longer has to be configured separately on each device, which improves maintainability and reduces cost; and BGP Flowspec supports cross-domain propagation, so the harm of attack traffic can be removed at the device closest to the attack source (the border access router in the present application), greatly reducing its impact on the network.
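As an added example that is not from the patent, the following Python shows how the routing information described above maps onto the on-the-wire BGP Flowspec encoding of RFC 8955: the filtering rule becomes a Flowspec NLRI built from the N-tuple, the blocking instruction becomes a traffic-rate extended community with rate 0 (discard), and the withdrawal is the same NLRI carried in MP_UNREACH_NLRI. Mapping the statistical instruction to the Sample bit of the traffic-action community is an assumption made here, since many routers keep per-rule match counters regardless; the function names are this example's own, and only the attribute layout follows the RFC.

```python
import ipaddress
import struct

# Flowspec component types (RFC 8955, section 4.2); components are emitted in
# ascending type order as the RFC requires.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
AFI_IPV4, SAFI_FLOWSPEC = 1, 133

def _numeric_eq(value: int) -> bytes:
    """Single 'equals value' operator/value pair with the end-of-list bit set.
    Operator byte: e=0x80, a=0x40, length bits 0x30 (00:1, 01:2, 10:4 bytes),
    lt=0x04, gt=0x02, eq=0x01."""
    if value < 0x100:
        len_bits, width = 0x00, 1
    elif value < 0x10000:
        len_bits, width = 0x10, 2
    else:
        len_bits, width = 0x20, 4
    return bytes([0x80 | len_bits | 0x01]) + value.to_bytes(width, "big")

def _prefix(ctype: int, cidr: str) -> bytes:
    """Prefix component: type, prefix length, then only the significant bytes."""
    net = ipaddress.ip_network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def flowspec_nlri(dst=None, src=None, proto=None, port=None, dport=None, sport=None) -> bytes:
    """Encode an IPv4 Flowspec NLRI (the filtering rule) from N-tuple fields."""
    comps = b""
    if dst is not None:
        comps += _prefix(DST_PREFIX, dst)
    if src is not None:
        comps += _prefix(SRC_PREFIX, src)
    for ctype, val in ((IP_PROTO, proto), (PORT, port), (DST_PORT, dport), (SRC_PORT, sport)):
        if val is not None:
            comps += bytes([ctype]) + _numeric_eq(val)
    if len(comps) < 240:
        return bytes([len(comps)]) + comps
    return struct.pack("!H", 0xF000 | len(comps)) + comps   # two-byte length form

def traffic_rate(rate_bytes_per_s: float, asn: int = 0) -> bytes:
    """traffic-rate-bytes extended community (0x8006): 2-byte AS, 4-byte float.
    A rate of 0 means discard, i.e. the blocking instruction."""
    return bytes([0x80, 0x06]) + struct.pack("!Hf", asn, rate_bytes_per_s)

def traffic_action(sample: bool = False, terminal: bool = False) -> bytes:
    """traffic-action extended community (0x8007) with the S (sample/log) and
    T (terminal) bits. Assumption of this example: the patent's 'statistical
    instruction' is expressed through S."""
    flags = (0x02 if sample else 0) | (0x01 if terminal else 0)
    return bytes([0x80, 0x07]) + b"\x00" * 5 + bytes([flags])

def path_attribute(type_code: int, flags: int, value: bytes) -> bytes:
    """BGP path attribute; sets the extended-length flag (0x10) when needed."""
    if len(value) > 255:
        return bytes([flags | 0x10, type_code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, type_code, len(value)]) + value

def announce_attributes(nlri: bytes, communities) -> bytes:
    """Path attributes of the UPDATE that installs the rule: ORIGIN (IGP),
    empty AS_PATH (iBGP), MP_REACH_NLRI for AFI 1 / SAFI 133 with a zero-length
    next hop, and EXTENDED_COMMUNITIES carrying the action(s)."""
    mp_reach = struct.pack("!HBBB", AFI_IPV4, SAFI_FLOWSPEC, 0, 0) + nlri
    return (path_attribute(1, 0x40, b"\x00")
            + path_attribute(2, 0x40, b"")
            + path_attribute(14, 0x80, mp_reach)
            + path_attribute(16, 0xC0, b"".join(communities)))

def withdraw_attributes(nlri: bytes) -> bytes:
    """MP_UNREACH_NLRI carrying the same NLRI: the revocation message."""
    return path_attribute(15, 0x80, struct.pack("!HB", AFI_IPV4, SAFI_FLOWSPEC) + nlri)

if __name__ == "__main__":
    # Constructed 4-tuple threat flow (RFC 5737 documentation addresses).
    rule = flowspec_nlri(dst="203.0.113.10/32", src="198.51.100.0/24", proto=6, dport=443)
    print("NLRI    ", rule.hex())
    print("announce", announce_attributes(rule, [traffic_rate(0.0), traffic_action(sample=True)]).hex())
    print("withdraw", withdraw_attributes(rule).hex())
```

Because the withdrawal reuses the exact NLRI bytes of the announcement, the safety protection device must keep the encoded rule (or the N-tuple it was built from) for as long as the block is active; otherwise the router is left with exactly the residual configuration the method is meant to avoid.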
In one example, the routing information further includes: counting instruction information; the statistical instruction information is used for indicating the boundary access router to determine the packet number and the total byte number of the blocked threat flow.
Illustratively, the routing information sent by the security protection device may further include statistical instruction information for instructing the border access router to determine the packet number and the total byte number of the blocked threat stream, and after the border access router receives the statistical instruction information, the border access router executes the statistical instruction information to count the packet number and the total byte number of the blocked threat stream.
In an example, if the routing information further includes statistical instruction information, the method may further include step S1 and step S2.
S1, receiving statistical data sent by a border access router; the statistics include the number of packets and the total number of bytes of the threat stream that was blocked.
S2, if the threat flow does not exist in the service flow according to the statistical data, transmitting revocation information to the boundary access router through a preset protocol; the withdrawal information is used for instructing the border access router to stop executing the blocking instruction information.
Illustratively, if the routing information further includes statistical instruction information, the security protection device further receives statistical data including the packet number and the total byte number of the blocked threat flow, which is sent by the border access router, so as to determine whether the threat flow still exists in the traffic flow according to the statistical data. And if the service flow is determined to have no threat flow, transmitting revocation information for instructing the border access router to stop executing blocking instruction information to the border access router through a preset protocol such as a border gateway protocol flow rule BGP Flowspec.
The present application does not limit how it is determined from the statistical data that no threat flow exists in the service flow. For example, the attack characteristics of the threat flow can be analysed from the statistical data: if the statistics stop increasing within a certain period, no threat flow exists in the service flow; or, if no threat flow appears during a given duration, the service flow is considered free of threat flows; and so on.
In one example, if it is determined that the packet number and the total byte number of the blocked threat stream do not increase within the preset time, it is determined that the threat stream does not exist in the traffic stream.
For example, if the packet number and total byte number of the blocked threat flow in the statistical data no longer increase within the preset time, it may be determined that no threat flow exists in the service flow. The preset time is not limited; for example, it may be 2 h or 3 h.
In addition, due to the complexity and irregularity of the network attack, when it is determined that no threat flow exists in the traffic flow, the identification can be performed by combining other characteristics, which is not limited to the above manner. For example, in a regular network attack, the network attack may be performed in time intervals, and the above determination is no longer applicable.
In addition, statistical data may also be analyzed through an AI algorithm and the like to determine whether a threat flow still exists in the traffic flow, which is not limited in the present application.
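As an added example that is not part of the patent, the following Python implements the withdrawal decision of steps S1 and S2 over constructed counter samples: the rule is withdrawn only when both the packet and byte counters have stayed flat for the preset time, a counter decrease is treated as a router-side counter reset rather than as silence, and a helper measures the longest gap between bursts so the preset time can be checked against the intermittent attacks mentioned above. The sample values, the sampling interval and the 2 h quiet period are constructed.

```python
from typing import NamedTuple, Sequence

class CounterSample(NamedTuple):
    ts: float      # seconds at which the router reported the counters
    packets: int   # packets matched (blocked) by the rule so far
    bytes: int     # bytes matched by the rule so far

def _activity_times(samples: Sequence[CounterSample]):
    """Timestamps at which the counters changed relative to the previous sample.

    The first sample always counts (the rule was just installed). Any change,
    including a decrease (router restart or rule re-install reset the counters),
    is treated as activity so the quiet clock restarts instead of withdrawing
    on stale numbers.
    """
    if not samples:
        raise ValueError("need at least one sample")
    times = [samples[0].ts]
    prev = samples[0]
    for cur in samples[1:]:
        if (cur.packets, cur.bytes) != (prev.packets, prev.bytes):
            times.append(cur.ts)
        prev = cur
    return times

def last_activity_ts(samples: Sequence[CounterSample]) -> float:
    """Time of the most recent sample in which either counter changed."""
    return _activity_times(samples)[-1]

def should_withdraw(samples: Sequence[CounterSample], quiet_period_s: float, now: float) -> bool:
    """True when both counters have been flat for at least quiet_period_s."""
    return now - last_activity_ts(samples) >= quiet_period_s

def max_activity_gap(samples: Sequence[CounterSample]) -> float:
    """Longest gap between two consecutive samples that showed activity.

    A quiet period shorter than this value would have withdrawn the rule in the
    middle of an intermittent attack, so it is a useful lower bound when the
    preset time is chosen from observed attacks.
    """
    times = _activity_times(samples)
    return max((b - a for a, b in zip(times, times[1:])), default=0.0)

# Constructed samples, one every 600 s (10 min).
STEADY_SAMPLES = [          # attack stops after 20 minutes
    CounterSample(0.0, 0, 0),
    CounterSample(600.0, 120_000, 9_600_000),
    CounterSample(1200.0, 250_000, 20_000_000),
    CounterSample(1800.0, 250_000, 20_000_000),
    CounterSample(2400.0, 250_000, 20_000_000),
    CounterSample(3000.0, 250_000, 20_000_000),
]
BURSTY_SAMPLES = [          # a second burst one hour after the first
    CounterSample(0.0, 0, 0),
    CounterSample(600.0, 100, 8_000),
    CounterSample(1200.0, 100, 8_000),
    CounterSample(1800.0, 100, 8_000),
    CounterSample(2400.0, 100, 8_000),
    CounterSample(3000.0, 100, 8_000),
    CounterSample(3600.0, 100, 8_000),
    CounterSample(4200.0, 300, 24_000),
]
RESET_SAMPLES = [           # counters drop to zero: the router reset them
    CounterSample(0.0, 0, 0),
    CounterSample(600.0, 5_000, 400_000),
    CounterSample(1200.0, 5_000, 400_000),
    CounterSample(1800.0, 5_000, 400_000),
    CounterSample(2400.0, 0, 0),
]

if __name__ == "__main__":
    quiet = 2 * 3600.0   # the 2 h preset time from the description
    print("withdraw at t=3000s:", should_withdraw(STEADY_SAMPLES, quiet, now=3000.0))
    print("withdraw at t=8400s:", should_withdraw(STEADY_SAMPLES, quiet, now=8400.0))
    print("longest burst gap  :", max_activity_gap(BURSTY_SAMPLES), "s")
```

With the 2 h preset time the steady series is withdrawn only once the counters have been flat for two hours; the bursty series shows a 3600 s gap, so a preset time of, say, 30 minutes would have released the block between the two bursts.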
Illustratively, after the border access router receives the revocation information, the revocation information is executed, the blocking instruction information is not executed any more, and the blocking action is stopped, at this time, all the service flows accessing the target server accessed from the border access router can be forwarded normally.
When a threat flow exists in the service flow, the safety protection equipment sends blocking instruction information to the border access router through BGP Flowspec and can thereby control the border access router to block the threat flow as required; when no threat flow exists in the service flow any more, it sends withdrawal information to the border access router so that the router stops blocking. This dynamic security protection scheme blocks threat flows on demand without leaving residual configuration in the border access router, and so solves the poor reliability and residual-configuration problems of blocking threat service flows with class-based QoS policies configured through static command lines.
In addition, in the method of the present application, when the safety protection device sends information to the border access router, protocols such as PCEP or BGP SR can be used in addition to BGP Flowspec. When the border access router sends information to the safety protection device, protocols such as PCEP, BGP SR, BMP or Telemetry technology can be used in addition to BGP Flowspec. Here PCEP stands for Path Computation Element Communication Protocol; BGP SR is an extension of BGP for Segment Routing, used to realise source routing between autonomous systems; BMP stands for BGP Monitoring Protocol; and Telemetry is a new-generation network monitoring technology for collecting data remotely from devices at high speed. When a uniform standard protocol is chosen for the information exchange, no adaptation or conversion is needed, which facilitates management.
According to the safety protection method provided by the embodiment of the application, the service flow of the access target server is obtained, and the service flow is analyzed to obtain the analyzed service flow; wherein, the service flow is accessed from the border access router; if the threat flow exists in the service flow according to the analyzed service flow, extracting N-tuple information of the threat flow; the threat flow is a service flow which has security threat or attack on a target server in the service flow, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer; generating routing information according to the N-tuple information of the threat flow, and sending the routing information to the boundary access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information is used for indicating the border access router to block the threat flow according to the filtering rule information.
By sending routing information to the border access router through the BGP flow rule, and based on the characteristics of that rule, the method and apparatus block threat flows as required without leaving residual configuration in the border access router; this solves the poor reliability and residual configuration that arise when threat service flows are blocked with class-based QoS policies configured through static command lines. Moreover, since BGP is a standard protocol, the command lines of different vendors do not need to be adapted or converted during safety protection, which reduces management complexity and improves the security and reliability of the network.
On the basis of the above embodiments, the safety protection equipment of the present application may be deployed in a merged manner or separately. In merged deployment, the safety protection equipment comprises only one fusion server, which completes the safety protection method of the embodiment; the whole safety protection then involves only the information exchange between the safety protection equipment and the border access router.
Fig. 5 is a signaling diagram illustrating a method for implementing security protection by a convergence server and an edge access router according to an embodiment of the present application. As shown in fig. 5, the implementation process may include:
S501, the fusion server obtains the service flows accessing the target server that arrive from the border access router, parses them, extracts the N-tuple information of the threat flow if a threat flow exists in the service flow, and generates routing information according to the N-tuple information of the threat flow.
The routing information may include filtering rule information, blocking instruction information, and statistical instruction information; the blocking instruction information is used for indicating the boundary access router to block the threat flow according to the filtering rule information; the statistical instruction information is used for instructing the boundary access router to determine the packet number and the total byte number of the blocked threat flow.
S502, the fusion server sends routing information to the border access router through protocols such as BGP Flowspec/PCEP/BGP SR and the like.
S503, the border access router receives the routing information, executes the blocking instruction information according to the filtering rule information in the routing information and blocks the threat flow; it also executes the statistical instruction information and counts the packet number and total byte number of the blocked threat flow.
S504, the border access router sends the statistical data to the fusion server through BGP Flowspec/PCEP/BGP SR/BMP/Telemetry or other protocols.
S505, the fusion server determines according to the statistical data whether a threat flow still exists in the service flow, and if not, sends revocation information to the border access router through BGP Flowspec/PCEP/BGP SR or other protocols.
The withdrawal information is used for indicating the border access router to stop executing the blocking instruction information.
S506, the border access router receives the revocation information and stops executing the blocking instruction information.
In merged deployment, the safety protection method is completed cooperatively by the fusion server and the border access router, achieving dynamic identification and on-demand blocking of threat flows; moreover, since merged deployment uses only one server, management is convenient and its complexity is reduced.
For example, if the safety protection equipment is deployed separately, that is, it comprises at least two servers, then the whole safety protection process involves the information exchange among the two servers of the safety protection equipment and the border access router.
For example, the safety protection equipment may comprise a first server and a second server, where the first server may be a probe server and the second server a security resource pool server. The probe server parses the service flows accessing the target server that arrive from the border access router; the security resource pool server determines whether a threat flow exists in the service flow, extracts the N-tuple information of the threat flow if so, and sends the filtering rule information, blocking instruction information and other information to the border access router.
Exemplarily, fig. 6 is a signaling diagram of a method for completing security protection by a probe server, a security resource pool server, and an edge access router according to an embodiment of the present application. As shown in fig. 6, the implementation process may include:
S601, the probe server obtains the service flows accessing the target server that arrive from the border access router, parses them to obtain the parsed service flows, and sends the parsed service flows to the security resource pool server through BGP Flowspec/PCEP/BGP SR or other protocols.
The parsed service flow may include detailed information of the service flow.
S602, the security resource pool server determines whether a threat stream exists in the service stream according to the analyzed service stream, extracts N-tuple information of the threat stream if the threat stream exists in the service stream, and generates routing information according to the N-tuple information of the threat stream.
The routing information may include filtering rule information, blocking instruction information, and statistical instruction information; the blocking instruction information is used for indicating the boundary access router to block the threat flow according to the filtering rule information; the statistical instruction information is used for instructing the boundary access router to determine the packet number and the total byte number of the blocked threat flow.
S603, the security resource pool server sends routing information to the border access router through protocols such as BGP Flowspec/PCEP/BGP SR.
S604, the border access router receives the routing information, executes the blocking instruction information according to the filtering rule information in the routing information and blocks the threat flow; it also executes the statistical instruction information and counts the packet number and total byte number of the blocked threat flow.
S605, the border access router sends the statistical data to the security resource pool server through BGP Flowspec/PCEP/BGP SR/BMP/Telemetry or other protocols.
S606, the security resource pool server determines according to the statistical data whether a threat flow still exists in the service flow, and if not, sends revocation information to the border access router through BGP Flowspec/PCEP/BGP SR or other protocols.
The revocation information is used to instruct the border access router to stop executing the blocking instruction information.
S607, the border access router receives the revocation information and stops executing the blocking instruction information.
In separate deployment, that is, when the safety protection equipment comprises at least two servers, the workload of the safety protection equipment is shared among those servers instead of resting on a single fusion server; the load on each is lower, so the response speed of the safety protection equipment can be increased and the efficiency of safety protection improved.
In addition, the safety protection equipment may be deployed in one or both of these ways, adaptively according to the safety protection requirements, which is not limited by the present application.
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Fig. 7 is a schematic structural diagram of a safety protection apparatus according to an embodiment of the present application. The apparatus is applied to safety protection equipment, the equipment is located in a safety protection architecture, and the architecture comprises: the safety protection equipment connected with the border access router. As shown in fig. 7, the safety protection apparatus 70 of this embodiment includes: an acquisition unit 701, an extraction unit 702 and a control unit 703.
The acquiring unit 701 is configured to acquire a service flow accessing a target server, and analyze the service flow to obtain an analyzed service flow; wherein the traffic flow is accessed from the border access router.
An extracting unit 702, configured to extract N-tuple information of the threat flow if it is determined that the threat flow exists in the service flow according to the analyzed service flow; the threat flow is a service flow which has security threat or attack on a target server in the service flow, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer.
A control unit 703, configured to generate routing information according to the N-tuple information of the threat flow, and send the routing information to the border access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information is used for indicating a border access router to block a threat flow according to the filtering rule information.
Fig. 8 is a schematic structural diagram of another safety protection apparatus according to an embodiment of the present disclosure. The apparatus is applied to safety protection equipment, the equipment is located in a safety protection architecture, and the architecture comprises: the safety protection equipment connected with the border access router. As shown in fig. 8, the safety protection apparatus 80 of this embodiment includes: an acquisition unit 801, an extraction unit 802 and a control unit 803.
The acquiring unit 801 is configured to acquire a service flow accessing a target server, and analyze the service flow to obtain an analyzed service flow; wherein the traffic flow is accessed from the border access router.
An extracting unit 802, configured to extract N-tuple information of the threat flow if it is determined that the threat flow exists in the service flow according to the analyzed service flow; the threat flow is a service flow which has security threat or attack on a target server in the service flow, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer.
A control unit 803, configured to generate routing information according to the N-tuple information of the threat flow, and send the routing information to the border access router through a preset protocol; the preset protocol comprises a border gateway protocol flow rule, the routing information comprises filtering rule information and blocking instruction information, and the blocking instruction information is used for indicating a border access router to block a threat flow according to the filtering rule information.
In one example, the parsed service flow includes detailed information of the service flow; the extraction unit 802 comprises a determination module 8021.
The determining module 8021 is configured to determine, according to the detailed information, that a threat flow exists in the service flow if it is determined that the service flow meets the characteristics of the DoS/DDoS attack.
In one example, the routing information further includes: counting instruction information; the statistical instruction information is used for indicating the boundary access router to determine the packet number and the total byte number of the blocked threat flow.
In one example, apparatus 80 further comprises a receiving unit 804, receiving unit 804 comprising a receiving module 8041 and a revocation module 8042.
A receiving module 8041, configured to receive statistical data sent by the border access router; the statistical data comprises the packet number and the total byte number of the blocked threat flow;
a revocation module 8042, configured to send revocation information to the border access router through a preset protocol if it is determined that a threat flow does not exist in the service flow according to the statistical data; the withdrawal information is used for instructing the border access router to stop executing the blocking instruction information.
In one example, the receiving unit 804 further includes a determining module 8043.
The determining module 8043 is configured to determine that a threat flow does not exist in a service flow if it is determined that the packet number and the total byte number of the blocked threat flow do not increase within a preset time.
In one example, the safety protection device comprises a first server and a second server, wherein the first server is connected with the second server, and the second server is connected with the border access router.
In one example, the preset protocol further comprises one or more of: Path Computation Element Communication Protocol, BGP SR protocol, BGP Monitoring Protocol, Telemetry technology.
It should be noted that the division of each module of the above apparatus is only a logical division, and all or part of the actual implementation may be integrated into one physical entity or may be physically separated. And these modules can be realized in the form of software called by processing element; or can be implemented in the form of hardware; and part of the modules can be realized in the form of calling software by the processing element, and part of the modules can be realized in the form of hardware. In addition, the program code may be stored in a memory of the apparatus, and a certain processing element of the apparatus may call and execute the function of the data processing module. Other modules are implemented similarly. In addition, all or part of the modules can be integrated together or can be independently realized. The processing element here may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in the form of software.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 9, the electronic device 90 includes: a processor 901, and a memory 902 communicatively coupled to the processor.
Wherein the memory 902 stores computer-executable instructions; processor 901 executes computer-executable instructions stored by memory 902 to implement a method as in any of the preceding.
In a specific implementation of the electronic device, it should be understood that the processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The method disclosed in the embodiments of the present application may be executed directly by a hardware processor, or by a combination of hardware and software modules within the processor.
Embodiments of the present application further provide a computer-readable storage medium, in which computer-executable instructions are stored, and when executed by a processor, the computer-executable instructions are used to implement the method according to any one of the foregoing descriptions.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with computer instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Embodiments of the present application also provide a computer program product comprising a computer program for implementing a method according to any one of the preceding claims when executed by a processor.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A security protection method, applied to a security protection device located in a security protection architecture, the architecture comprising the security protection device and a border access router connected to it, the method comprising:
acquiring a service flow accessing a target server and parsing the service flow to obtain a parsed service flow, wherein the service flow enters from the border access router;
if it is determined from the parsed service flow that a threat flow exists in the service flow, extracting N-tuple information of the threat flow, wherein the threat flow is the part of the service flow that poses a security threat or attack to the target server, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer; and
generating routing information from the N-tuple information of the threat flow and sending the routing information to the border access router through a preset protocol, wherein the preset protocol comprises the Border Gateway Protocol flow specification (BGP FlowSpec), and the routing information comprises filtering rule information and blocking instruction information, the blocking instruction information instructing the border access router to block the threat flow according to the filtering rule information.
2. The method of claim 1, wherein the parsed service flow includes detailed information of the service flow, and determining from the parsed service flow that a threat flow exists in the service flow comprises:
determining, according to the detailed information, that a threat flow exists in the service flow if the service flow matches the characteristics of a DoS/DDoS attack.
3. The method of claim 1, wherein the routing information further comprises statistics instruction information, the statistics instruction information instructing the border access router to determine the packet count and the total byte count of the blocked threat flow.
4. The method of claim 3, further comprising:
receiving statistical data sent by the border access router, the statistical data comprising the packet count and the total byte count of the blocked threat flow; and
if it is determined from the statistical data that the threat flow no longer exists in the service flow, sending withdrawal information to the border access router through the preset protocol, the withdrawal information instructing the border access router to stop executing the blocking instruction information.
5. The method of claim 4, further comprising:
determining that the threat flow no longer exists in the service flow if the packet count and the total byte count of the blocked threat flow have not increased within a preset time.
6. The method of any one of claims 1-5, wherein the security protection device comprises a first server and a second server, the first server being connected to the second server and the second server being connected to the border access router.
7. The method of any one of claims 1-5, wherein the preset protocol further comprises one or more of: the Path Computation Element Communication Protocol (PCEP), the BGP-SR protocol, the BGP control protocol, and telemetry.
8. A security protection apparatus, applied to a security protection device located in a security protection architecture, the architecture comprising the security protection device and a border access router connected to it, the apparatus comprising:
an acquisition unit, configured to acquire a service flow accessing a target server and parse the service flow to obtain a parsed service flow, wherein the service flow enters from the border access router;
an extraction unit, configured to extract N-tuple information of the threat flow if it is determined from the parsed service flow that a threat flow exists in the service flow, wherein the threat flow is the part of the service flow that poses a security threat or attack to the target server, the N-tuple information is transmission attribute information of the threat flow, and N is a positive integer; and
a control unit, configured to generate routing information from the N-tuple information of the threat flow and send the routing information to the border access router through a preset protocol, wherein the preset protocol comprises the Border Gateway Protocol flow specification (BGP FlowSpec), and the routing information comprises filtering rule information and blocking instruction information, the blocking instruction information instructing the border access router to block the threat flow according to the filtering rule information.
9. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
wherein the memory stores computer-executable instructions; and
the processor executes the computer-executable instructions stored in the memory to implement the method of any one of claims 1-7.
10. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method of any one of claims 1-7.
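The claims describe the routing information only abstractly: filtering rule information derived from the threat flow's N-tuple, a blocking instruction, a statistics instruction, and a withdrawal once the blocked packet and byte counts stop growing. The following is an added worked example written for this page, not the patent's own implementation or code from the applicant: it encodes such an N-tuple as a BGP Flow Specification NLRI in the RFC 8955 wire format, attaches the traffic-rate extended community with a rate of 0 (the standard FlowSpec way to express "discard", used here as the blocking instruction), and implements the claim-5 withdrawal decision over counter samples. The target prefix, ports, ASN and counter samples are constructed for illustration; the component types covered are limited to destination/source prefix, IP protocol and ports, which is the subset a DoS/DDoS N-tuple normally needs.

```python
"""Added example: BGP FlowSpec blocking rule encoder and withdrawal check.

Illustrative code written for this page, not the patent's own implementation.
It encodes the threat flow's N-tuple as an RFC 8955 Flow Specification NLRI,
builds the traffic-rate 0 extended community (blocking instruction), and
applies the claim-5 rule to the router's packet/byte counters. Prefixes,
ports, ASN and counter samples are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RFC 8955 component types used here; they must appear in ascending order in the NLRI.
FS_DST_PREFIX, FS_SRC_PREFIX, FS_IP_PROTO, FS_DST_PORT, FS_SRC_PORT = 1, 2, 3, 5, 6
OP_END = 0x80  # numeric-operator "e" bit: last {operator, value} pair of the component
OP_EQ = 0x01   # numeric-operator "eq" bit; the "a" (AND) bit stays clear, so pairs are ORed


def encode_prefix(component_type: int, prefix: str) -> bytes:
    """Type 1/2 component: type, prefix length in bits, then only the octets needed."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv6 Flow Spec (RFC 8956) uses a different prefix encoding")
    needed = (net.prefixlen + 7) // 8
    return bytes([component_type, net.prefixlen]) + net.network_address.packed[:needed]


def encode_numeric_eq(component_type: int, values: Iterable[int]) -> bytes:
    """Type 3/5/6 component matching any listed value, using the shortest value width."""
    vals = list(values)
    if not vals:
        raise ValueError("a numeric component needs at least one value")
    out = bytearray([component_type])
    for i, v in enumerate(vals):
        if 0 <= v < 1 << 8:
            width, len_bits = 1, 0x00
        elif v < 1 << 16:
            width, len_bits = 2, 0x10
        elif v < 1 << 32:
            width, len_bits = 4, 0x20
        else:
            raise ValueError(f"value {v} does not fit a Flow Spec numeric operand")
        out.append(OP_EQ | len_bits | (OP_END if i == len(vals) - 1 else 0))
        out += v.to_bytes(width, "big")
    return bytes(out)


@dataclass(frozen=True)
class ThreatTuple:
    """N-tuple extracted from the threat flow (N = number of fields actually set)."""
    dst_prefix: str                     # the target server, e.g. "203.0.113.10/32"
    src_prefix: Optional[str] = None    # usually omitted for a distributed attack
    protocols: Tuple[int, ...] = ()     # IP protocol numbers, e.g. (17,) for UDP
    dst_ports: Tuple[int, ...] = ()
    src_ports: Tuple[int, ...] = ()


def encode_flowspec_nlri(t: ThreatTuple) -> bytes:
    """Filtering rule information: RFC 8955 NLRI = length + components in type order."""
    body = bytearray(encode_prefix(FS_DST_PREFIX, t.dst_prefix))
    if t.src_prefix:
        body += encode_prefix(FS_SRC_PREFIX, t.src_prefix)
    if t.protocols:
        body += encode_numeric_eq(FS_IP_PROTO, t.protocols)
    if t.dst_ports:
        body += encode_numeric_eq(FS_DST_PORT, t.dst_ports)
    if t.src_ports:
        body += encode_numeric_eq(FS_SRC_PORT, t.src_ports)
    n = len(body)
    if n >= 0x1000:
        raise ValueError("NLRI too long for the 12-bit extended length field")
    # Lengths below 240 use one octet; otherwise two octets with the top nibble set.
    length = bytes([n]) if n < 0xF0 else struct.pack("!H", 0xF000 | n)
    return length + bytes(body)


def traffic_rate_community(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """Blocking instruction: traffic-rate extended community (type 0x80, sub-type 0x06).
    A rate of 0 tells the router to discard every packet matched by the NLRI."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def should_withdraw(samples: List[Tuple[float, int, int]], hold_seconds: float) -> bool:
    """Claim-5 rule over (timestamp, packets, bytes) samples reported by the router.

    True once neither counter has increased for at least hold_seconds, measured
    from the last sample in which an increase was seen. One sample never suffices."""
    if len(samples) < 2:
        return False
    last_increase_ts = samples[0][0]
    for (_, p0, b0), (ts, p1, b1) in zip(samples, samples[1:]):
        if p1 > p0 or b1 > b0:
            last_increase_ts = ts
    return samples[-1][0] - last_increase_ts >= hold_seconds


if __name__ == "__main__":
    # Constructed scenario: a UDP/53 flood against 203.0.113.10 seen at the border.
    rule = ThreatTuple(dst_prefix="203.0.113.10/32", protocols=(17,), dst_ports=(53,))
    print("NLRI          ", encode_flowspec_nlri(rule).hex())
    print("ext community ", traffic_rate_community(0).hex())
    # Constructed counter samples (t, packets, bytes): growth stops after t=10.
    counters = [(0, 100, 64000), (10, 150, 96000), (20, 150, 96000), (30, 150, 96000)]
    print("withdraw?", should_withdraw(counters, hold_seconds=20))
```

Two practical caveats when wiring this into a real border router. First, RFC 8955 validation only accepts a FlowSpec route whose destination prefix is covered by a unicast route learned from the same originator, so a rule injected by a separate security device is normally dropped unless the router is configured to skip that validation for the controller session. Second, the withdrawal test assumes the router reports cumulative counters for the blocked rule; if a platform resets counters on each poll, compare deltas rather than absolute values, otherwise a still-active attack would look idle and the rule would be withdrawn prematurely.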

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211531304.1A CN115776406B (en) 2022-12-01 2022-12-01 Security protection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115776406A true CN115776406A (en) 2023-03-10
CN115776406B CN115776406B (en) 2023-10-10

Family

ID=85390971

Country Status (1)

Country Link
CN (1) CN115776406B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180234454A1 (en) * 2017-02-16 2018-08-16 Dell Products, L.P. Securing devices using network traffic analysis and software-defined networking (sdn)
CN110830469A (en) * 2019-11-05 2020-02-21 中国人民解放军战略支援部队信息工程大学 DDoS attack protection system and method based on SDN and BGP flow specification
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium
US20200382540A1 (en) * 2019-05-29 2020-12-03 Arbor Networks, Inc. Measurement and analysis of traffic filtered by network infrastructure
CN112861132A (en) * 2021-02-08 2021-05-28 杭州迪普科技股份有限公司 Cooperative protection method and device

Also Published As

Publication number Publication date
CN115776406B (en) 2023-10-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant