TWI737506B - SYSTEM AND METHOD FOR IPv6 TRAFFIC DETECTION AND DEFENSE BASED ON SOFTWARE-DEFINED NETWORK - Google Patents


Info

Publication number: TWI737506B
Authority: TW (Taiwan)
Prior art keywords: traffic, ipv6, detection, software, defined network
Application number: TW109133999A
Other languages: Chinese (zh)
Other versions: TW202215816A (en)
Inventors: 曾家偉, 陳韋佑, 徐葦棻, 吳立凡, 朱彥如, 許世俊
Original assignee: 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Application filed by 中華電信股份有限公司
Priority to TW109133999A
Application granted
Publication of TWI737506B
Publication of TW202215816A


Abstract

A system and method for IPv6 traffic detection and defense based on a software-defined network (SDN). The method includes: pre-storing default rules on an SDN switch; receiving an IPv6 packet from a user device at the SDN switch; forwarding, by the SDN switch, traffic from the user device to a target server or a honeypot server when the IPv6 packet matches the default rules; forwarding, by the SDN switch, the traffic to a sandbox server when the IPv6 packet does not match the default rules, and generating corresponding mirror traffic that includes the current traffic; and determining, by the system, whether the current traffic is abnormal, instructing the SDN switch to forward the traffic to the target server when the traffic is normal, and instructing the SDN switch to block the traffic or forward it to the honeypot server when the traffic is abnormal.

Description

IPv6 traffic detection and defense system and method based on a software-defined network

The present invention relates to an IPv6 traffic detection and defense system and method based on a software-defined network (SDN).

The rapid development of Internet technology has brought an endless stream of network attacks, and network security has attracted more and more attention. Today's networks are static architectures. A static architecture gives an attacker a long time to probe the target server for vulnerabilities, so its security posture is a passive defense: for example, monitoring is used to detect attack traffic, vulnerabilities are patched, or security appliances are added to resist attacks. These measures are often defeated, and once an attack succeeds the attacker may even plant a backdoor on the target server; even after the vulnerability is patched, the attacker can still enter the server through the backdoor. Network administrators therefore spend a long time maintaining security appliances and servers to keep the system secure. For these reasons a static network architecture cannot cope with modern, intelligent, high-volume network attacks. In response to the diverse security threats of future networks, the upgrading and innovation of protective measures must accelerate; detection and defense are among the core problems facing network security today. Designing a more complete edge network security mechanism that detects and identifies malicious attack traffic and then provides differentiated security services is the goal of future network and information security development.

With the rapid development and adoption of IPv6, IPv6 security issues receive increasing attention, and the detection and defense of abnormal traffic in IPv6 environments has become an important research topic for future network management. Today the equipment used to detect and defend against abnormal behavior in IPv6 networks consists mainly of intrusion detection systems (IDS) and firewalls. A firewall performs access control on known IPv6 address targets or protocol service types, but cannot effectively judge whether the IPv6 packets that pass through it are abnormal. Current IDSs follow two main approaches: misuse detection and anomaly detection. Traditional IDSs are mostly based on misuse detection and identify malicious IPv6 attacks by signature matching. Besides the question of how well the IDS supports IPv6 signature rules, this type of IDS has the unavoidable drawback that the administrator must constantly update the signature database to keep up with variant malware. An IDS based on anomaly detection can detect new or specific types of IPv4 attack traffic, but because the protocols differ, reusing the existing IPv4 parameters does not readily yield corresponding IPv6 attack models and detection conditions. Changes in protocol types, address space, address format and prefix/mask format also greatly increase the complexity of detecting abnormal IPv6 traffic, and detection and defense capability against IPv6-specific attacks (for example IPv6 extension header attacks and ICMPv6 denial of service) is clearly insufficient. Moreover, regardless of how well an IDS or firewall supports IPv6, its deployment relies on manually written rules to stop malicious traffic. Administrators must therefore invest considerable time in updating and maintaining detection rules, and the rules are likely to contain blind spots that leave gaps; an attacker can exploit such rule gaps or human error and evade detection with modified malicious traffic, raising the network security risk. The conventional approaches thus have many shortcomings and are in urgent need of improvement.

The present invention provides a software-defined-network-based IPv6 traffic detection and defense system and method that strengthens IPv6 network security defense.

The purpose of the present invention is to provide a system and method for detecting and defending against IPv6 malicious attacks in a software-defined network (SDN) / network function virtualization (NFV) intelligent network environment. It applies feature engineering to IPv6 traffic and uses machine-learning classification to strengthen the IDS's ability to identify IPv6 attacks, improving the accuracy of abnormal IPv6 traffic detection. Building on SDN/NFV intelligent network technology, it implements a moving target defense (MTD) mechanism that strengthens IPv6 network security defense.

The present invention provides an IPv6 traffic detection and defense system based on a software-defined network, comprising a sandbox server, a target server, a honeypot server, a detection and defense device and an SDN switch. The SDN switch is coupled to the sandbox server, the target server, the honeypot server and the detection and defense device, and pre-stores preset rules. The SDN switch receives an IPv6 packet from a user terminal. When the IPv6 packet matches the preset rules, the SDN switch forwards the traffic from the user terminal to one of the target server and the honeypot server. When the IPv6 packet does not match the preset rules, the SDN switch forwards the traffic to the sandbox server and generates mirror traffic corresponding to the traffic, the mirror traffic including the current traffic. The detection and defense device obtains the mirror traffic from the SDN switch, judges whether the current traffic is abnormal, instructs the SDN switch to forward the traffic to the target server when the current traffic is normal, and instructs the switch to block the traffic or forward it to the honeypot server when the current traffic is abnormal.

In an embodiment of the present invention, the mirror traffic further includes historical traffic data comprising a plurality of labelled packets, and the detection and defense device is configured to: delete from the labelled packets those that do not conform to the IPv6 format, to obtain first labelled packets; convert the first labelled packets from IPv6 packet format to NetFlow format, the first labelled packets containing a plurality of feature values; standardize the feature values of the first labelled packets to produce first standardized labelled packets containing standardized feature values corresponding to those feature values; perform feature extraction on the first standardized labelled packets to select at least one of the standardized feature values; train a machine learning model on the selected standardized feature value(s); and judge whether the current traffic is abnormal according to the machine learning model.

In an embodiment of the present invention, the plurality of feature values includes a first feature value. When the first feature value belongs to a categorical feature, the detection and defense device maps it to a first class among a plurality of classes and generates a first vector according to that class; the first vector is the standardized first feature value corresponding to the first feature value and contains one element per class, the element corresponding to the first class being 1 and all other elements being 0 (a one-hot encoding). When the first feature value belongs to a numerical feature, the detection and defense device normalizes it to the range 0 to 1 to produce the standardized first feature value.

In an embodiment of the present invention, the plurality of feature values includes a set of values of a numerical feature, the set including a first feature value and a second feature value. When the second feature value is the largest in the set, the detection and defense device divides the first feature value by the second feature value to normalize the first feature value to the range 0 to 1.
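The pipeline of the three embodiments above (drop labelled packets that are not IPv6, aggregate into NetFlow-style flow records, one-hot encode categorical features and divide numerical features by their maximum, select features, train, classify), as an added Python example that is not part of the patent or of the assignee's code. The packet schema, the sample packets and the nearest-centroid classifier are constructed assumptions: the page names no concrete packet format and no particular learning algorithm, so any classifier could stand in for the last step.

```python
"""Feature-engineering pipeline for IPv6 flow classification (added example, not the patent's code)."""
import ipaddress
from collections import defaultdict
from math import dist

# Constructed labelled packets: (src, dst, proto, dst_port, bytes, label).
# The schema is an assumption; the patent names no concrete packet format.
LABELLED_PACKETS = [
    ("2001:db8::10", "2001:db8::1", "tcp", 443, 1200, "normal"),
    ("2001:db8::10", "2001:db8::1", "tcp", 443, 800, "normal"),
    ("2001:db8::11", "2001:db8::1", "udp", 53, 90, "normal"),
    ("2001:db8::bad", "2001:db8::1", "icmpv6", 0, 60, "abnormal"),
    ("2001:db8::bad", "2001:db8::1", "icmpv6", 0, 60, "abnormal"),
    ("2001:db8::bad", "2001:db8::1", "icmpv6", 0, 60, "abnormal"),
    ("192.0.2.5", "2001:db8::1", "tcp", 80, 500, "normal"),  # IPv4 source: must be dropped
]
CATEGORICAL = ("proto", "dst")
NUMERIC = ("dst_port", "packets", "bytes")


def drop_non_ipv6(packets):
    """Step 1: keep only labelled packets whose addresses both parse as IPv6."""
    kept = []
    for pkt in packets:
        try:
            if all(ipaddress.ip_address(a).version == 6 for a in pkt[:2]):
                kept.append(pkt)
        except ValueError:
            pass  # unparseable address: treat as non-IPv6 and drop
    return kept


def packets_to_flows(packets):
    """Step 2: aggregate packets into NetFlow-style records keyed on src/dst/proto/port."""
    flows = {}
    for src, dst, proto, dport, nbytes, label in packets:
        rec = flows.setdefault((src, dst, proto, dport), {
            "dst": dst, "proto": proto, "dst_port": dport,
            "packets": 0, "bytes": 0, "label": label})
        rec["packets"] += 1
        rec["bytes"] += nbytes
    return list(flows.values())


def fit_scaler(flows):
    """Learn the one-hot class lists and the per-feature maxima from the training flows."""
    return {"cats": {f: sorted({fl[f] for fl in flows}) for f in CATEGORICAL},
            "maxes": {f: max(fl[f] for fl in flows) or 1 for f in NUMERIC}}


def standardize(flow, scaler):
    """Step 3: categorical -> one-hot vector (1 for its class, 0 elsewhere);
    numerical -> value / max of the training set, clipped to 1 for unseen larger values."""
    names, values = [], []
    for f in CATEGORICAL:
        for cls in scaler["cats"][f]:
            names.append(f"{f}={cls}")
            values.append(1.0 if flow[f] == cls else 0.0)
    for f in NUMERIC:
        names.append(f)
        values.append(min(flow[f] / scaler["maxes"][f], 1.0))
    return names, values


def select_features(rows, names):
    """Step 4: keep only columns that vary; a constant column cannot separate classes."""
    keep = [i for i in range(len(names)) if len({r[i] for r in rows}) > 1]
    return keep, [names[i] for i in keep]


def train(labelled_packets):
    """Steps 1-5 on the historical data; the nearest-centroid model is an assumption."""
    flows = packets_to_flows(drop_non_ipv6(labelled_packets))
    scaler = fit_scaler(flows)
    names, rows = [], []
    for fl in flows:
        names, vec = standardize(fl, scaler)
        rows.append(vec)
    keep, kept_names = select_features(rows, names)
    grouped = defaultdict(list)
    for fl, row in zip(flows, rows):
        grouped[fl["label"]].append([row[i] for i in keep])
    centroids = {lab: [sum(c) / len(c) for c in zip(*vecs)] for lab, vecs in grouped.items()}
    return {"scaler": scaler, "keep": keep, "features": kept_names, "centroids": centroids}


def classify(model, flow):
    """Step 6: label the current flow by the nearest class centroid."""
    _, vec = standardize(flow, model["scaler"])
    vec = [vec[i] for i in model["keep"]]
    return min(model["centroids"], key=lambda lab: dist(vec, model["centroids"][lab]))
```

With the constructed data the one-hot column for the single destination address is constant and is removed by the selection step, leaving six features; an ICMPv6 flow with a higher packet count than anything seen in training is clipped to 1 and still lands on the abnormal centroid. The maxima and class lists are learnt once from the historical data and reused for current traffic, which is the detail that keeps training and inference on the same scale.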

In an embodiment of the present invention, when the detection and defense device instructs the SDN switch to forward the traffic to the target server, it adds a first rule to the preset rules, the first rule instructing the SDN switch to forward data from the user terminal to the target server.

In an embodiment of the present invention, when the detection and defense device instructs the SDN switch to block the IPv6 traffic, it adds a second rule to the preset rules, the second rule instructing the SDN switch to block data from the IPv6 user terminal.

In an embodiment of the present invention, when the detection and defense device instructs the SDN switch to forward the traffic to the honeypot server, it adds a third rule to the preset rules, the third rule instructing the SDN switch to forward data from the user terminal to the honeypot server.

In an embodiment of the present invention, the detection and defense device is configured to: upon judging the current traffic abnormal, judge whether the traffic volume associated with the current traffic exceeds a volume threshold; when the volume exceeds the threshold, instruct the SDN switch to block the traffic; when the volume is less than or equal to the threshold, judge whether the user terminal corresponding to the current traffic matches an IPv6 blacklist pre-stored in the detection and defense device; and when the user terminal matches the blacklist, instruct the SDN switch to forward the traffic to the honeypot server.

In an embodiment of the present invention, after the detection and defense device judges whether the current traffic is abnormal, the SDN switch updates the preset rules according to the current traffic.

The present invention also provides an SDN-based IPv6 traffic detection and defense method, comprising: coupling an SDN switch to a sandbox server, a target server, a honeypot server and a detection and defense device, and pre-storing preset rules on the SDN switch; receiving, at the SDN switch, a packet from a user terminal; forwarding, by the SDN switch, the traffic from the user terminal to one of the target server and the honeypot server when the IPv6 packet matches the preset rules; forwarding, by the SDN switch, the traffic to the sandbox server when the IPv6 packet does not match the preset rules, and generating mirror traffic corresponding to the traffic, the mirror traffic including the current traffic; and obtaining, by the detection and defense device, the mirror traffic from the SDN switch, judging whether the current traffic is abnormal, instructing the SDN switch to forward the traffic to the target server when the current traffic is normal, and instructing the SDN switch to block the traffic or forward it to the honeypot server when the current traffic is abnormal.

In an IPv6 environment, accurately identifying abnormal IPv6 traffic from the features and behavior patterns of the traffic is the focus of IPv6 attack detection. The present invention uses machine learning to recognize unknown IPv6 traffic, so detection rules need not be written by hand. Machine learning can learn to distinguish legitimate from malicious traffic from a large body of known IPv6 traffic; this addresses the gaps introduced by hand-written rules and reduces the manpower spent maintaining them. Machine learning mainly uses statistical methods to summarize and establish normal patterns, then applies algorithms such as classification or regression to the samples of a data set, building a model of IPv6 attack behavior classes from the relationship between features and labels, which serves as the basis for identification. Besides detecting IPv6 attacks with machine learning, a new defense strategy is needed to defend against IPv6 network attacks effectively. The present invention adopts a moving target defense strategy, which diverts the attacker's malicious IPv6 traffic through a dynamic network architecture. Much current research implements moving target defense through relay nodes or proxy servers, but once an attacker performs reconnaissance and learns the exact target server information, such a defense collapses.

In the coming 5G all-IP network era, SDN/NFV is regarded as the most forward-looking technology; the programmable networks and virtualized network functions it provides are the foundation of intelligent network development. Future IPv6 network security architectures will evolve toward programmability and virtualization, and combining SDN/NFV technology to realize IPv6 moving target defense and to develop innovative IPv6 network security service models is a focus of future IPv6 defense research. The present invention proposes an IPv6 network security system that integrates IDS signature recognition with machine learning classification to improve the accuracy of abnormal IPv6 traffic detection, and uses SDN/NFV to implement a moving target defense mechanism that strengthens IPv6 network security defense.

FIG. 1 is a schematic diagram of an SDN-based IPv6 traffic detection and defense system 10 and a user terminal 20 according to an embodiment of the present invention. The IPv6 traffic detection and defense system 10 may include a detection and defense device 100, an SDN switch 200, a sandbox server 300, a target server 400 and a honeypot server 500.

The SDN switch 200 is, for example, an OpenFlow switch that forwards IPv6 traffic according to rules expressed in OpenFlow IPv6 match fields. The SDN switch 200 can establish a software-defined network, which external terminal devices access by connecting to the SDN switch 200. The SDN switch 200 may include at least a transceiver circuit, an analog-to-digital (A/D) / digital-to-analog (D/A) converter, a processing circuit, an optional memory circuit, or one or more antenna units, but the invention is not limited thereto. The SDN switch 200 is communicatively connected to the detection and defense device 100, the sandbox server 300, the target server 400, the honeypot server 500 and the user terminal 20. The SDN switch 200 pre-stores preset rules; when traffic passes through it, the switch manages the forwarding path of that traffic according to the preset rules.

The sandbox server 300 handles unknown IPv6 traffic and provides a test environment for it, so that traffic in the sandbox cannot affect the target server 400. The sandbox server 300 has the components needed to run it, such as a processing unit (for example a CPU), a communication unit (for example various communication interfaces, Ethernet, mobile or Wi-Fi wireless) and a storage unit (for example removable random access memory, flash memory or a hard disk), none of which is limiting.

The target server 400 serves legitimate user terminals. Because the software that serves user terminals resides mainly on the target server 400, it is the main asset the IPv6 traffic detection and defense system 10 protects; the detection and defense device 100 of the present invention keeps malicious IPv6 traffic from reaching it. The target server 400 has the components needed to run it, such as a processing unit (for example a CPU), a communication unit (for example various communication interfaces, Ethernet, mobile or Wi-Fi wireless) and a storage unit (for example removable random access memory, flash memory or a hard disk), none of which is limiting.

The honeypot server 500 attracts the IPv6 attacker's traffic so that malicious traffic cannot attack the target server 400 directly. The honeypot server 500 has the components needed to run it, such as a processing unit (for example a CPU), a communication unit (for example various communication interfaces, Ethernet, mobile or Wi-Fi wireless) and a storage unit (for example removable random access memory, flash memory or a hard disk), none of which is limiting.

The user terminal 20 may be, without limitation, a desktop computer, notebook computer, network computer, telephone, pager, camera, television, handheld game console or any other client electronic device that communicates over IP. The user terminal 20 may include at least a transceiver circuit, an analog-to-digital (A/D) / digital-to-analog (D/A) converter, a processing circuit, an optional memory circuit, or one or more antenna units, but the invention is not limited thereto.

The detection and defense device 100 configures the SDN switch 200 to manage the IPv6 traffic forwarding paths in the software-defined network. In this embodiment, the detection and defense device 100 judges the nature of the IPv6 traffic from the user terminal 20 and directs the terminal's traffic or data to one of the sandbox server 300, the target server 400 and the honeypot server 500. FIG. 2 is a schematic diagram of the detection and defense device 100 according to an embodiment of the present invention. The detection and defense device 100 may include a controller 110, a storage medium 120 and a transceiver 130.

The controller 110 is, for example, an SDN programmable controller, a central processing unit (CPU), or another programmable general-purpose or special-purpose micro control unit (MCU), microprocessor, digital signal processor (DSP), programmable controller, application-specific integrated circuit (ASIC), graphics processing unit (GPU), image signal processor (ISP), image processing unit (IPU), arithmetic logic unit (ALU), complex programmable logic device (CPLD), field-programmable gate array (FPGA), or a similar element or combination of such elements. The controller 110 is coupled to the storage medium 120 and the transceiver 130, and accesses and executes the modules and application programs stored in the storage medium 120.

The storage medium 120 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid-state drive (SSD), or a similar element or combination of such elements, and stores the modules and application programs executed by the controller 110. The storage medium 120 stores functional modules including a capture and classification module 121, a feature engineering module 122, an analysis module 123 and a moving target defense module 124, whose functions are described below. In one embodiment, the storage medium 120 pre-stores an IPv6 blacklist listing one or more IPv6 user terminals.

The transceiver 130 transmits and receives signals, wired or wireless, over a communication interface (for example Ethernet, mobile or Wi-Fi wireless). The detection and defense device 100 is communicatively connected to the switch 200 through the transceiver 130.

FIG. 3 is a flow chart of an SDN-based IPv6 traffic detection and defense method according to an embodiment of the present invention. In step S301, the SDN switch 200 receives an IPv6 packet from the user terminal 20. In step S302, the SDN switch 200 judges whether the IPv6 packet matches the preset rules pre-stored in the SDN switch 200. If it matches, the user terminal 20 that sent the packet is already known to the switch 200, and the flow proceeds to step S303.

In step S303, the SDN switch 200 forwards the traffic from the user terminal 20 to the target server 400 or the honeypot server 500. Specifically, from the IPv6 packet and the preset rules the SDN switch 200 determines whether the user terminal 20 is a malicious or a non-malicious IPv6 user: traffic from a malicious user is forwarded to the honeypot server 500, and traffic from a non-malicious user to the target server 400. If instead the IPv6 packet does not match the preset rules, the user terminal 20 that sent it is unknown to the SDN switch 200, and the flow proceeds to step S304.

In step S304, the SDN switch 200 forwards the traffic from the user terminal 20 to the sandbox server 300 and copies the traffic to produce corresponding mirror traffic, which it sends to the detection and defense device 100. The detection and defense device 100 receives the mirror traffic through the transceiver 130; the mirror traffic may include historical traffic data as well as the current traffic.

In step S305, the analysis module 123 of the detection and defense device 100 determines whether the current traffic is abnormal. If the current traffic is normal, the flow proceeds to step S306; if it is abnormal, the flow proceeds to step S307. Specifically, the analysis module 123 makes this determination with a machine learning model trained on the historical traffic data.

In step S306, the moving-target defense (MTD) module 124 of the detection and defense device 100 sends a command to the switch 200 through the transceiver 130, instructing the switch 200 to forward the traffic from the user terminal 20 to the target server 400.

In step S307, the analysis module 123 of the detection and defense device 100 determines whether the traffic volume associated with the current traffic is greater than a volume threshold. If the volume is greater than the threshold, the flow proceeds to step S308; if it is less than or equal to the threshold, the flow proceeds to step S309.

In step S308, the MTD module 124 of the detection and defense device 100 sends a command to the switch 200 through the transceiver 130, instructing the SDN switch 200 to block the traffic from the user terminal 20. This prevents a large volume of abnormal traffic from affecting the operation of the software-defined network.

In step S309, the analysis module 123 of the detection and defense device 100 determines whether the user terminal 20 corresponding to the current traffic matches an IPv6 blacklist pre-stored in the detection and defense device 100. If the user terminal 20 matches the IPv6 blacklist, the flow proceeds to step S310; if it does not, the flow proceeds to step S311.

In step S310, the MTD module 124 of the detection and defense device 100 sends a command to the SDN switch 200 through the transceiver 130, instructing the SDN switch 200 to forward the traffic from the user terminal 20 to the honeypot server 500. Because the detection and defense device 100 already knows that the user terminal 20 is a malicious IPv6 user terminal, it steers the user terminal 20 to the honeypot server 500, so that the user of the terminal concentrates on attacking the honeypot server 500 and ignores the target server 400.

In step S311, the MTD module 124 of the detection and defense device 100 sends a command to the SDN switch 200 through the transceiver 130, instructing the switch 200 to forward the traffic from the user terminal 20 to the target server 400.

In step S312, the MTD module 124 of the detection and defense device 100 sends a command to the SDN switch 200 through the transceiver 130, instructing the SDN switch 200 to update the preset rules according to the current traffic. Specifically, when the MTD module 124 has instructed the SDN switch 200 to forward the traffic from the user terminal 20 to the target server 400 (step S306), it instructs the SDN switch 200 through the transceiver 130 to add a first rule to the preset rules; the first rule instructs the SDN switch 200 to forward future traffic or data from the user terminal 20 to the target server 400. When the MTD module 124 has instructed the SDN switch 200 to block the traffic from the user terminal 20 (step S308), it instructs the SDN switch 200 through the transceiver 130 to add a second rule to the preset rules; the second rule instructs the SDN switch 200 to block future traffic or data from the user terminal 20. When the MTD module 124 has instructed the SDN switch 200 to forward the traffic from the user terminal 20 to the honeypot server 500 (step S310), it instructs the SDN switch 200 through the transceiver 130 to add a third rule to the preset rules; the third rule instructs the switch 200 to forward future traffic or data from the user terminal 20 to the honeypot server 500. In one embodiment, the MTD module 124 reads the source IPv6 address of received traffic or data to determine whether its source is the user terminal 20.
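The following is an added example, not code from the patent or its applicant, that simulates the Fig. 3 decision flow (steps S301 to S312) as a small Python model. The rule table keyed by source address, the volume threshold, the blacklist contents, and the `syn_heavy` function standing in for the S305 machine learning model are all assumptions made for this illustration; the class and function names are this example's own.

```python
# Added example (not the patent's own code): a simulation of the Fig. 3
# decision flow. The rule table, the threshold, the blacklist and the
# "is_abnormal" stand-in for the S305 machine-learning model are all
# assumptions made for this illustration.
import ipaddress

TARGET, HONEYPOT, BLOCK = "target", "honeypot", "block"


def canon(addr):
    """Canonical text form, so "2001:DB8::10" and "2001:db8::10" hit one rule."""
    return str(ipaddress.IPv6Address(addr))


class SdnSwitch:
    """Switch 200 with its pre-stored rule table: source address -> action."""

    def __init__(self, preset_rules):
        self.rules = {canon(a): act for a, act in preset_rules.items()}

    def match(self, src):                       # step S302
        return self.rules.get(canon(src))

    def add_rule(self, src, action):            # step S312
        self.rules[canon(src)] = action


class DetectionDevice:
    """Device 100: anomaly judgment (S305), volume threshold (S307), blacklist (S309)."""

    def __init__(self, is_abnormal, flow_threshold, blacklist):
        self.is_abnormal = is_abnormal          # stand-in for the trained model
        self.flow_threshold = flow_threshold
        self.blacklist = {canon(a) for a in blacklist}

    def decide(self, src, flow_bytes, features):
        if not self.is_abnormal(features):      # S305 normal -> S306
            return TARGET
        if flow_bytes > self.flow_threshold:    # S307 above threshold -> S308
            return BLOCK
        if canon(src) in self.blacklist:        # S309 blacklisted -> S310
            return HONEYPOT
        return TARGET                           # S311


def handle_traffic(switch, device, src, flow_bytes, features):
    """Returns (action applied to the traffic, whether the rule table was updated)."""
    action = switch.match(src)
    if action is not None:                      # S303: known terminal
        return action, False
    # S304: unknown terminal; traffic goes to the sandbox while the mirror copy is
    # judged by the device, whose verdict becomes a new first/second/third rule.
    action = device.decide(src, flow_bytes, features)
    switch.add_rule(src, action)
    return action, True


def syn_heavy(features):
    """Constructed stand-in for the model: flags a flow whose SYN share is unusually high."""
    return features.get("syn_ratio", 0.0) > 0.9


def run_demo():
    """Constructed scenario covering every branch of Fig. 3."""
    switch = SdnSwitch({"2001:db8::10": TARGET, "2001:db8::bad": HONEYPOT})
    device = DetectionDevice(syn_heavy, flow_threshold=10_000_000,
                             blacklist={"2001:db8:dead::1"})
    normal, attack = {"syn_ratio": 0.1}, {"syn_ratio": 0.98}
    results = [
        handle_traffic(switch, device, "2001:DB8::10", 500, normal),         # known, good
        handle_traffic(switch, device, "2001:db8::bad", 500, normal),        # known, malicious
        handle_traffic(switch, device, "2001:db8::20", 500, normal),         # unknown, normal
        handle_traffic(switch, device, "2001:db8::30", 50_000_000, attack),  # unknown, flood
        handle_traffic(switch, device, "2001:db8:dead::1", 500, attack),     # unknown, listed
        handle_traffic(switch, device, "2001:db8::40", 500, attack),         # unknown, unlisted
        handle_traffic(switch, device, "2001:db8::30", 10, normal),          # now a known block
    ]
    return results, switch.rules


if __name__ == "__main__":
    for result in run_demo()[0]:
        print(result)
```

The last call in `run_demo` shows the effect of step S312: once the second rule for the flooding terminal has been added, its later packets are handled by the switch alone (step S303) and never reach the sandbox or the detection device again. Canonicalizing addresses before every lookup matters in practice, because the same IPv6 address has several equivalent textual forms and a rule written in one form must still match packets logged in another.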

The analysis module 123 of the detection and defense device 100 determines whether the current traffic is abnormal with a machine learning model. Fig. 4 is a flow chart of training the machine learning model according to an embodiment of the invention. In step S401, the capture and classification module 121 of the detection and defense device 100 obtains the mirror traffic corresponding to the user terminal 20, which may include historical traffic data. The historical traffic data may include a plurality of labelled packets, each of which carries feature information indicating whether the packet is an abnormal IPv6 packet.

In step S402, the capture and classification module 121 of the detection and defense device 100 deletes from the plurality of labelled packets those that do not conform to the IPv6 format, obtaining the set of labelled packets used for training the machine learning model. In other words, every labelled packet in the set conforms to the IPv6 format.

In step S403, the capture and classification module 121 of the detection and defense device 100 converts each labelled packet in the set from the IPv6 format to the NetFlow format. Each labelled packet in the set then includes a plurality of feature values, each corresponding to either a categorical feature or a numerical feature, for example source IPv6 address, destination IPv6 address, source port number, destination port number, next hop address, NetFlow duration, time at start of flow, time at end of flow, Transmission Control Protocol (TCP) flags, transport layer protocol number, IP type of service, packet count or byte count; the invention is not limited to these.
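As an added example for steps S402 and S403 (not code from the patent), the block below filters a constructed list of labelled packets down to IPv6 packets and aggregates them into NetFlow-style flow records keyed by the 5-tuple. The packet field names, the sample addresses and timestamps, and the labelling convention (a flow is marked abnormal if any of its packets is) are assumptions of this example; only a subset of the fields the patent lists (addresses, ports, protocol number, start and end time, duration, cumulative TCP flags, packet and byte counts) is derived here.

```python
# Added example (not the patent's own code): steps S402/S403, dropping
# non-IPv6 labelled packets and aggregating the rest into NetFlow-style
# records. The packet fields and sample values are constructed for this
# illustration; only a subset of the fields the patent lists is derived.
import ipaddress
from collections import OrderedDict

# Constructed sample of labelled packets: label 1 = marked abnormal, 0 = normal.
PACKETS = [
    {"ts": 1.00, "src": "2001:db8::10", "dst": "2001:db8::53", "sport": 51000,
     "dport": 443, "proto": 6, "bytes": 60, "flags": 0x02, "label": 0},
    {"ts": 1.05, "src": "2001:db8::10", "dst": "2001:db8::53", "sport": 51000,
     "dport": 443, "proto": 6, "bytes": 52, "flags": 0x10, "label": 0},
    {"ts": 1.30, "src": "2001:db8::10", "dst": "2001:db8::53", "sport": 51000,
     "dport": 443, "proto": 6, "bytes": 1200, "flags": 0x18, "label": 0},
    # IPv4 packet: not IPv6 format, removed in step S402
    {"ts": 2.00, "src": "192.0.2.7", "dst": "192.0.2.53", "sport": 40000,
     "dport": 53, "proto": 17, "bytes": 70, "flags": 0, "label": 0},
    # ICMPv6 (protocol 58) to the all-nodes multicast group, marked abnormal
    {"ts": 3.00, "src": "fe80::1", "dst": "ff02::1", "sport": 0,
     "dport": 0, "proto": 58, "bytes": 86, "flags": 0, "label": 1},
    {"ts": 3.50, "src": "fe80::1", "dst": "ff02::1", "sport": 0,
     "dport": 0, "proto": 58, "bytes": 86, "flags": 0, "label": 1},
]


def is_ipv6_packet(pkt):
    """Step S402 filter: both addresses must parse as IPv6."""
    try:
        return (ipaddress.ip_address(pkt["src"]).version == 6
                and ipaddress.ip_address(pkt["dst"]).version == 6)
    except ValueError:          # malformed address text
        return False


def packets_to_flows(packets):
    """Step S403: group packets by 5-tuple into NetFlow-style flow records."""
    flows = OrderedDict()       # keeps first-seen order for stable output
    for p in packets:
        if not is_ipv6_packet(p):
            continue
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        f = flows.get(key)
        if f is None:
            f = flows[key] = {
                "src_ip": p["src"], "dst_ip": p["dst"],
                "src_port": p["sport"], "dst_port": p["dport"], "proto": p["proto"],
                "start": p["ts"], "end": p["ts"],
                "packets": 0, "bytes": 0, "tcp_flags": 0, "label": 0,
            }
        f["start"] = min(f["start"], p["ts"])
        f["end"] = max(f["end"], p["ts"])
        f["packets"] += 1
        f["bytes"] += p["bytes"]
        f["tcp_flags"] |= p["flags"]              # cumulative OR, as NetFlow does
        f["label"] = max(f["label"], p["label"])  # any abnormal packet marks the flow
    for f in flows.values():
        f["duration"] = round(f["end"] - f["start"], 3)
    return list(flows.values())


if __name__ == "__main__":
    for flow in packets_to_flows(PACKETS):
        print(flow)
```

Two details are worth noting for anyone reproducing the training set. The TCP flags field is the OR of all flags seen in the flow, which is how NetFlow exporters report it, so a flow containing a SYN, an ACK and a PSH/ACK carries 0x1a. And the filter in `is_ipv6_packet` rejects malformed address strings as well as IPv4 ones, so a corrupted record cannot reach the feature-engineering stage.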

In step S404, the feature engineering module 122 of the detection and defense device 100 standardizes the feature values of each labelled packet in the set, producing a set of standardized labelled packets. Each standardized labelled packet includes a plurality of standardized feature values corresponding respectively to the plurality of feature values.

Fig. 5 is a flow chart of the standardization of feature values by the feature engineering module 122 according to an embodiment of the invention. The feature engineering module 122 standardizes a feature value to produce a standardized feature value. In step S501, the feature engineering module 122 determines whether the feature value to be standardized corresponds to a categorical feature (for example an IPv6 address or the TCP/UDP transport protocol) or to a numerical feature (for example 100, 200 or 500). If the feature value corresponds to a categorical feature, the flow proceeds to step S502; if it corresponds to a numerical feature, the flow proceeds to step S504.

In step S502, the feature engineering module 122 converts the feature value into one of a plurality of classes according to a pre-stored mapping table, where a class can be presented as text. Table 1 gives examples of feature values of the categorical feature "IPv6 address" and the classes corresponding to them.

Table 1
Feature value (IPv6 address)    Class
FE80::5480:E980:1000:201A       linklocal
2001:0:68:1234::2               global
02::1                           multicast

In step S503, the feature engineering module 122 of the detection and defense device 100 generates a vector corresponding to the feature value according to its class; this vector is the standardized feature value. In one embodiment, the vector includes a plurality of elements corresponding respectively to the plurality of classes, among them the element corresponding to the feature value and the other elements. The feature engineering module 122 sets the element corresponding to the feature value to "1" and the other elements to "0". Table 2 gives examples of classes and the vectors generated from them. In Table 2, the first element of the vector corresponds to the class "linklocal", the second to the class "global" and the third to the class "multicast".

Table 2
Class        Vector (standardized feature value)
linklocal    [1,0,0]
global       [0,1,0]
multicast    [0,0,1]

In step S504, the feature engineering module 122 of the detection and defense device 100 normalizes the feature value (that is, a feature value corresponding to a numerical feature) into the range 0 to 1 to produce the standardized feature value. In one embodiment, the plurality of feature values includes a set of feature values corresponding to numerical features, and the set includes a first feature value and a second feature value. When the second feature value is the largest in the set, the feature engineering module 122 divides the first feature value by the second, thereby normalizing the first feature value into the range 0 to 1; the second feature value itself is normalized to 1. Table 3 gives the feature values of several numerical features of a labelled packet and the standardized feature values produced by normalizing them. As Table 3 shows, the feature value of numerical feature #3 is larger than those of the other numerical features, so the feature engineering module 122 divides the feature value of every numerical feature by that of feature #3 to normalize each into the range 0 to 1.

Table 3
Numerical feature    Feature value    Standardized feature value
#1                   120              0.24
#2                   200              0.4
#3                   500              1
#4                   80               0.16
#5                   250              0.5
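The block below is an added example, not the patent's code, implementing the Fig. 5 standardization (steps S501 to S504) for the two kinds of feature the text names. The patent does not reproduce its pre-stored mapping table, so the prefix-based table here (link-local fe80::/10, multicast ff00::/8, global unicast 2000::/3, the address types of RFC 4291) is an assumption standing in for it; the three classes and their vector order follow Table 2, and the numeric rule reproduces Table 3. Function names are this example's own.

```python
# Added example (not the patent's own code): the Fig. 5 standardisation of
# feature values. The prefix-based mapping table below is an assumption
# standing in for the patent's pre-stored mapping table; the three classes
# follow Table 2, and the numeric rule follows Table 3.
import ipaddress

# Assumed mapping table: address range -> text class (RFC 4291 address types).
ADDRESS_MAP = [
    (ipaddress.IPv6Network("fe80::/10"), "linklocal"),
    (ipaddress.IPv6Network("ff00::/8"), "multicast"),
    (ipaddress.IPv6Network("2000::/3"), "global"),
]
# Element order of the one-hot vector, matching Table 2.
CLASSES = ["linklocal", "global", "multicast"]


def classify_ipv6(value):
    """Step S502: categorical IPv6 address -> text class."""
    addr = ipaddress.IPv6Address(value)
    for net, cls in ADDRESS_MAP:
        if addr in net:
            return cls
    # Addresses outside the table cannot be encoded with the fixed-length vector;
    # the caller should drop the packet, as step S402 drops non-IPv6 packets.
    raise ValueError(f"no class in mapping table for {value}")


def one_hot(cls, classes=CLASSES):
    """Step S503: 1 at the element of the matching class, 0 elsewhere."""
    if cls not in classes:
        raise ValueError(f"unknown class {cls}")
    return [1 if c == cls else 0 for c in classes]


def normalize_numeric(values):
    """Step S504: divide every value by the set's largest; the largest becomes 1."""
    largest = max(values)
    if largest <= 0:        # all-zero counts: nothing to scale, avoid division by zero
        return [0.0 for _ in values]
    return [round(v / largest, 4) for v in values]


def standardize_record(categorical, numeric):
    """One labelled packet -> flat standardized vector (one-hot blocks, then 0..1 values).

    categorical: IPv6 address strings (step S501 routes them to S502/S503);
    numeric: the packet's numerical feature values (routed to S504)."""
    vector = []
    for value in categorical:
        vector.extend(one_hot(classify_ipv6(value)))
    vector.extend(normalize_numeric(numeric))
    return vector


if __name__ == "__main__":
    # Constructed record: link-local source, multicast destination, Table 3 numbers.
    print(standardize_record(["fe80::5480:e980:1000:201a", "ff02::1"],
                             [120, 200, 500, 80, 250]))
```

Note that `normalize_numeric` follows Table 3 literally: the numerical feature values of one packet are all divided by the largest among them. A practitioner extending this to other categorical features, such as the transport protocol mentioned in step S501, only needs another mapping table and class list; the one-hot step is the same.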

Returning to Fig. 4, after the set of standardized labelled packets has been obtained, in step S405 the feature engineering module 122 performs feature extraction on each standardized labelled packet in the set, selecting from its plurality of standardized feature values at least one standardized feature value to be used for training the machine learning model.

In step S406, the feature engineering module 122 trains the machine learning model on the at least one standardized feature value. For example, the feature engineering module 122 may train the model with algorithms such as Decision Tree (DT), K-Nearest Neighbor (KNN) or Deep Neural Networks (DNN); the invention is not limited to these.

Compared with conventional techniques, the intelligent-network IPv6 traffic detection and defense system and method provided by the invention have the following benefits and advantages:

The invention analyzes and discriminates malicious traffic in user-side IPv6 traffic with advanced IPv6 detection and defense techniques, effectively distinguishing normal from abnormal IPv6 traffic; combined with the MTD (moving-target defense) mechanism, this strengthens the efficiency and application of IPv6 security threat detection and defense.

The invention provides IPv6 traffic feature-engineering capability for building an IPv6 traffic data set from which a classification model is produced. Unknown IPv6 traffic can be handed to the IPv6 traffic classification model for classification, which serves as a basis for the development of IPv6 machine learning.

The invention uses machine learning classification to strengthen IDS identification and detection of IPv6 attacks, provides multiple judgment conditions for IPv6 attack traffic, and analyzes abnormal packets, abnormal traffic volume and abnormal users, strengthening the ability to identify abnormal IPv6 traffic.

The invention realizes an MTD mechanism through SDN/NFV technology that substitutes and changes the path of IPv6 traffic: malicious IPv6 traffic can be blocked outright, or suspicious IPv6 packets and abnormal users can be steered to the honeypot server for further analysis of IPv6 attack traffic types and patterns, strengthening the security protection of the IPv6 network environment.

10: IPv6 traffic detection and defense system
100: detection and defense device
110: controller
120: storage medium
121: capture and classification module
122: feature engineering module
123: analysis module
124: moving-target defense (MTD) module
130: transceiver
20: user terminal
200: software-defined network switch
300: sandbox server
400: target server
500: honeypot server
S301, S302, S303, S304, S305, S306, S307, S308, S309, S310, S311, S312, S401, S402, S403, S404, S405, S406, S501, S502, S503, S504: steps

Fig. 1 is a schematic diagram of an SDN-based IPv6 traffic detection and defense system and a user terminal according to an embodiment of the invention.
Fig. 2 is a schematic diagram of the detection and defense device according to an embodiment of the invention.
Fig. 3 is a flow chart of an SDN-based IPv6 traffic detection and defense method according to an embodiment of the invention.
Fig. 4 is a flow chart of training the machine learning model according to an embodiment of the invention.
Fig. 5 is a flow chart of the standardization of feature values by the feature engineering module according to an embodiment of the invention.


Claims (10)

1. A software-defined-network-based IPv6 traffic detection and defense system, comprising: a sandbox server; a target server; a honeypot server; a detection and defense device; and a software-defined network switch coupled to the sandbox server, the target server, the honeypot server and the detection and defense device, and pre-storing preset rules; wherein the software-defined network switch receives an IPv6 packet from a user terminal; wherein, in response to the IPv6 packet matching the preset rules, the software-defined network switch forwards traffic from the user terminal to one of the target server and the honeypot server; wherein, in response to the IPv6 packet not matching the preset rules, the software-defined network switch forwards the traffic to the sandbox server and generates mirror traffic corresponding to the traffic, the mirror traffic comprising current traffic; wherein the detection and defense device obtains the mirror traffic from the software-defined network switch, determines whether the current traffic is abnormal, instructs the software-defined network switch to forward the traffic to the target server in response to the current traffic being normal, and instructs the software-defined network switch to block the traffic or forward the traffic to the honeypot server in response to the current traffic being abnormal; wherein the mirror traffic further comprises historical traffic data, the historical traffic data comprising a plurality of labelled packets; and wherein the detection and defense device is configured to: delete, from the plurality of labelled packets, labelled packets that do not conform to the IPv6 format to obtain a first labelled packet; and convert the format of the first labelled packet from the IPv6 format to the NetFlow format, the first labelled packet comprising a plurality of feature values.

2. The IPv6 traffic detection and defense system of claim 1, wherein the detection and defense device is configured to: standardize the plurality of feature values of the first labelled packet to generate a first standardized labelled packet, the first standardized labelled packet comprising a plurality of standardized feature values corresponding respectively to the plurality of feature values; perform feature extraction on the first standardized labelled packet to select at least one standardized feature value from the plurality of standardized feature values; train a machine learning model on the at least one standardized feature value; and determine whether the current traffic is abnormal according to the machine learning model.

3. The IPv6 traffic detection and defense system of claim 2, wherein the plurality of feature values comprises a first feature value; wherein, in response to the first feature value corresponding to a categorical feature, the detection and defense device converts the first feature value into a first class among a plurality of classes and generates a first vector according to the first class, the first vector being the standardized first feature value, among the plurality of standardized feature values, that corresponds to the first feature value; wherein the first vector comprises a plurality of elements corresponding respectively to the plurality of classes, the plurality of elements comprising a first element corresponding to the first class and other elements, the first element being 1 and the other elements being 0; and wherein, in response to the first feature value corresponding to a numerical feature, the detection and defense device normalizes the first feature value into the range 0 to 1 to generate the standardized first feature value.

4. The IPv6 traffic detection and defense system of claim 3, wherein the plurality of feature values comprises a set of feature values corresponding to numerical features, the set comprising the first feature value and a second feature value; and wherein, in response to the second feature value being the largest in the set, the detection and defense device divides the first feature value by the second feature value to normalize the first feature value into the range 0 to 1.

5. The IPv6 traffic detection and defense system of claim 1, wherein, in response to instructing the software-defined network switch to forward the traffic to the target server, the detection and defense device adds a first rule to the preset rules, the first rule instructing the software-defined network switch to forward data from the user terminal to the target server.

6. The IPv6 traffic detection and defense system of claim 1, wherein, in response to instructing the software-defined network switch to block the traffic, the detection and defense device adds a second rule to the preset rules, the second rule instructing the software-defined network switch to block data from the user terminal.

7. The IPv6 traffic detection and defense system of claim 1, wherein, in response to instructing the software-defined network switch to forward the traffic to the honeypot server, the detection and defense device adds a third rule to the preset rules, the third rule instructing the software-defined network switch to forward data from the user terminal to the honeypot server.

8. The IPv6 traffic detection and defense system of claim 1, wherein the detection and defense device is configured to: in response to determining that the current traffic is abnormal, determine whether the traffic volume associated with the current traffic is greater than a volume threshold; in response to the volume being greater than the volume threshold, instruct the software-defined network switch to block the traffic; in response to the volume being less than or equal to the volume threshold, determine whether the user terminal corresponding to the current traffic matches an IPv6 blacklist pre-stored in the detection and defense device; and in response to the user terminal matching the IPv6 blacklist, instruct the software-defined network switch to forward the traffic to the honeypot server.

9. The IPv6 traffic detection and defense system of claim 1, wherein, after the detection and defense device determines whether the current traffic is abnormal, the software-defined network switch updates the preset rules according to the current traffic.

10. A method for software-defined-network-based IPv6 traffic detection and defense, comprising: coupling a software-defined network switch to a sandbox server, a target server, a honeypot server and a detection and defense device, and pre-storing preset rules in the software-defined network switch; receiving, by the software-defined network switch, an IPv6 packet from a user terminal; forwarding, by the software-defined network switch, traffic from the user terminal to one of the target server and the honeypot server in response to the IPv6 packet matching the preset rules; forwarding, by the software-defined network switch, the traffic to the sandbox server in response to the IPv6 packet not matching the preset rules, and generating mirror traffic corresponding to the traffic, the mirror traffic comprising current traffic and historical traffic data, the historical traffic data comprising a plurality of labelled packets; obtaining, by the detection and defense device, the mirror traffic from the software-defined network switch, determining whether the current traffic is abnormal, instructing the software-defined network switch to forward the traffic to the target server in response to the current traffic being normal, and instructing the software-defined network switch to block the traffic or forward the traffic to the honeypot server in response to the current traffic being abnormal; deleting, by the detection and defense device, from the plurality of labelled packets the labelled packets that do not conform to the IPv6 format to obtain a first labelled packet; and converting, by the detection and defense device, the format of the first labelled packet from the IPv6 format to the NetFlow format, the first labelled packet comprising a plurality of feature values.
TW109133999A 2020-09-30 2020-09-30 SYSTEM AND METHOD FOR IPv6 TRAFFIC DETECTION AND DEFENSE BASED ON SOFTWARE-DEFINED NETWORK TWI737506B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109133999A TWI737506B (en) 2020-09-30 2020-09-30 SYSTEM AND METHOD FOR IPv6 TRAFFIC DETECTION AND DEFENSE BASED ON SOFTWARE-DEFINED NETWORK

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW109133999A TWI737506B (en) 2020-09-30 2020-09-30 SYSTEM AND METHOD FOR IPv6 TRAFFIC DETECTION AND DEFENSE BASED ON SOFTWARE-DEFINED NETWORK

Publications (2)

Publication Number Publication Date
TWI737506B true TWI737506B (en) 2021-08-21
TW202215816A TW202215816A (en) 2022-04-16

Family

ID=78283489

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109133999A TWI737506B (en) 2020-09-30 2020-09-30 SYSTEM AND METHOD FOR IPv6 TRAFFIC DETECTION AND DEFENSE BASED ON SOFTWARE-DEFINED NETWORK

Country Status (1)

Country Link
TW (1) TWI737506B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107463844A (en) * 2016-06-06 2017-12-12 国家计算机网络与信息安全管理中心 WEB Trojan detecting methods and system
US10148677B2 (en) * 2015-08-31 2018-12-04 Splunk Inc. Model training and deployment in complex event processing of computer network data
CN109922048A (en) * 2019-01-31 2019-06-21 国网山西省电力公司长治供电公司 One kind serially dispersing concealed threat Network Intrusion detection method and system
TW201946416A (en) * 2018-04-26 2019-12-01 中華電信股份有限公司 System of host protection based on moving target defense and method thereof


Also Published As

Publication number Publication date
TW202215816A (en) 2022-04-16

Similar Documents

Publication Publication Date Title
Miettinen et al. Iot sentinel: Automated device-type identification for security enforcement in iot
AlEroud et al. Identifying cyber-attacks on software defined networks: An inference-based intrusion detection approach
Dhawan et al. Sphinx: detecting security attacks in software-defined networks.
US10673903B2 (en) Classification of security rules
US10601853B2 (en) Generation of cyber-attacks investigation policies
Hoque et al. Network attacks: Taxonomy, tools and systems
JP6014280B2 (en) Information processing apparatus, method, and program
US11038906B1 (en) Network threat validation and monitoring
KR102135024B1 (en) Method and apparatus for identifying category of cyber attack aiming iot devices
US9544273B2 (en) Network traffic processing system
US20110019574A1 (en) Technique for classifying network traffic and for validating a mechanism for classifying network traffic
US10693908B2 (en) Apparatus and method for detecting distributed reflection denial of service attack
US20160088001A1 (en) Collaborative deep packet inspection systems and methods
KR102244036B1 (en) Method for Classifying Network Asset Using Network Flow data and Method for Detecting Threat to the Network Asset Classified by the Same Method
Gadallah et al. Machine Learning-based Distributed Denial of Service Attacks Detection Technique using New Features in Software-defined Networks.
Xiao et al. Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model
Hagos et al. A machine-learning-based tool for passive os fingerprinting with tcp variant as a novel feature
Nobakht et al. IOT-NETSEC: policy-based IoT network security using OpenFlow
Unal et al. Towards prediction of security attacks on software defined networks: A big data analytic approach
Fenil et al. Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches
TWI737506B (en) SYSTEM AND METHOD FOR IPv6 TRAFFIC DETECTION AND DEFENSE BASED ON SOFTWARE-DEFINED NETWORK
TWI797962B (en) Method for sase based ipv6 cloud edge network secure connection
Nakahara et al. Malware Detection for IoT Devices using Automatically Generated White List and Isolation Forest.
Herzalla et al. TII-SSRC-23 Dataset: Typological Exploration of Diverse Traffic Patterns for Intrusion Detection
CN115225301B (en) Hybrid intrusion detection method and system based on D-S evidence theory