TWI682644B - Dynamic protection method for network node and network protection server - Google Patents

Dynamic protection method for network node and network protection server

Info

Publication number
TWI682644B
Authority
TW
Taiwan
Prior art keywords
network packet
network
mobile protection
packet
virtual
Prior art date
Application number
TW108100516A
Other languages
Chinese (zh)
Other versions
TW202027460A (en)
Inventor
王貞力
周國森
陳彥仲
Original Assignee
中華電信股份有限公司
Events
Application filed by 中華電信股份有限公司, priority to TW108100516A; application granted; published as TWI682644B and as TW202027460A.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a dynamic protection method for a network node and a network protection server. The method includes: creating a dynamic protection table, wherein the dynamic protection table includes a plurality of virtual target hosts and a plurality of numbers corresponding to the virtual target hosts; recording a first time point at which the dynamic protection table is created, and generating an interval time; updating the correspondence between the virtual target hosts and the foregoing numbers at a second time point so as to update the dynamic protection table, wherein the second time point is the sum of the first time point and the interval time; and receiving a network packet and adaptively directing the network packet to one of the aforementioned virtual target hosts according to the packet content of the network packet.

Description

Dynamic protection method for a network node and network protection server

The invention relates to a network protection method and a network protection server, and in particular to a dynamic protection method for a network node and a network protection server.

In current network environments the network configuration of a system service host is mostly static and fixed, and the configuration information is not changed continuously after deployment. Once an intruder has probed the host and gathered data, for example through a port-scanning attack, it can mount a targeted and effective intrusion against the weaknesses or vulnerabilities of the system service host.

In view of this, the invention provides a dynamic protection method for a network node and a network protection server that can address the above technical problem.

The invention provides a dynamic protection method for a network node, which includes: creating a dynamic protection table, where the table includes a plurality of virtual target hosts and a plurality of dynamic protection numbers corresponding to those virtual target hosts; recording a first time point at which the table is created, and generating an interval time; updating the correspondence between the virtual target hosts and the dynamic protection numbers at a second time point so as to update the table, where the second time point is the sum of the first time point and the interval time; and receiving a network packet and adaptively directing it to one of the virtual target hosts according to its packet content.

The invention also provides a network protection server that includes a storage circuit and a processor. The storage circuit records a plurality of modules. The processor is coupled to the storage circuit and accesses the modules to perform the following steps: creating a dynamic protection table, where the table includes a plurality of virtual target hosts and a plurality of dynamic protection numbers corresponding to those virtual target hosts; recording a first time point at which the table is created, and generating an interval time; updating the correspondence between the virtual target hosts and the dynamic protection numbers at a second time point so as to update the table, where the second time point is the sum of the first time point and the interval time; and receiving a network packet and adaptively directing it to one of the virtual target hosts according to its packet content.

Based on the above, the invention lets the target host keep changing over time, which increases the complexity and cost of an attack, limits the attacker's chances of discovering vulnerabilities, and achieves the protective effect of active defense.

To make the above features and advantages of the invention clearer, embodiments are described in detail below with reference to the accompanying drawings.

In outline, the invention discloses a dynamic protection method in which network nodes change randomly. When virtual hosts communicate over the network, software-defined networking technology is used to monitor the virtual network, and a dynamic protection table is used to change the network node and host location that a suspicious connection is trying to reach; the network nodes in the table themselves keep changing at random intervals in order to confuse and deceive suspicious users. When a network packet is received, its content is analysed against the information on the protected system service hosts and the target hosts to determine whether it is a suspicious connection that needs dynamic protection handling. If the packet is judged suspicious then, depending on the situation, a dynamic protection connection rule is dispatched to the cloud virtual switch over the OpenFlow protocol, so that the network node of the system service host the connection originally sought is swapped and the packet is forwarded to a target host instead, or the packet is simply dropped. If the packet is not judged suspicious, it is allowed to connect normally to the system service host. As a result a suspicious user cannot obtain correct system service information and must deal with a large number of uncertainties, and the dynamic nature of the system makes it harder to explore and predict, which achieves the goal of protecting the system.

Referring to FIG. 1, which is a schematic diagram of a network protection server according to an embodiment of the invention: in this embodiment the network protection server 100 may be a server, a personal computer (PC), a notebook PC, a netbook PC, a tablet PC, a virtual machine, or the like, but is not limited to these.

As shown in FIG. 1, the network protection server 100 includes a storage circuit 102 and a processor 104. The storage circuit 102 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk, other similar device, or a combination of these, and can be used to record multiple program codes or modules.

The processor 104 is coupled to the storage circuit 102 and may be a general-purpose processor, a special-purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors combined with a digital signal processor core, a controller, a microcontroller, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), any other kind of integrated circuit, a state machine, an Advanced RISC Machine (ARM) based processor, or the like.

In embodiments of the invention, the processor 104 can load the program code or modules recorded in the storage circuit 102 to carry out the dynamic protection method for a network node proposed by the invention, as further described below.

Referring to FIG. 2, which is a flowchart of the dynamic protection method for a network node according to an embodiment of the invention: the method of this embodiment can be performed by the network protection server of FIG. 1, and the details of each step of FIG. 2 are described below with reference to the components shown in FIG. 1.

In step S210, the processor 104 creates a dynamic protection table. In this embodiment the table includes multiple virtual target hosts and multiple dynamic protection numbers corresponding to them. For example, if the number of virtual target hosts is n and the dynamic protection numbers are 0 to (n-1), the processor 104 assigns each virtual target host one of the numbers 0 to (n-1), with each virtual target host corresponding to a different number. In addition, the table may also include, for each virtual target host, its target host number, network node and virtual network interface, but is not limited to these.

In step S220, the processor 104 records the first time point at which the dynamic protection table was created (hereinafter T_pre) and generates an interval time (hereinafter T_r). In different embodiments the processor 104 may generate T_r in different ways as required. For example, it may randomly generate a value within a certain range (for example, 30 minutes) as T_r, but is not limited to this.

In step S230, the processor 104 updates the correspondence between the virtual target hosts and the dynamic protection numbers at a second time point (hereinafter T_now) so as to update the dynamic protection table. In this embodiment T_now is, for example, the sum of T_pre and T_r; that is, after T_pre the processor 104 waits for T_r and then updates the correspondence between the virtual target hosts and the dynamic protection numbers.

In one embodiment, the processor 104 updates the dynamic protection table by shuffling the correspondence between the virtual target hosts and the dynamic protection numbers. For example, suppose the initially created table includes a first, second, ..., tenth virtual target host, corresponding one-to-one and in order to dynamic protection numbers 0 to 9. After the processor 104 performs the update, the first to tenth virtual target hosts no longer correspond in order to numbers 0 to 9; instead each corresponds to some one of 0 to 9, for example the first virtual target host to number 2, the second to number 6, and so on. This is only an example and does not limit the possible embodiments of the invention.

In one embodiment, the processor 104 updates the correspondence between the virtual target hosts and the dynamic protection numbers again at a third time point, so as to update the table again, where the third time point is separated from the second time point by another interval time that may likewise be (randomly) generated by the processor 104. In other words, the processor 104 can keep updating the dynamic protection table from time to time, for example by shuffling the correspondence between the virtual target hosts and the dynamic protection numbers, but the invention is not limited to this.

In step S240, the processor 104 receives a network packet and adaptively directs it to one of the virtual target hosts according to the packet content.
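The following is an added example, not code from the patent or from its assignee, showing how steps S210 to S230 can be modelled: a table mapping dynamic protection numbers 0 to n-1 onto virtual target hosts, the recorded creation time T_pre, a randomly drawn interval T_r, and a reshuffle of the mapping once T_now = T_pre + T_r has passed. The host names, the injectable clock and random source, and the 1 second to 30 minute interval range are assumptions made for this example.

```python
"""Dynamic protection table with random-interval reshuffling (added example)."""
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class VirtualTarget:
    """One row of the table: a virtual target host and where it lives."""
    host_id: str   # target host number, e.g. "vt-01" (constructed)
    node: str      # network node hosting it
    vnic: str      # virtual network interface on that node


class DynamicProtectionTable:
    def __init__(self, targets: List[VirtualTarget], max_interval_s: float = 30 * 60,
                 rng: Optional[random.Random] = None,
                 clock: Callable[[], float] = time.monotonic):
        if not targets:
            raise ValueError("need at least one virtual target host")
        # SystemRandom so the interval and the permutation are not predictable;
        # a seeded random.Random can be injected for reproducible tests.
        self._rng = rng if rng is not None else random.SystemRandom()
        self._clock = clock
        self._max_interval_s = max_interval_s
        # S210: numbers 0..n-1, one per host, initially in list order.
        self._targets = list(targets)
        self._map: Dict[int, VirtualTarget] = {i: t for i, t in enumerate(self._targets)}
        self.t_pre = 0.0
        self.t_r = 0.0
        self._schedule_next()  # S220: record T_pre and draw T_r

    def _schedule_next(self) -> None:
        self.t_pre = self._clock()
        self.t_r = self._rng.uniform(1.0, self._max_interval_s)  # assumed range

    @property
    def n(self) -> int:
        return len(self._targets)

    def reshuffle(self) -> None:
        """S230: shuffle the number -> host correspondence and re-arm the timer."""
        perm = self._targets[:]
        self._rng.shuffle(perm)
        self._map = {i: t for i, t in enumerate(perm)}
        self._schedule_next()

    def maybe_reshuffle(self) -> bool:
        """Call per packet or from a timer; reshuffles once T_pre + T_r has elapsed."""
        if self._clock() >= self.t_pre + self.t_r:
            self.reshuffle()
            return True
        return False

    def lookup(self, number: int) -> VirtualTarget:
        """Which virtual target host currently carries this dynamic protection number."""
        return self._map[number]

    def mapping(self) -> Dict[int, VirtualTarget]:
        return dict(self._map)


if __name__ == "__main__":
    demo = [VirtualTarget(f"vt-{i:02d}", f"node-{i % 3}", f"vnet{i}") for i in range(10)]
    table = DynamicProtectionTable(demo, rng=random.Random(7))
    print("T_r (s):", round(table.t_r, 1))
    print("before:", {k: v.host_id for k, v in table.mapping().items()})
    table.reshuffle()
    print("after: ", {k: v.host_id for k, v in table.mapping().items()})
```

Because `reshuffle` re-records T_pre and draws a fresh T_r, the third and later update points of the text fall out naturally; only the set of hosts stays fixed, never their numbering.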

As can be seen from the above, the dynamic protection method proposed here lets the target host keep changing over time, which increases the complexity and cost of an attack, limits the attacker's chances of discovering vulnerabilities, and achieves the protective effect of active defense.

To make the concept of the invention clearer, FIG. 3 is described next. FIG. 3 is a flowchart, according to an embodiment of the invention, of adaptively directing a network packet to one of the virtual target hosts according to its packet content. First, in step S301, the processor 104 determines whether a security alert notification has been received. If so, step S302 follows; otherwise step S303 follows.

In step S302, the processor 104 records the IP address corresponding to the security alert notification in a suspicious IP database. In step S303 the processor 104 receives a network packet, and in step S304 it parses the packet content, which may include the packet's destination IP, source IP and destination port, among others, but is not limited to these.

In one embodiment, when an attacker launches a port-scanning attack in a cloud environment, the method uses software-defined networking (SDN) technology to centrally control the flow of network packets and to parse the content of such attack packets, but the invention is not limited to this.

After step S304, the processor 104 determines in step S305 whether the suspicious IP database is empty (null). If so, step S310 follows; otherwise step S306 follows.

In step S306, the processor 104 determines whether the source IP has already been recorded in the suspicious IP database, that is, whether the packet's source IP previously triggered a security alert notification. If so, the packet may be an attack packet and is treated as a suspicious network packet, so the processor 104 performs steps S307, S308 and S309 to direct it to one of the target hosts.

In step S307, the processor 104 performs a hash operation on the packet content to produce a hash value. In step S308, it calculates a reference value from the hash value. In one embodiment, the processor 104 converts the hash value into a plurality of decimal American Standard Code for Information Interchange (ASCII) digits and sums them into a sum value. It then computes the remainder of the sum value divided by n (the number of virtual target hosts) and uses that remainder as the reference value. The reference value is therefore an integer between 0 and (n-1), i.e. it corresponds to one of the dynamic protection numbers. Then, in step S309, the packet is directed to the specific target host among the virtual target hosts whose dynamic protection number corresponds to the reference value.

For example, if the computed reference value is 3, the processor 104 looks up the dynamic protection table to find the virtual target host currently corresponding to dynamic protection number 3 and uses it as the specific target host. The processor 104 then obtains the network node and virtual network interface of that host from the table, forms a dynamic protection connection rule based on the OpenFlow protocol, and dispatches the rule to the flow table of the cloud virtual switch; the cloud virtual switch then changes the packet's original flow according to that rule, directing the packet to the network node and virtual network interface of the specific target host.

In short, when the processor 104 finds a suspicious network packet, it controls the packet's flow through the OpenFlow protocol, changing the packet's destination virtual network interface from the system service host it originally sought to the virtual target host in the dynamic protection table that corresponds to the reference value. In other words, the system service information an attacker obtains through a port-scanning attack is supplied by a decoy virtual target host, so the protected system service is spared the targeted vulnerability exploitation or advanced persistent threat (APT) attack that would otherwise follow the discovery of a vulnerability.

Moreover, as described in the previous embodiment, because the dynamic protection table is continually updated, even if the processor 104 computes the same reference value at different times, suspicious packets encountered at those different times may be directed to different virtual target hosts.

On the other hand, if in step S306 the source IP is not recorded in the suspicious IP database, the packet may not be suspicious, so the processor 104 performs step S310 to determine whether the packet's destination IP is a protected IP. If so, step S311 follows for further determination; otherwise step S313 follows. In this embodiment the method protects system service hosts, so the data of the protected system service hosts is stored at the outset. The IP of a protected system service host is then treated as a protected IP, and the ports open on that host are protected ports, but the invention is not limited to this.

In step S311, the processor 104 determines whether the packet's destination port is a protected port. If so, the packet is presumably not suspicious, and step S312 directs it to the protected system service host corresponding to the destination IP. In one embodiment the processor 104 forms a normal connection rule based on the OpenFlow protocol and dispatches it to the flow table of the cloud virtual switch, which then delivers the packet, according to that rule, to the (system service or other general) host corresponding to the destination IP.

If, on the other hand, the processor 104 determines in step S311 that the destination port is not a protected port, the packet is attempting to connect to a port that is not open, so it is treated as suspicious, and the processor 104 performs steps S307, S308 and S309 to direct it to one of the target hosts.

In step S313, the processor 104 determines whether the packet's destination IP belongs to any of the virtual target hosts. If so, step S314 blocks the packet; if not, step S315 follows. Specifically, a destination IP belonging to one of the virtual target hosts means that an attacker previously ran a port-scanning attack, was directed to one of the virtual target hosts, and obtained its IP address; the packet now being processed is therefore a new wave of attack launched directly against that virtual target host's IP address.

In other words, the processor 104 knows that the packet being processed is highly suspicious and can block and drop it directly. In one embodiment the processor 104 forms a dynamic protection blocking rule based on the OpenFlow protocol and dispatches it to the flow table of the cloud virtual switch, which then drops the packet according to that rule, thereby blocking it.

If, in step S313, the destination IP does not belong to any of the virtual target hosts, the packet is harmless traffic, and step S315 directs it to the host corresponding to the destination IP, allowing the connection. In different embodiments this host may be an unprotected system service host, another client host, or the like.
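The decision flow of FIG. 3 (steps S301 to S315), including the hash-to-reference-value computation of steps S307 and S308, as an added example that is not code from the patent or its assignee. It models the suspicious IP database, the protected host and port data stored up front, and the number-to-target mapping with plain Python data, and represents the resulting OpenFlow rule as a constructed `Rule` record; translating that record into real flow-mod messages is not shown. The packet fields, addresses, the choice of SHA-256 over the concatenated source IP, destination IP and destination port, and the `Action` names are assumptions for this example.

```python
"""Packet classification flow of FIG. 3 (added example)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional


class Action(Enum):
    FORWARD = "forward"    # S312/S315: deliver to the host at the destination IP
    REDIRECT = "redirect"  # S309: swap the destination to a virtual target host
    BLOCK = "block"        # S314: drop the packet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Constructed stand-in for a flow entry pushed to the cloud virtual switch."""
    action: Action
    match_src: str
    match_dst: str
    match_port: int
    new_dst: Optional[str] = None  # virtual target host IP for REDIRECT


def reference_value(packet: Packet, n: int, algorithm: str = "sha256") -> int:
    """S307/S308: hash the packet content, sum the decimal ASCII codes of the
    digest characters, and take the remainder modulo n (0..n-1)."""
    content = f"{packet.src_ip}|{packet.dst_ip}|{packet.dst_port}".encode()
    digest = hashlib.new(algorithm, content).hexdigest()
    total = sum(ord(ch) for ch in digest)
    return total % n


class ProtectionEngine:
    def __init__(self, protected_ports: Dict[str, Iterable[int]], targets: Dict[int, str]):
        # protected_ports: protected IP -> ports open on that host (S310/S311 data)
        # targets: dynamic protection number -> virtual target host IP (the table)
        self.protected = {ip: set(ports) for ip, ports in protected_ports.items()}
        self.targets = dict(targets)
        self.target_ips = set(self.targets.values())
        self.suspicious_ips = set()  # the suspicious IP database

    def on_security_alert(self, ip: str) -> None:
        """S301/S302: record the IP named in a security alert notification."""
        self.suspicious_ips.add(ip)

    def decide(self, packet: Packet) -> Rule:
        # S305/S306: database non-empty and source already recorded -> S307..S309
        if self.suspicious_ips and packet.src_ip in self.suspicious_ips:
            return self._redirect(packet)
        # S310: destination is a protected system service host?
        if packet.dst_ip in self.protected:
            # S311: open port -> normal connection (S312); closed port -> S307..S309
            if packet.dst_port in self.protected[packet.dst_ip]:
                return Rule(Action.FORWARD, packet.src_ip, packet.dst_ip, packet.dst_port)
            return self._redirect(packet)
        # S313: addressed directly to a virtual target host -> S314 block
        if packet.dst_ip in self.target_ips:
            return Rule(Action.BLOCK, packet.src_ip, packet.dst_ip, packet.dst_port)
        # S315: harmless traffic to an unprotected host
        return Rule(Action.FORWARD, packet.src_ip, packet.dst_ip, packet.dst_port)

    def _redirect(self, packet: Packet) -> Rule:
        number = reference_value(packet, len(self.targets))
        return Rule(Action.REDIRECT, packet.src_ip, packet.dst_ip, packet.dst_port,
                    new_dst=self.targets[number])


if __name__ == "__main__":
    # Constructed sample data: one protected host, three decoys.
    engine = ProtectionEngine({"10.0.0.10": {22, 443}},
                              {0: "10.0.9.1", 1: "10.0.9.2", 2: "10.0.9.3"})
    for pkt in (Packet("10.0.0.50", "10.0.0.10", 443),   # S312
                Packet("10.0.0.50", "10.0.0.10", 8080),  # closed port -> S309
                Packet("10.0.0.50", "10.0.9.2", 80),     # decoy addressed -> S314
                Packet("10.0.0.50", "10.0.0.99", 80)):   # S315
        print(pkt, "->", engine.decide(pkt))
```

Because the reference value depends only on the packet content, the same probe keeps landing on the same dynamic protection number until the table is reshuffled; which decoy that number names at the time is the table's business, which is the point made in the text about equal reference values at different times.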

In summary, the dynamic protection method and network protection server provided by the invention use SDN and OpenFlow technology to monitor and analyse the content of virtual network packets centrally. When a suspicious network packet is found, the network node can be switched, protecting the security of the service system in the SDN environment.

The method provided by the invention can detect port-scanning attacks and, after distinguishing normal from suspicious network packets, keep suspicious packets from reaching the protected service system.

In addition, by creating multiple virtual target hosts, an attacker can only obtain information about the virtual target hosts and cannot probe the data of the real service system host, which protects the service system hosts in the SDN environment.

Furthermore, the method continually updates the dynamic protection table, so the virtual target hosts keep changing over time, which increases the complexity and cost of an attack, limits the attacker's chances of discovering vulnerabilities, and achieves the protective effect of active defense.

Although the invention has been disclosed above by way of embodiments, they are not intended to limit it. Any person of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is defined by the appended claims.

Reference numerals: 100 network protection server; 102 storage circuit; 104 processor; S210~S240, S301~S315 steps.

FIG. 1 is a schematic diagram of a network protection server according to an embodiment of the invention. FIG. 2 is a flowchart of the dynamic protection method for a network node according to an embodiment of the invention. FIG. 3 is a flowchart, according to an embodiment of the invention, of adaptively directing a network packet to one of the aforementioned virtual target hosts according to the packet content of the network packet.


Claims (11)

1. A dynamic protection method for a network node, comprising: creating a dynamic protection table, wherein the dynamic protection table includes a plurality of virtual target hosts and a plurality of dynamic protection numbers corresponding to the virtual target hosts; recording a first time point at which the dynamic protection table is created, and generating an interval time; updating the correspondence between the virtual target hosts and the dynamic protection numbers at a second time point so as to update the dynamic protection table, wherein the second time point is the sum of the first time point and the interval time; and receiving a network packet and adaptively directing the network packet to one of the virtual target hosts according to the packet content of the network packet.

2. The method of claim 1, further comprising: in response to receiving a security alert notification, recording a connection Internet Protocol (IP) address corresponding to the security alert notification in a suspicious IP database.

3. The method of claim 2, wherein the packet content of the network packet includes a source IP, and the step of adaptively directing the network packet to one of the virtual target hosts according to its packet content comprises: in response to the suspicious IP database not being empty, determining whether the source IP has been recorded in the suspicious IP database; in response to the source IP having been recorded in the suspicious IP database, performing a hash operation on the packet content of the network packet to generate a hash value; calculating a reference value based on the hash value, wherein the reference value corresponds to one of the dynamic protection numbers; and directing the network packet to a specific target host among the virtual target hosts, wherein the specific target host corresponds to the reference value.

4. The method of claim 3, wherein the number of dynamic protection numbers is n, and the step of calculating the reference value based on the hash value comprises: converting the hash value into a plurality of decimal American Standard Code for Information Interchange (ASCII) digits; summing the ASCII digits into a sum value; and computing the remainder of the sum value divided by n and using the remainder as the reference value.

5. The method of claim 3, wherein the dynamic protection table further includes, for each virtual target host, a corresponding target host number, network node and virtual network interface, and the step of directing the network packet to the specific target host among the virtual target hosts comprises: obtaining the network node and the virtual network interface of the specific target host from the dynamic protection table; and forming a dynamic protection connection rule based on an OpenFlow protocol and dispatching the dynamic protection connection rule to a flow table of a cloud virtual switch, so that the cloud virtual switch changes the original flow of the network packet according to the dynamic protection connection rule in the flow table, directing the network packet to the network node and the virtual network interface of the specific target host.

6. The method of claim 2, wherein the packet content of the network packet includes a destination IP, and the step of adaptively directing the network packet to one of the virtual target hosts according to its packet content comprises: in response to the suspicious IP database being empty, determining whether the destination IP of the network packet belongs to a protected IP; in response to the destination IP of the network packet not belonging to the protected IP, determining whether the destination IP of the network packet belongs to any of the virtual target hosts; and in response to the destination IP of the network packet belonging to any of the virtual target hosts, blocking the network packet.

7. The method of claim 6, wherein the packet content of the network packet further includes a destination port, and, in response to the destination IP of the network packet belonging to the protected IP, the method further comprises: determining whether the destination port of the network packet belongs to a protected port; and in response to the destination port belonging to the protected port, directing the network packet to a protected system service host corresponding to the destination IP.
如申請專利範圍第7項所述的方法,其中反應於該目的通訊埠不屬於該受保護通訊埠,所述方法更包括: 對該網路封包的該封包內容執行一雜湊運算,以產生一雜湊值; 基於該雜湊值計算一參考值,其中該參考值對應於該些移動防護編號的其中之一; 將該網路封包導引至該些虛擬標靶主機的一特定標靶主機,其中該特定標靶主機對應於該參考值。 The method as described in item 7 of the patent application scope, in which the destination communication port does not belong to the protected communication port, the method further includes: Perform a hash operation on the packet content of the network packet to generate a hash value; Calculating a reference value based on the hash value, where the reference value corresponds to one of the mobile protection numbers; The network packet is directed to a specific target host of the virtual target hosts, where the specific target host corresponds to the reference value. 如申請專利範圍第6項所述的方法,其中反應於該網路封包的該目的IP不屬於該些虛擬標靶主機的任一,將該網路封包導引至對應於該目的IP的一主機。The method as described in item 6 of the patent application scope, wherein the destination IP reflected in the network packet does not belong to any of the virtual target hosts, and the network packet is directed to a destination corresponding to the destination IP Host. 如申請專利範圍第1項所述的方法,更包括: 在一第三時間點再次更新該些虛擬標靶主機與該些移動防護編號的對應關係,以再次更新該移動防護表,其中該第三時間點與該第二時間點間隔另一間隔時間。 The method described in item 1 of the patent application scope further includes: The correspondence between the virtual target hosts and the mobile protection numbers is updated again at a third time point to update the mobile protection table again, wherein the third time point is separated from the second time point by another interval. 
一種網路防護伺服器,包括: 一儲存電路,記錄多個模組;以及 一處理器,耦接該儲存電路,存取該些模組以執行下列步驟: 創建一移動防護表,其中該移動防護表包括多個虛擬標靶主機及對應於該些虛擬標靶主機的多個移動防護編號; 記錄創建該移動防護表的一第一時間點,並產生一間隔時間; 在一第二時間點更新該些虛擬標靶主機與該些移動防護編號的對應關係,以更新該移動防護表,其中該第二時間點為該第一時間點與該間隔時間的總和;以及 接收一網路封包,並依據該網路封包的封包內容適應性地將該網路封包導引至該些虛擬標靶主機的其中之一。 A network protection server, including: A storage circuit to record multiple modules; and A processor, coupled to the storage circuit, accesses the modules to perform the following steps: Create a mobile protection table, where the mobile protection table includes multiple virtual target hosts and multiple mobile protection numbers corresponding to the virtual target hosts; Record a first time point for creating the mobile protection table and generate an interval time; Updating the correspondence between the virtual target hosts and the mobile protection numbers at a second time point to update the mobile protection table, where the second time point is the sum of the first time point and the interval time; and Receive a network packet, and adaptively direct the network packet to one of the virtual target hosts according to the packet content of the network packet.
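The claims above describe a rotating table of virtual target hosts (claims 1 and 10), a hash-to-number mapping (claim 4) and a per-packet decision flow (claims 3 and 6 to 9). The following is an added illustration written for this page, not code from the patent or its applicant: it models those steps in Python with constructed sample addresses. Assumptions are labelled in the comments: SHA-256 as the unnamed hash function, a one-step rotation as the permutation, normal delivery for a non-suspicious source when the database is non-empty (a case the claims do not cover), and no modelling of the OpenFlow flow-table dispatch of claim 5.

```python
import hashlib


class DynamicProtectionTable:
    """Virtual target hosts and their rotating dynamic protection numbers (claims 1 and 10)."""

    def __init__(self, hosts, created_at, interval):
        self.hosts = list(hosts)        # virtual target host addresses (constructed sample values)
        self._order = list(hosts)       # number i currently maps to self._order[i]
        self.interval = interval
        self.next_update = created_at + interval   # second time point = first time point + interval

    def mapping(self):
        return {i: h for i, h in enumerate(self._order)}

    def maybe_rotate(self, now):
        """Re-map numbers to hosts once each interval has elapsed. A one-step rotation is an
        assumption here; the claims only require that the correspondence changes."""
        while now >= self.next_update:
            self._order = self._order[1:] + self._order[:1]
            self.next_update += self.interval      # third time point = second + another interval


def reference_value(packet_content, n):
    """Claim 4: hash the packet content, sum the decimal ASCII codes of the hash text, reduce mod n.
    SHA-256 is an assumption; the claims do not name the hash function."""
    digest = hashlib.sha256(packet_content).hexdigest()
    return sum(ord(c) for c in digest) % n


def route_packet(pkt, table, suspicious_ips, protected_ips, protected_ports):
    """Decision flow of claims 3 and 6-9 for one packet (a dict with src_ip, dst_ip, dst_port, raw).
    Returns a (decision, destination) pair."""

    def redirect():
        return ("redirect", table.mapping()[reference_value(pkt["raw"], len(table.hosts))])

    if suspicious_ips:                                  # claim 3: suspicious IP database not empty
        if pkt["src_ip"] in suspicious_ips:
            return redirect()
        return ("forward", pkt["dst_ip"])               # not covered by the claims; assumed normal delivery
    if pkt["dst_ip"] in protected_ips:                  # claims 6-8: database empty, protected destination
        if pkt["dst_port"] in protected_ports:
            return ("protected", pkt["dst_ip"])         # hand to the protected system service host
        return redirect()                               # unprotected port: send to a virtual target host
    if pkt["dst_ip"] in table.hosts:                    # claim 6: direct access to a virtual target host
        return ("block", None)
    return ("forward", pkt["dst_ip"])                   # claim 9: ordinary host, deliver as addressed
```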
TW108100516A 2019-01-07 2019-01-07 Dynamic protection method for network node and network protection server TWI682644B (en)
Publications (2)

Publication Number Publication Date
TWI682644B true TWI682644B (en) 2020-01-11
TW202027460A TW202027460A (en) 2020-07-16

Family

ID=69942489
Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561004A (en) * 2013-10-22 2014-02-05 西安交通大学 Cooperative type active defense system based on honey nets
CN104410617A (en) * 2014-11-21 2015-03-11 西安邮电大学 Information safety attack and defense system structure of cloud platform
US9628507B2 (en) * 2013-09-30 2017-04-18 Fireeye, Inc. Advanced persistent threat (APT) detection center
WO2018019010A1 (en) * 2016-07-25 2018-02-01 中兴通讯股份有限公司 Dynamic behavioral analysis method, device, system, and apparatus
US10015198B2 (en) * 2014-09-30 2018-07-03 Palo Alto Networks, Inc. Synchronizing a honey network configuration to reflect a target network environment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11455159B2 (en) 2020-07-28 2022-09-27 Goldman Sachs & Co. LLC Wirelessly updating field programmable gate arrays upon detection of hardware vulnerability
TWI786732B (en) * 2020-07-28 2022-12-11 美商高盛有限責任公司 Wirelessly updating field programmable gate arrays upon detection of hardware vulnerability
TWI799070B (en) * 2022-01-10 2023-04-11 碩壹資訊股份有限公司 System and method for securing protected host