CN118138375B - Network telemetry method and system for detecting network intrusion - Google Patents


Info

Publication number: CN118138375B
Authority: CN (China)
Prior art keywords: telemetry, network, packet, switch, network telemetry
Legal status: Active
Application number: CN202410545564.7A
Other languages: Chinese (zh)
Other versions: CN118138375A
Inventors: 杨鸿珍, 崔允贺, 邓迪, 赵建朋, 汤亿则, 张烨华, 刘若琳, 闫娇娇, 杨帆
Current assignee: GUIZHOU XIANGMING TECHNOLOGY CO LTD; Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Original assignee: GUIZHOU XIANGMING TECHNOLOGY CO LTD; Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Events: application filed by GUIZHOU XIANGMING TECHNOLOGY CO LTD and Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd; priority to CN202410545564.7A; publication of CN118138375A; application granted; publication of CN118138375B; legal status active


Abstract

The application discloses a network telemetry method and system for detecting network intrusion. A network telemetry starting condition threshold is calculated at a network telemetry server from the rate at which a switch generates packet_in messages under normal traffic, and the threshold is deployed in the corresponding switch. When data packets are forwarded and matched, the switch perceives short-duration small flow information in the network as telemetry metadata. While the switch operates, the packet_in generation rate of the current switch is calculated over a suitable counting window; when the switch meets the network telemetry starting condition, fine-grained network telemetry metadata is embedded into network data packets and transmitted to the network telemetry server. This provides a global view of the network state and low-redundancy, fine-grained network telemetry data of the whole network for SDN saturation attack detection. Flow-level network telemetry is started according to the network telemetry starting condition without participation of the controller, which reduces the network load between the controller and the switch.

Description

Network telemetry method and system for detecting network intrusion
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network telemetry method and system for detecting network intrusion.
Background
Software-Defined Networking (SDN) is a new network architecture whose core idea is the separation of control and forwarding. This gives SDN good usability and extensibility, so it is widely applied in fields such as data centers and the Internet of Things. However, the new architecture of SDN also brings new security problems. For example, an attacker can exploit the separation of control and forwarding by sending a large number of malicious requests into the network to launch a saturation attack, so that the controller cannot process normal requests, or so that the controller is induced to install a large number of illegal flow table entries on the switch, occupying the switch's flow table storage space and making the switch unavailable.
Currently, the commonly used SDN saturation attack detection methods include statistical-analysis-based methods and machine-learning-based methods. Both have proven effective in practice but still face challenges: the accuracy of the statistical methods is directly tied to the scale of the traffic to be processed, while the machine learning methods lack a high-quality, standardized data set and a suitable feature selection method for the current data sets. Among these, machine-learning-based SDN attack detection is currently the most widely used method.
When SDN saturation attack detection is performed, the data acquisition method is usually based on network measurement technologies such as OpenFlow protocol or sFlow to acquire network state data, however, the data acquisition method has limitations in coping with complex and changeable attack methods and attack traffic with huge scale.
Disclosure of Invention
The application provides a network telemetry method for detecting network intrusion, which is used for solving the technical problems, providing low-redundancy and fine-granularity network telemetry data of the whole network for SDN saturation attack detection, helping network administrators to cope with increasing SDN saturation attack threats and improving the safety and reliability of SDN networks.
To solve the above technical problem, in a first aspect, the present application provides a network telemetry method for detecting network intrusion, applied to an SDN network, the method includes:
Acquiring a packet_in generation history rate set of an SDN network switch, calculating a network telemetry starting condition threshold corresponding to the switch based on the packet_in generation history rate set, and deploying the network telemetry starting condition threshold to the corresponding switch;
the switch senses small flow information with short duration in the SDN network through a data packet in the SDN network transmission data flow, and takes the small flow information as telemetry metadata;
Calculating the packet_in generation rate of the switch in normal operation, comparing the packet_in generation rate with the network telemetry starting condition threshold, judging whether the switch meets the network telemetry starting condition according to the comparison result, and if so, starting network telemetry of the corresponding switch;
And packaging the telemetry metadata and sending the telemetry metadata to a network telemetry server.
Preferably, the acquiring a packet_in generation history rate set of the SDN network switch, calculating a network telemetry start condition threshold corresponding to the switch based on the packet_in generation history rate set, includes:
Setting a first counting window generated by the packet_in, respectively recording a first time stamp of a first packet_in message generated by the switch in the first counting window and a second time stamp of a last packet_in message, and calculating a packet_in generation history rate according to the first time stamp and the second time stamp;
and setting window count of the first counting window to zero, and circularly calculating a plurality of corresponding packet_in generation historical rates of the switch in the operation period to form a packet_in generation historical rate set.
and screening the maximum value in the packet_in generation history rate set, and taking the maximum value as the network telemetry starting condition threshold corresponding to the switch.
Preferably, the first count window ranges from [2,20].
Preferably, the switch senses short duration small flow information in the SDN network through a data packet in the SDN network transmission data flow, and uses the small flow information as telemetry metadata, including:
opening up a list of storage space in the switch for storing telemetry metadata;
When the switch matches the data packets in the SDN network transmission data flow, extracting a flow table item information field of the flow to which the current matched data packet belongs, starting a data perception thread and forwarding the original data packet, wherein the flow table item information field is expressed as [ source IP, destination IP, source port, destination port, flow existence time ];
and sensing the flow existence time in the flow table entry information field through the data sensing thread, taking the small flow information with the flow existence time smaller than a first set value as telemetry metadata, and storing or updating the flow table entry information field of the small flow information in the storage space list.
Preferably, the first set value is 10000ms.
Preferably, taking the small flow information whose flow existence time is less than the first set value as telemetry metadata and storing or updating the flow table entry information field of the small flow information in the storage space list includes:
If the flow existence time is less than 10000ms, judging according to the source IP, destination IP, source port and destination port whether the flow table entry information already exists in the storage space list; if yes, updating it; if not, directly storing the corresponding flow table entry information in the storage space list;
If the flow existence time is greater than or equal to 10000ms, judging according to the source IP, destination IP, source port and destination port whether the flow table entry information exists in the storage space list; if so, deleting the stored flow table entry information; if not, discarding the corresponding flow table entry information.
Preferably, the calculating the packet_in generating rate when the switch operates normally, comparing the packet_in generating rate with the threshold value of the network telemetry starting condition, and judging whether the switch meets the network telemetry starting condition according to the comparison result includes:
Setting a second counting window generated by the packet_in, respectively recording a third timestamp of a first packet_in message generated by the switch in the second counting window and a fourth timestamp of a last packet_in message, and calculating the packet_in generation rate according to the third timestamp and the fourth timestamp;
And when the packet_in generation rate is greater than or equal to the network telemetry starting condition threshold, the switch is indicated to meet the network telemetry starting condition.
Preferably, the second count window is larger than the first count window.
Preferably, the packaging and sending the telemetry metadata to a telemetry server includes:
calculating the number of the telemetry metadata which can be accommodated in a single data packet according to the MTU size;
calculating the number of network telemetry data packets according to the number of telemetry metadata in the storage space list and the number of the telemetry metadata which can be accommodated by the single data packet;
packaging telemetry header information according to the number of the network telemetry packets, and forming telemetry messages according to the telemetry header information and the telemetry metadata;
setting an Ethernet destination address of a telemetry message, sending the telemetry message to a network telemetry server for analysis, and storing telemetry metadata obtained by analysis in a local server.
In a second aspect, the present application further provides a network telemetry system for detecting network intrusion, applied to an SDN network, the system comprising: the system comprises a network telemetry starting condition calculation and deployment unit, a data stream sensing and filtering unit, a network telemetry starting unit and a network telemetry information encapsulation and transmission unit;
The network telemetry starting condition calculation and deployment unit is used for acquiring a packet_in generation history rate set of an SDN network switch, calculating a network telemetry starting condition threshold corresponding to the switch based on the packet_in generation history rate set, and deploying the network telemetry starting condition threshold to the corresponding switch;
a data flow sensing and filtering unit, configured to sense, by using a data packet in a data flow transmitted by the switch through the SDN network, small flow information with a short duration in the SDN network, and use the small flow information as telemetry metadata;
The network telemetry starting unit is used for calculating the packet_in generation rate when the switch normally operates, comparing the packet_in generation rate with the network telemetry starting condition threshold value, judging whether the switch meets the network telemetry starting condition according to the compared size, and if so, starting the network telemetry of the corresponding switch;
And the network telemetry information packaging and transmitting unit is used for packaging the telemetry metadata and transmitting the telemetry metadata to a network telemetry server.
The application provides a network telemetry method and system for detecting network intrusion. In the method, a network telemetry server is arranged in the SDN network; according to the packet_in rate of each switch during normal operation, the telemetry server calculates the network telemetry starting condition threshold of every switch separately and deploys each threshold in the corresponding switch. Secondly, based on the characteristics of saturation attacks and the matching mechanism of data packets in the switch, when data packets in a data flow are forwarded and matched, the switch perceives short-duration small flow information in the network and stores the flow table entry information fields required for attack detection as telemetry metadata; in this process, short flow information that arrives repeatedly is updated, and long-duration large flow information is filtered out. While the switch operates, the packet_in generation rate of the current switch is calculated over a suitable counting window to judge whether the current switch meets the network telemetry starting condition; if so, network telemetry of the current switch is started, and the telemetry metadata is packaged and sent to the network telemetry server, providing a global network state view and low-redundancy, fine-grained network telemetry data of the whole network for SDN saturation attack detection. At the same time, the network telemetry method can start flow-level network telemetry according to the network telemetry starting condition using telemetry metadata with low memory occupation, and it does not need the participation of the controller while working, so the network load between the controller and the switch is reduced.
Drawings
FIG. 1 is a schematic diagram of steps of a network telemetry method for detecting network intrusion according to a preferred embodiment of the present application;
FIG. 2 is a flow chart of a network telemetry method for detecting network intrusion according to a preferred embodiment of the present application;
FIG. 3 is an exemplary diagram of a network telemetry method for detecting network intrusion in accordance with a preferred embodiment of the present application;
FIG. 4 is a schematic diagram showing steps of a method for calculating a threshold value for network telemetry start conditions according to a preferred embodiment of the present application;
FIG. 5 is a diagram illustrating steps of a packet awareness method according to a preferred embodiment of the present application;
FIG. 6 is a flow chart of a packet awareness method according to a preferred embodiment of the present application;
FIG. 7 is a schematic diagram of the steps of the method for calculating the packet_in rate and initiating network telemetry of a switch according to a preferred embodiment of the present application;
FIG. 8 is a flow chart of a method for calculating the packet_in rate of the switch and initiating network telemetry according to a preferred embodiment of the present application;
FIG. 9 is a schematic diagram of steps of a network telemetry information encapsulation and transmission method provided by a preferred embodiment of the present application;
FIG. 10 is a diagram of a network telemetry message provided by a preferred embodiment of the present application;
Fig. 11 is a schematic diagram of a network telemetry system for detecting network intrusion according to a preferred embodiment of the present application.
Detailed Description
The following examples are given for illustrative purposes only and are not to be construed as limiting the application, as embodiments of the application are specifically illustrated by the accompanying drawings, which are included by reference and description only, and do not limit the scope of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1 and 2, in an embodiment of the present application, there is provided a network telemetry method for detecting network intrusion, applied to an SDN network, the method including:
S100, acquiring a packet_in generation history rate set of an SDN network switch, calculating a network telemetry starting condition threshold corresponding to the switch based on the packet_in generation history rate set, and deploying the network telemetry starting condition threshold to the corresponding switch.
And S200, the switch senses small flow information with short duration in the SDN through a data packet in the SDN transmission data flow, and takes the small flow information as telemetry metadata.
S300, calculating the packet_in generation rate of the switch in normal operation, comparing the packet_in generation rate with the network telemetry starting condition threshold value, judging whether the switch meets the network telemetry starting condition according to the comparison result, and if so, starting the network telemetry of the corresponding switch.
And S400, packaging the telemetry metadata and sending the telemetry metadata to a network telemetry server.
Network telemetry (Network Telemetry) is used as a novel network measurement technology, and can be used for automatically and remotely collecting state information of multiple heterogeneous networks by using network equipment and transmitting information embedded into network data packets to a designated server. Compared with the traditional network measurement technology, the network telemetry has better flexibility, real-time performance and capability of acquiring network states in a finer granularity.
The network telemetry method for detecting network intrusion provided by the application does not need the participation of a controller. FIG. 3 is an example of network telemetry for detecting an SDN saturation attack, in which an attacker launches a saturation attack on the SDN network using 1 host (IP address 10.0.0.4), and a network telemetry server is arranged in the SDN network.
In a preferred embodiment of the present application, as shown in fig. 4, the method steps for calculating a network telemetry start condition threshold for a switch include:
s110, setting a first counting window generated by the packet_in, respectively recording a first time stamp of a first packet_in message generated by the switch in the first counting window and a second time stamp of a last packet_in message, and calculating a packet_in generation history rate according to the first time stamp and the second time stamp.
S120, setting the count of the first count window to zero, and circularly calculating a plurality of corresponding packet_in generation history rates of the switch in the operation period to form a packet_in generation history rate set.
S130, screening the maximum value in the history rate set generated by the packet_in, and taking the maximum value as a network telemetry starting condition threshold corresponding to the switch.
In the preferred embodiment of the present application, a first counting window generated by packet_in is set. The first counting window records the number of packet_in messages generated in one first-counting-window period, and at the same time records the first timestamp corresponding to the first packet_in message and the second timestamp corresponding to the last packet_in message generated in that window period. The value of the first counting window affects the sensitivity of the packet_in generation rate calculation: the smaller the first counting window, the more frequent the rate calculation; the larger the first counting window, the less frequent, and an oversized first counting window makes the rate hardly perceptible under normal traffic. Therefore the application sets the value range of the first window to [2,20], which senses the rate effectively without causing a high rate-calculation frequency that would increase the computing load of the device.
In a preferred embodiment of the application, the first counting window is 20. Within the first counting window the window count is incremented by 1 each time the switch generates a packet_in message; when the window count is 1 the current timestamp is recorded as the first timestamp, and when the window count is 20 the current timestamp is recorded as the second timestamp. The packet_in generation rate calculated from the first timestamp and the second timestamp is recorded as the packet_in history rate, and its calculation formula is as follows:
where the index represents the number of the switch. In the present application, three switches S001, S002 and S003 are used as examples.
The window count of the first counting window is then set to zero, and a plurality of corresponding packet_in generation history rates of the switch under normal traffic are counted and calculated cyclically over the operation period; all calculated packet_in generation history rates are combined into a packet_in generation history rate set, where the index denotes the number of the packet_in generation history rate.
Further, the set is transmitted to the network telemetry server, and the network telemetry starting condition thresholds of the three switches S001, S002 and S003 are calculated respectively. In the present application, the threshold is the maximum rate in each switch's packet_in generation history rate set, calculated as follows:
The network telemetry starting condition thresholds corresponding to the three switches S001, S002 and S003 are then deployed in the corresponding switches respectively.
In the preferred embodiment of the application, the historical packet_in information of the switch is taken as an object, the historical rate of the generation of the packet_in of the switch in the system operation period is obtained and is taken as the network telemetry starting condition threshold of the switch, the threshold is not simply the average value, the maximum value or the minimum value, but one operation period is divided into a plurality of counting windows, the rate of each counting window is calculated, and the maximum value is selected as the network telemetry starting condition threshold of the corresponding switch. The network telemetry starting condition threshold can reflect the real packet_in generation rate of the switch, so that fine-grained network telemetry data can be acquired later. Furthermore, the updating period of the network telemetry starting condition threshold can be set so as to update the network telemetry starting condition threshold periodically, so that the acquired network telemetry data can more accurately reflect the running condition of the network.
Further, in a preferred embodiment of the present application, real-time data plane traffic data is obtained as telemetry metadata for network telemetry, as described in fig. 5 and 6, comprising the steps of:
S210, a storage space list for storing telemetry metadata is opened up in the switch.
In the preferred embodiment of the present application, a storage space list for storing telemetry metadata is opened up in each of the three switches S001, S002 and S003. The storage space list uses dynamic allocation and sets a maximum number of storage items; in the embodiment of the application, 4000 storage items are set. When the storage is full, the list is emptied so that data is re-sensed; when network telemetry is started, the entries stored in the list are encapsulated as network telemetry metadata and transmitted as telemetry packets.
S220, when the switch matches the data packets in the SDN network transmission data flow, extracting flow table item information fields of the flow to which the current matched data packets belong, starting a data perception thread and forwarding the original data packets, wherein the flow table item information fields are represented as [ source IP, destination IP, source port, destination port, flow existence time ].
When the switch operates and a data packet of an SDN transmission data flow is matched in the switch, the switch extracts the flow table entry information field of the flow to which the currently matched data packet belongs. The flow table entry information field is [source IP, destination IP, source port, destination port, flow existence time], where the flow existence time is calculated as: flow existence time = current matching timestamp - flow table entry installation time. The network telemetry data perception thread is then started and the original packet is forwarded immediately.
S230, sensing the flow existence time in the flow table entry information field through the data sensing thread, taking the small flow information with the flow existence time smaller than a first set value as telemetry metadata, and storing or updating the flow table entry information field of the small flow information in the storage space list.
When the data perception thread executes, it extracts the flow existence time from the flow table entry information field, and stores or updates the flow table entry information field of small flow information with a short flow existence time in the storage space list as telemetry metadata. In a preferred embodiment of the present application, small flow information is delimited by a flow existence time of 10000ms: a flow whose flow existence time in the flow table entry information field is less than 10000ms is judged to be small flow information, and one greater than or equal to 10000ms is judged to be long-duration large flow information. Large flow information is basically discarded, but it is still necessary to check whether it was previously stored in the storage space list as small flow information, and if so, it is deleted from the storage space list.
Small flow information is not simply appended to the storage space list: if the flow table entry information already exists in the storage space list, it must be updated so that the flow table entry information remains unique. If the flow table entry information field extracted for the currently matched data packet is [10.0.0.4, 10.0.0.2, 1345, 1807, 234], the packet is judged to be small flow information. Then, whether an entry exists in the storage space list is judged according to [10.0.0.4, 10.0.0.2, 1345, 1807]; if it does not exist, [10.0.0.4, 10.0.0.2, 1345, 1807, 234] is added directly to the storage space list; if it exists as [10.0.0.4, 10.0.0.2, 1345, 1807, 300], then [10.0.0.4, 10.0.0.2, 1345, 1807, 300] is updated to [10.0.0.4, 10.0.0.2, 1345, 1807, 234], ensuring that only one piece of information is maintained per flow in the storage space list.
If the extracted flow entry information field of the current matching data packet is [10.0.0.4, 10.0.0.1, 1340, 1697, 12568], judging that the current matching data packet is large-flow information with long duration. Further, according to [10.0.0.4, 127.0.0.2, 1340, 1697], judging whether the information exists in the storage space list, if not, directly discarding the information, and not storing the information; if so, deleting the original storage flow table entry information field.
In the example shown in fig. 3, the IP address of the SDN controller is 127.0.0.1, and the flow entry information field extracted for the network telemetry packet may be [10.0.0.4, 127.0.0.2, 1340, 1697, 234], which is not stored.
In the preferred embodiment of the application, small flow information is extracted, redundancy is filtered, and the rest large flow information is deleted and discarded, so that low redundancy and fine granularity network telemetry data of the whole network are provided for SDN saturation attack detection, and the accuracy of network telemetry is improved.
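The small/large flow rule of steps S210 to S230 (store, update, delete or discard, with the list emptied when full), as an added Python example that is not the patent's own code; it assumes the flow existence time is the matching timestamp minus the flow entry installation time in milliseconds and keys the list by the four-tuple (source IP, destination IP, source port, destination port):

```python
"""Switch-side perception of short-lived small flows as telemetry metadata.

Added example of the storage space list logic in steps S210-S230; it is not
code from the patent. Assumed here: flow existence time is the matching
timestamp minus the flow entry installation time, both in milliseconds, and
the list is keyed by (source IP, destination IP, source port, destination port).
"""
from typing import Dict, List, Tuple

SMALL_FLOW_LIMIT_MS = 10000   # first set value in the patent
MAX_ENTRIES = 4000            # maximum storage items in the embodiment

FlowKey = Tuple[str, str, int, int]


def flow_existence_time_ms(match_ts_ms: int, install_ts_ms: int) -> int:
    """Flow existence time = current matching timestamp - flow entry installation time."""
    if match_ts_ms < install_ts_ms:
        raise ValueError("matching timestamp precedes flow entry installation")
    return match_ts_ms - install_ts_ms


class MetadataStore:
    """The per-switch storage space list of flow table entry information fields."""

    def __init__(self, max_entries: int = MAX_ENTRIES) -> None:
        self.max_entries = max_entries
        self.entries: Dict[FlowKey, int] = {}   # key -> flow existence time (ms)

    def perceive(self, field: List) -> str:
        """Apply the small/large flow rule to one extracted flow table entry field
        [src_ip, dst_ip, src_port, dst_port, existence_ms]; returns the action taken."""
        src, dst, sport, dport, existence_ms = field
        key: FlowKey = (src, dst, sport, dport)
        if existence_ms < SMALL_FLOW_LIMIT_MS:
            if key in self.entries:
                self.entries[key] = existence_ms    # keep exactly one record per flow
                return "update"
            if len(self.entries) >= self.max_entries:
                self.entries.clear()                # list full: empty it and re-sense
            self.entries[key] = existence_ms
            return "store"
        # large flow: never stored, and a stale small-flow record of it is removed
        if key in self.entries:
            del self.entries[key]
            return "delete"
        return "discard"

    def snapshot(self) -> List[List]:
        """Flow table entry information fields in stored order, ready for encapsulation."""
        return [[*k, t] for k, t in self.entries.items()]

    def __len__(self) -> int:
        return len(self.entries)


def on_packet_match(store: MetadataStore, match: List, match_ts_ms: int, install_ts_ms: int) -> str:
    """Data perception thread entry point: match is [src_ip, dst_ip, src_port, dst_port]
    of the flow the matched packet belongs to."""
    field = [*match, flow_existence_time_ms(match_ts_ms, install_ts_ms)]
    return store.perceive(field)


if __name__ == "__main__":
    store = MetadataStore()
    # The patent's own worked values: a small flow seen twice, then a large flow.
    print(store.perceive(["10.0.0.4", "10.0.0.2", 1345, 1807, 300]))    # store
    print(store.perceive(["10.0.0.4", "10.0.0.2", 1345, 1807, 234]))    # update
    print(store.perceive(["10.0.0.4", "10.0.0.1", 1340, 1697, 12568]))  # discard
    print(store.snapshot())
```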
Further, calculating the packet_in generation rate of the switch in normal operation, comparing the packet_in generation rate with the network telemetry start condition threshold, and starting the network telemetry according to the comparison result, as shown in fig. 7 and 8, including the following steps:
s310, setting a second counting window generated by the packet_in, respectively recording a third timestamp of a first packet_in message and a fourth timestamp of a last packet_in message generated by the switch in the second counting window, and calculating the packet_in generation rate according to the third timestamp and the fourth timestamp.
When the switch is started and operates normally, a second counting window generated by packet_in is set and initialized so that the packet_in count starts from 0, and the counting window is maintained in real time and works cyclically while the system operates. The second counting window records the number of packet_in messages generated in one second-counting-window period, and at the same time records the third timestamp corresponding to the first packet_in message and the fourth timestamp corresponding to the last packet_in message generated in that period.
In step S110, more history data needs to be acquired, so the first counting window is set slightly smaller, and the second counting window should be larger than the first counting window. In a preferred embodiment of the application, the value of the second counting window is 50, i.e. the upper limit of the count is 50. For example, in switch S001, within one second counting window the window count is incremented by 1 each time a packet_in message is generated in S001; when the window count is 1 the current timestamp is recorded as the third timestamp, and when the window count is 50 the current timestamp is recorded as the fourth timestamp. The current packet_in rate is then calculated from these two timestamps, the second counting window is reset to 0, and the process is repeated so that the window works cyclically. Each switch updates its own rate through its second counting window in the data plane; the packet_in generation rates updated by the three switches in the embodiment of the application are denoted separately.
And S320, when the packet_in generation rate is greater than or equal to the network telemetry starting condition threshold, the switch meets the network telemetry starting condition.
In a preferred embodiment of the application, byJudging whether the corresponding switch meets the network telemetry starting condition or not, wherein the judging rule for meeting the network telemetry starting condition is as follows: . Network telemetry is initiated upon satisfaction of network telemetry initiation conditions, as shown in FIG. 3, switch S001 in the specific example of the present application If the network telemetry starting condition is met, the switch S001 is started to perform network telemetry, and the other two switches S002 and S003 are respectivelyAndNetwork telemetry start conditions are not met, so network telemetry is not started.
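The cyclic counting window and the threshold comparison of steps S310 and S320, together with the "maximum of the history rate set" threshold rule of claim 1, as an added Python example that is not the patent's own code. It assumes that a window's rate is its count divided by the time between its first and last packet_in timestamps (the patent's own rate formula is an image the page does not reproduce), and uses constructed timestamps for three switches rather than measurements from the embodiment:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not the patent's code. It implements the cyclic packet_in
# counting window of steps S310/S320 and the threshold rule of claim 1.
# Assumption: a window's rate is its count divided by the elapsed time between
# its first and last packet_in timestamps (packet_in per second); the patent's
# own rate formula is an image that the page does not reproduce.


@dataclass
class CountWindow:
    """One cyclic packet_in counting window (the first or the second window)."""
    size: int                              # count upper limit, e.g. 20 or 50
    count: int = 0
    t_first: Optional[float] = None        # first / third timestamp
    t_last: Optional[float] = None         # second / fourth timestamp
    rates: List[float] = field(default_factory=list)

    def on_packet_in(self, ts: float) -> Optional[float]:
        """Record one packet_in generated at time ts (seconds).

        Returns the window's rate when the window fills, after which the
        window is reset to 0 so it keeps working cyclically; otherwise None.
        """
        self.count += 1
        if self.count == 1:
            self.t_first = ts
        if self.count < self.size:
            return None
        self.t_last = ts
        elapsed = self.t_last - self.t_first
        # Every packet_in of a window carrying the same timestamp means a burst
        # faster than the clock resolution; treat it as an unbounded rate.
        rate = float("inf") if elapsed <= 0 else self.size / elapsed
        self.rates.append(rate)
        self.count, self.t_first, self.t_last = 0, None, None
        return rate


def window_rates(size: int, timestamps: List[float]) -> List[float]:
    """Feed a sequence of packet_in timestamps through one window of the given size."""
    window = CountWindow(size)
    for ts in timestamps:
        window.on_packet_in(ts)
    return window.rates


def start_threshold(history_rates: List[float]) -> float:
    """Claim 1: the start threshold is the maximum of the history rate set."""
    if not history_rates:
        raise ValueError("history rate set is empty")
    return max(history_rates)


def telemetry_should_start(current_rate: float, threshold: float) -> bool:
    """Step S320: start telemetry when the current rate reaches the threshold."""
    return current_rate >= threshold


def decide_for_switches(history: Dict[str, List[float]],
                        runtime: Dict[str, List[float]]) -> Dict[str, Tuple[float, float, bool]]:
    """Per switch: history timestamps -> threshold (first window, size 20);
    runtime timestamps -> current rate (second window, size 50) -> decision."""
    decisions = {}
    for name in history:
        threshold = start_threshold(window_rates(20, history[name]))
        current = window_rates(50, runtime[name])
        rate = current[-1] if current else 0.0   # most recently completed window
        decisions[name] = (threshold, rate, telemetry_should_start(rate, threshold))
    return decisions


# Constructed sample timestamps (seconds), not measurements from the patent:
# in normal operation every switch produces one packet_in every 0.5 s.
HISTORY = {name: [i * 0.5 for i in range(60)] for name in ("S001", "S002", "S003")}
# At run time S001 sees a packet_in every 0.1 s (many unknown flows arriving),
# while S002 and S003 stay at one every 0.6 s.
RUNTIME = {
    "S001": [i * 0.1 for i in range(50)],
    "S002": [i * 0.6 for i in range(50)],
    "S003": [i * 0.6 for i in range(50)],
}

if __name__ == "__main__":
    for name, (thr, rate, start) in decide_for_switches(HISTORY, RUNTIME).items():
        print(f"{name}: threshold={thr:.2f}/s current={rate:.2f}/s start={start}")
```

With these inputs only S001 crosses its threshold and starts telemetry, matching the behaviour the description attributes to the three switches; the zero-elapsed-time guard matters on real hardware, where several packet_in messages can share one timestamp.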
Further, in the preferred embodiment of the application, after network telemetry is started, the telemetry metadata are encapsulated and sent to the telemetry server, as shown in FIG. 9, comprising the following steps:
S410, calculating the number of the telemetry metadata which can be accommodated in a single data packet according to the MTU size.
S420, calculating the number of network telemetry data packets according to the number of telemetry metadata in the storage space list and the number of the telemetry metadata which can be accommodated by the single data packet.
S430, encapsulating telemetry header information according to the number of network telemetry packets, and forming telemetry messages from the telemetry header information and the telemetry metadata.
S440, setting the Ethernet destination address of the telemetry message, sending the telemetry message to a network telemetry server for analysis, and storing the telemetry metadata obtained by analysis in a local server.
According to the MTU size (1500 KB) and the telemetry header size, the number s of telemetry metadata that a single data packet can contain is calculated, as shown in the network telemetry message schematic of FIG. 10, where the telemetry header is 3KB in size, the UDP header 8KB, the IP header 20KB, the remaining space available for telemetry metadata is 1496KB, and each telemetry metadata is 16 bytes in size. Further, the number of network telemetry data packets is calculated from the number of telemetry metadata in the storage space list and the number s of telemetry metadata that a single data packet can accommodate.
Further, the telemetry header information is encapsulated according to the number of network telemetry packets, and telemetry messages are formed from the telemetry header information and the telemetry metadata. As shown in FIG. 10, the telemetry header consists of an INT Proto field, which is the protocol port number, and a telemetry identifier. One of the registered ports (1024-49151), in this example 21807, is selected as the network telemetry protocol port number. The high 2 bits of the telemetry identifier identify the type of telemetry packet, which in the present embodiment is 00B; a new network telemetry packet type, such as a telemetry packet that collects device information alone rather than flow information, can be indicated by 01. Of the lower 14 bits, the higher 7 bits identify the round of telemetry initiation (e.g., 0000001B is the first round of network telemetry initiation) and the lower 7 bits identify the packet number within the current round (e.g., 0000010B is the 2nd packet of the current network telemetry); for example, 00000100000011B denotes the 3rd packet of the 2nd round of network telemetry initiation. In the embodiment of the application, when only one piece of telemetry metadata is packaged, the complete INT Proto information is 110101001111010101B, the telemetry identification field is 0000000010000001B, and the telemetry metadata field is [10.0.0.4, 10.0.2, 1345, 1807, 234]; the metadata size is 16 bytes, and the telemetry message meets the minimum frame length without padding.
After the telemetry message is obtained, its Ethernet destination address dst is set and the message is sent to the network telemetry server; in the embodiment of the application the dst address is 127.0.0.2, and the telemetry message is collected using the INT-XD working mode of the INT v2.1 standard. The network telemetry server parses the telemetry message to obtain the telemetry metadata and stores them in the local server, which completes the network telemetry work.
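The message layout of steps S410 to S440 and FIG. 10, built on the switch side and parsed on the server side, as an added Python example that is not the patent's own code. It assumes the telemetry header is the INT Proto port (2 bytes) followed by the 16-bit telemetry identifier (2-bit type, 7-bit round, 7-bit packet number, as the description lays out), that a metadata entry [source IP, destination IP, source port, destination port, flow lifetime in ms] is packed as 4+4+2+2+4 = 16 bytes, and that the description's size figures are bytes; the 200-entry storage list is constructed:

```python
import math
import struct
from ipaddress import IPv4Address
from typing import List, Tuple

# Added example, not the patent's code. It builds and parses the telemetry
# message of steps S410-S440 and FIG. 10. Assumptions: the telemetry header is
# INT Proto (2 bytes) followed by the 16-bit telemetry identifier; a metadata
# entry [src IP, dst IP, src port, dst port, flow lifetime ms] is packed as
# 4+4+2+2+4 = 16 bytes; the description's size figures are read as bytes.

INT_PROTO_PORT = 21807      # registered port (1024-49151) chosen in the description
TYPE_FLOW = 0b00            # high-2-bit packet type used in the embodiment
METADATA_SIZE = 16          # bytes per telemetry metadata entry
ENTRY_FMT = "!4s4sHHI"      # src_ip, dst_ip, src_port, dst_port, flow_lifetime_ms

Metadata = Tuple[str, str, int, int, int]


def metadata_per_packet(capacity: int = 1496) -> int:
    """Step S410: entries s that fit in the space left for metadata."""
    return capacity // METADATA_SIZE


def packet_count(n_entries: int, per_packet: int) -> int:
    """Step S420: number of telemetry packets needed for the storage list."""
    return math.ceil(n_entries / per_packet)


def encode_identifier(pkt_type: int, round_no: int, pkt_no: int) -> int:
    """Telemetry identifier: 2-bit type | 7-bit round | 7-bit packet number."""
    if not (0 <= pkt_type < 4 and 1 <= round_no < 128 and 1 <= pkt_no < 128):
        raise ValueError("identifier field out of range")
    return (pkt_type << 14) | (round_no << 7) | pkt_no


def decode_identifier(ident: int) -> Tuple[int, int, int]:
    return ident >> 14, (ident >> 7) & 0x7F, ident & 0x7F


def pack_entry(m: Metadata) -> bytes:
    src, dst, sport, dport, lifetime = m
    return struct.pack(ENTRY_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       sport, dport, lifetime)


def unpack_entry(raw: bytes) -> Metadata:
    src, dst, sport, dport, lifetime = struct.unpack(ENTRY_FMT, raw)
    return str(IPv4Address(src)), str(IPv4Address(dst)), sport, dport, lifetime


def encapsulate(entries: List[Metadata], round_no: int, capacity: int = 1496) -> List[bytes]:
    """Step S430: split the storage list into telemetry messages, each with a header."""
    s = metadata_per_packet(capacity)
    packets = []
    for i in range(packet_count(len(entries), s)):
        chunk = entries[i * s:(i + 1) * s]
        ident = encode_identifier(TYPE_FLOW, round_no, i + 1)   # packet numbers start at 1
        header = struct.pack("!HH", INT_PROTO_PORT, ident)
        packets.append(header + b"".join(pack_entry(m) for m in chunk))
    return packets


def parse(packet: bytes) -> Tuple[Tuple[int, int, int], List[Metadata]]:
    """Server side of S440: validate the header and recover the metadata list.
    Rejects messages that do not carry the telemetry port or whose metadata
    section is not a whole number of entries, so a malformed or truncated
    message is dropped instead of being stored."""
    if len(packet) < 4:
        raise ValueError("truncated telemetry header")
    port, ident = struct.unpack("!HH", packet[:4])
    if port != INT_PROTO_PORT:
        raise ValueError("not a network telemetry message")
    body = packet[4:]
    if len(body) % METADATA_SIZE:
        raise ValueError("metadata section is not a whole number of entries")
    entries = [unpack_entry(body[i:i + METADATA_SIZE])
               for i in range(0, len(body), METADATA_SIZE)]
    return decode_identifier(ident), entries


# Constructed sample storage list of 200 short flows, not data from the patent.
SAMPLE = [("10.0.0.4", "10.0.1.2", 1345, 1807 + i, 234 + i) for i in range(200)]

if __name__ == "__main__":
    for msg in encapsulate(SAMPLE, round_no=2):
        (ptype, rnd, num), entries = parse(msg)
        print(f"type {ptype} round {rnd} packet {num}: {len(entries)} entries, {len(msg)} bytes")
```

With the description's 1496-byte budget, s = 93 entries per packet, so a 200-entry storage list is sent as three messages whose identifiers carry packet numbers 1, 2 and 3 for round 2, and the identifier 0000000010000001B from the text decodes to round 1, packet 1.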
In the preferred embodiment of the application, a network telemetry server is arranged in the SDN network. First, from the packet_in rates obtained while each switch operates normally, the telemetry server calculates the network telemetry start condition threshold of each switch and deploys it in the corresponding switch. Secondly, based on the characteristics of saturation attacks and on the matching mechanism for data packets of a flow within the switch, the switch perceives short-duration small-flow information in the network while forwarding and matching packets, stores the flow table entry information fields required for attack detection as telemetry metadata, updates short-flow information that arrives repeatedly, and filters out long-duration large-flow information. While the switch operates, it calculates its current packet_in generation rate with an appropriately sized counting window and judges whether it satisfies the network telemetry start condition; if so, network telemetry of the current switch is started, the telemetry metadata are encapsulated and sent to the network telemetry server, and network-wide telemetry data of low redundancy and fine granularity are provided for SDN saturation attack detection. At the same time, the network telemetry method starts flow-level network telemetry according to the start condition using telemetry metadata with low memory occupation, and it does not require the controller's participation while working, which reduces the network load between the controller and the switches.
Accordingly, as shown in FIG. 11, based on the network telemetry method for detecting network intrusion, the embodiment of the invention further provides a network telemetry system for detecting network intrusion, applied to an SDN network, which comprises a network telemetry start condition calculation and deployment unit 1, a data flow sensing and filtering unit 2, a network telemetry starting unit 3 and a network telemetry information encapsulation and transmission unit 4;
The network telemetry start condition calculation and deployment unit 1 is configured to obtain a packet_in generation history rate set of an SDN network switch, calculate the network telemetry start condition threshold corresponding to the switch based on the packet_in generation history rate set, and deploy the network telemetry start condition threshold to the corresponding switch.
The data flow sensing and filtering unit 2 is configured to sense, through the data packets of the data flows transmitted by the switch in the SDN network, short-duration small-flow information in the SDN network, and to use the small-flow information as telemetry metadata.
The network telemetry starting unit 3 is used for calculating the packet_in generation rate when the switch operates normally, comparing the packet_in generation rate with the network telemetry start condition threshold, judging from the comparison result whether the switch satisfies the network telemetry start condition, and if so, starting network telemetry of the corresponding switch.
The network telemetry information encapsulation and transmission unit 4 is used for encapsulating the telemetry metadata and transmitting them to the network telemetry server.
For specific limitations on a network telemetry system for detecting network intrusions, reference may be made to the above-described limitations on a network telemetry method for detecting network intrusions, which are not repeated here. Those of ordinary skill in the art will appreciate that the various modules and steps described in connection with the disclosed embodiments of the application may be implemented in hardware, software, or a combination of both. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The foregoing examples represent only a few preferred embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the application. It should be noted that modifications and substitutions can be made by those skilled in the art without departing from the technical principles of the present application, and such modifications and substitutions should also be considered to be within the scope of the present application. Therefore, the protection scope of the patent of the application is subject to the protection scope of the claims.

Claims (9)

1. A network telemetry method for detecting network intrusion, applied to an SDN network, the method comprising:
Acquiring a packet_in generation history rate set of an SDN network switch, calculating a network telemetry starting condition threshold corresponding to the switch based on the packet_in generation history rate set, and deploying the network telemetry starting condition threshold to the corresponding switch;
the switch senses small flow information with short duration in the SDN network through a data packet in the SDN network transmission data flow, and takes the small flow information as telemetry metadata;
Calculating the packet_in generation rate of the switch in normal operation, comparing the packet_in generation rate with the network telemetry starting condition threshold value, judging whether the switch meets the network telemetry starting condition according to the comparison result, and if so, starting the network telemetry of the corresponding switch;
Packaging the telemetry metadata and sending the telemetry metadata to a network telemetry server;
the acquiring a packet_in generation history rate set of an SDN network switch, calculating a network telemetry start condition threshold corresponding to the switch based on the packet_in generation history rate set, including:
Setting a first counting window generated by the packet_in, respectively recording a first time stamp of a first packet_in message generated by the switch in the first counting window and a second time stamp of a last packet_in message, and calculating a packet_in generation history rate according to the first time stamp and the second time stamp;
setting window count of the first counting window to zero, and circularly calculating a plurality of corresponding packet_in generation history rates of the switch in an operation period to form a packet_in generation history rate set;
And screening the packet_in to generate a maximum value in the historical rate set, and taking the maximum value as a network telemetry starting condition threshold corresponding to the switch.
2. The network telemetry method of claim 1 wherein the first count window is within the range [2,20].
3. The network telemetry method of claim 1 for detecting network intrusion, wherein the switch perceives short duration small flow information in the SDN network as telemetry metadata through data packets in the SDN network transport data flow, comprising:
opening up a list of storage space in the switch for storing telemetry metadata;
When the switch matches the data packets in the SDN network transmission data flow, extracting a flow table item information field of the flow to which the current matched data packet belongs, starting a data perception thread and forwarding the original data packet, wherein the flow table item information field is expressed as [ source IP, destination IP, source port, destination port, flow existence time ];
and sensing the flow existence time in the flow table entry information field through the data sensing thread, taking the small flow information with the flow existence time smaller than a first set value as telemetry metadata, and storing or updating the flow table entry information field of the small flow information in the storage space list.
4. A network telemetry method for detecting network intrusion according to claim 3, wherein said first set value is 10000 ms.
5. The network telemetry method of claim 4 wherein said taking the small flow information with the flow existence time smaller than the first set value as telemetry metadata and storing or updating the flow table entry information field of said small flow information in said storage space list comprises:
If the flow existence time is less than 10000ms, judging whether the flow table item information exists in the storage space list according to the source IP, the destination IP, the source port and the destination port, and if yes, updating; if not, directly storing the corresponding stream table item information in the storage space list;
If the flow existence time is more than or equal to 10000ms, judging whether the flow table item information exists in the storage space list according to the source IP, the destination IP, the source port and the destination port, and if so, deleting the stored flow table item information; if not, discarding the corresponding table entry information.
6. The network telemetry method of claim 1 wherein said calculating a packet_in generation rate of said switch during normal operation, comparing said packet_in generation rate with said network telemetry initiation condition threshold, and determining whether said switch satisfies network telemetry initiation conditions based on the comparison result comprises:
Setting a second counting window generated by the packet_in, respectively recording a third timestamp of a first packet_in message generated by the switch in the second counting window and a fourth timestamp of a last packet_in message, and calculating the packet_in generation rate according to the third timestamp and the fourth timestamp;
And when the packet_in generation rate is greater than or equal to the network telemetry starting condition threshold, the switch is indicated to meet the network telemetry starting condition.
7. The network telemetry method of claim 6 wherein the second count window is greater than the first count window.
8. The network telemetry method of claim 3 wherein said encapsulating and transmitting said telemetry metadata to a telemetry server comprises:
calculating the number of the telemetry metadata which can be accommodated in a single data packet according to the MTU size;
calculating the number of network telemetry data packets according to the number of telemetry metadata in the storage space list and the number of the telemetry metadata which can be accommodated by the single data packet;
packaging telemetry header information according to the number of the network telemetry data packets, and forming telemetry messages according to the telemetry header information and the telemetry metadata;
setting an Ethernet destination address of a telemetry message, sending the telemetry message to a network telemetry server for analysis, and storing telemetry metadata obtained by analysis in a local server.
9. A network telemetry system for detecting network intrusion, applied to an SDN network, the system comprising: a network telemetry starting condition calculation and deployment unit, a data stream sensing and filtering unit, a network telemetry starting unit and a network telemetry information encapsulation and transmission unit;
The network telemetry starting condition calculation and deployment unit is used for acquiring a packet_in generation history rate set of an SDN network switch, calculating a network telemetry starting condition threshold corresponding to the switch based on the packet_in generation history rate set, and deploying the network telemetry starting condition threshold to the corresponding switch;
a data flow sensing and filtering unit, configured to sense, by using a data packet in a data flow transmitted by the switch through the SDN network, small flow information with a short duration in the SDN network, and use the small flow information as telemetry metadata;
The network telemetry starting unit is used for calculating the packet_in generation rate when the switch normally operates, comparing the packet_in generation rate with the network telemetry starting condition threshold value, judging whether the switch meets the network telemetry starting condition according to the comparison result, and if so, starting the network telemetry of the corresponding switch;
The network telemetry information packaging and transmitting unit is used for packaging the telemetry metadata and transmitting the telemetry metadata to a network telemetry server;
the acquiring a packet_in generation history rate set of an SDN network switch, calculating a network telemetry start condition threshold corresponding to the switch based on the packet_in generation history rate set, including:
Setting a first counting window generated by the packet_in, respectively recording a first time stamp of a first packet_in message generated by the switch in the first counting window and a second time stamp of a last packet_in message, and calculating a packet_in generation history rate according to the first time stamp and the second time stamp;
setting window count of the first counting window to zero, and circularly calculating a plurality of corresponding packet_in generation history rates of the switch in an operation period to form a packet_in generation history rate set;
And screening the packet_in to generate a maximum value in the historical rate set, and taking the maximum value as a network telemetry starting condition threshold corresponding to the switch.
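The storage space list of claims 3 to 5 (short flows below the first set value are stored or updated as telemetry metadata; flows at or above it are filtered out and any stale entry for them is deleted), as an added Python example that is not the patent's own code. The class name, the event sequence and the IP addresses are constructed for illustration; the 10000 ms limit is the value claim 4 gives:

```python
from typing import Dict, List, Tuple

# Added example, not the patent's code. It implements the storage-space list
# of claims 3-5: a flow table entry whose flow existence time is below the
# first set value is stored or updated as telemetry metadata; a longer-lived
# flow is filtered out, and an entry it previously left behind is deleted.
# Flow existence time is in milliseconds.

FIRST_SET_VALUE_MS = 10000   # claim 4

FlowKey = Tuple[str, str, int, int]   # source IP, destination IP, source port, destination port


class TelemetryStore:
    """Storage space list opened in the switch, keyed by the flow 4-tuple."""

    def __init__(self) -> None:
        self._entries: Dict[FlowKey, List] = {}

    def observe(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                flow_lifetime_ms: int) -> str:
        """Apply claim 5 to one flow table entry; returns the action taken."""
        key: FlowKey = (src_ip, dst_ip, src_port, dst_port)
        if flow_lifetime_ms < FIRST_SET_VALUE_MS:
            # short flow: store it, or update the entry if the flow was seen before
            action = "updated" if key in self._entries else "stored"
            self._entries[key] = [src_ip, dst_ip, src_port, dst_port, flow_lifetime_ms]
            return action
        # long-lived flow: it is not attack-relevant metadata, so drop any
        # entry recorded while it was still short, otherwise ignore it
        if key in self._entries:
            del self._entries[key]
            return "deleted"
        return "discarded"

    def metadata(self) -> List[List]:
        """Current telemetry metadata, ready for encapsulation (step S410 onwards)."""
        return list(self._entries.values())

    def __len__(self) -> int:
        return len(self._entries)


def replay(events) -> Tuple[TelemetryStore, List[str]]:
    """Feed a sequence of (src, dst, sport, dport, lifetime_ms) observations."""
    store = TelemetryStore()
    actions = [store.observe(*e) for e in events]
    return store, actions


# Constructed sample flow table observations, not data from the patent.
EVENTS = [
    ("10.0.0.4", "10.0.1.2", 1345, 80, 234),        # new short flow -> stored
    ("10.0.0.4", "10.0.1.2", 1345, 80, 2500),       # same flow seen again -> updated
    ("10.0.0.7", "10.0.1.2", 40001, 443, 120000),   # long-lived flow -> discarded
    ("10.0.0.4", "10.0.1.2", 1345, 80, 12000),      # outgrew the limit -> deleted
    ("10.0.0.9", "10.0.1.2", 53111, 22, 50),        # another short flow -> stored
]

if __name__ == "__main__":
    store, actions = replay(EVENTS)
    print(actions)
    print(store.metadata())
```

Keying on the 4-tuple is what keeps the list small during a saturation attack: a flow that keeps reappearing overwrites its own entry rather than adding a new one, and a flow that turns out to be long-lived removes itself, so the metadata that reaches the server is only the short-flow information the detector needs.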
CN202410545564.7A 2024-05-06 2024-05-06 Network telemetry method and system for detecting network intrusion Active CN118138375B (en)

Publications (2)

Publication Number Publication Date
CN118138375A CN118138375A (en) 2024-06-04
CN118138375B true CN118138375B (en) 2024-07-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant