TWI737506B - SYSTEM AND METHOD FOR IPv6 TRAFFIC DETECTION AND DEFENSE BASED ON SOFTWARE-DEFINED NETWORK - Google Patents
Description
The present invention relates to an IPv6 traffic detection and defense system and method based on a software-defined network (SDN).
With the rapid development of Internet technology, network attacks have emerged endlessly, and network security has received more and more attention. Today's networks use a static network architecture, which gives an attacker a long time to probe the vulnerabilities of a target server, so security protection is a passive form of defense. For example, monitoring can be used to detect attack traffic, insecure vulnerabilities can be patched, or network security appliances can be added to resist attacks. However, these methods can often be defeated by an attacker, and once an attack succeeds the attacker may even plant a backdoor program on the target server. In that case, even after the vulnerability is patched, the attacker can still break into the server through the backdoor. Network administrators therefore have to spend a great deal of time maintaining security equipment and servers to keep the system secure. For these reasons, a static network architecture cannot withstand modern, intelligent, high-volume network attacks. To meet the diversified information security threats of future networks, the upgrading and innovation of security protection measures must be accelerated; detection and defense are among the core problems that network security currently faces. How to design a more complete edge network security protection mechanism, detect and identify malicious attack traffic, and then provide differentiated security services is the goal of future network and information security development.
In view of the rapid development and spread of IPv6, IPv6 security issues have received more and more attention. The detection of and defense against abnormal traffic in IPv6 environments has become an important research topic for future network management. At present, the equipment used to detect and defend against abnormal behaviour in IPv6 networks consists mainly of intrusion detection systems (IDS) and firewalls. A firewall mainly performs access control on known IPv6 address targets or protocol service types, but it cannot effectively determine whether an IPv6 packet that passes through it is abnormal. Current IDSs rely mainly on two approaches: misuse detection and anomaly detection. Traditional IDSs are mostly based on misuse detection and use signature matching to identify malicious IPv6 network attacks. Besides having to consider the IDS's ability to support IPv6 signature rules, an administrator using this type of IDS must also constantly update the signature database to cope with attacks by variant malware, which is an unavoidable drawback. Although an IDS that uses anomaly detection can detect new or specific types of IPv4 attack traffic, the differences in the protocols themselves make it difficult to derive corresponding IPv6 attack judgement models and detection conditions by reusing the existing IPv4 parameters. Changes in IPv6 protocol types, address space, address format and mask format also greatly increase the complexity of detecting abnormal IPv6 traffic. Detection and defense capabilities against IPv6-specific attacks (for example, IPv6 Extension Header Attacks and ICMPv6 DoS) are also clearly insufficient. Moreover, regardless of how well an IDS or firewall itself supports IPv6, their detection and defense deployments rely on manually written rules to resist malicious traffic. Administrators therefore have to invest a great deal of time in updating and maintaining detection rules, and the rules they write may contain many blind spots that create vulnerabilities, letting attackers exploit rule or human oversights and evade detection with altered malicious traffic, which increases network security risk. It can be seen that the conventional approaches described above still have many shortcomings, are not a good design, and urgently need improvement.
The present invention provides an IPv6 traffic detection and defense system and method based on a software-defined network, which can strengthen the IPv6 network security defense capability.
The purpose of the present invention is to provide a system and method for detecting and defending against malicious IPv6 attacks in an intelligent network environment based on software-defined networking (SDN) and network function virtualization (NFV). It uses IPv6 traffic feature engineering and machine learning classification technology to strengthen the IDS's identification of IPv6 attacks and to improve the accuracy and capability of detecting and judging abnormal IPv6 traffic. Using SDN/NFV intelligent network technology as the foundation, it implements a mobile defense (Mobile Threat Defense, MTD) mechanism and strengthens the IPv6 network security defense capability.
The present invention proposes an IPv6 traffic detection and defense system based on a software-defined network, comprising a sandbox server, a target server, a honeypot server, a detection and defense device, and an SDN switch. The SDN switch is coupled to the sandbox server, the target server, the honeypot server and the detection and defense device, and pre-stores preset rules. The SDN switch receives an IPv6 packet from a user terminal. In response to the IPv6 packet matching the preset rules, the SDN switch forwards the traffic from the user terminal to one of the target server and the honeypot server. In response to the IPv6 packet not matching the preset rules, the SDN switch forwards the traffic to the sandbox server and generates mirrored traffic corresponding to the traffic, where the mirrored traffic includes the current traffic. The detection and defense device obtains the mirrored traffic from the SDN switch and determines whether the current traffic is abnormal; in response to the current traffic being normal, it instructs the SDN switch to forward the traffic to the target server, and in response to the current traffic being abnormal, it instructs the switch to block the traffic or to forward the traffic to the honeypot server.
In an embodiment of the present invention, the mirrored traffic further includes historical traffic data, where the historical traffic data includes a plurality of labelled packets, and the detection and defense device is configured to: delete the labelled packets that do not conform to the IPv6 format from the plurality of labelled packets to obtain a first labelled packet; convert the format of the first labelled packet from the IPv6 format to the NetFlow format, where the first labelled packet includes a plurality of feature values; standardize the plurality of feature values of the first labelled packet to generate a first standardized labelled packet, where the first standardized labelled packet includes a plurality of standardized feature values corresponding respectively to the plurality of feature values; perform feature extraction on the first standardized labelled packet to select at least one standardized feature value from the plurality of standardized feature values; train a machine learning model according to the at least one standardized feature value; and determine whether the current traffic is abnormal according to the machine learning model.
In an embodiment of the present invention, the plurality of feature values includes a first feature value. In response to the first feature value corresponding to a categorical feature, the detection and defense device converts the first feature value into a first class among a plurality of classes and generates a first vector according to the first class, where the first vector is the standardized first feature value, among the plurality of standardized feature values, that corresponds to the first feature value. The first vector includes a plurality of elements corresponding respectively to the plurality of classes, the plurality of elements including a first element corresponding to the first class and other elements, where the first element is 1 and the other elements are 0. In response to the first feature value corresponding to a numerical feature, the detection and defense device normalizes the first feature value to a range of 0 to 1 to generate the standardized first feature value.
In an embodiment of the present invention, the plurality of feature values includes a set of feature values corresponding to numerical features, where the set of feature values includes a first feature value and a second feature value. In response to the second feature value being the largest in the set of feature values, the detection and defense device divides the first feature value by the second feature value to normalize the first feature value to a range of 0 to 1.
In an embodiment of the present invention, in response to instructing the SDN switch to forward the traffic to the target server, the detection and defense device adds a first rule to the preset rules, where the first rule instructs the SDN switch to forward data from the user terminal to the target server.
In an embodiment of the present invention, in response to instructing the SDN switch to block the IPv6 traffic, the detection and defense device adds a second rule to the preset rules, where the second rule instructs the SDN switch to block data from the IPv6 user terminal.
In an embodiment of the present invention, in response to instructing the SDN switch to forward the traffic to the honeypot server, the detection and defense device adds a third rule to the preset rules, where the third rule instructs the SDN switch to forward data from the user terminal to the honeypot server.
In an embodiment of the present invention, the detection and defense device is configured to: in response to determining that the current traffic is abnormal, determine whether the traffic volume associated with the current traffic is greater than a traffic threshold; in response to the volume being greater than the traffic threshold, instruct the SDN switch to block the traffic; in response to the volume being less than or equal to the traffic threshold, determine whether the user terminal corresponding to the current traffic matches an IPv6 blacklist pre-stored in the detection and defense device; and in response to the user terminal matching the blacklist, instruct the SDN switch to forward the traffic to the honeypot server.
In an embodiment of the present invention, after the detection and defense device determines whether the current traffic is abnormal, the SDN switch updates the preset rules according to the current traffic.
The present invention also provides an IPv6 traffic detection and defense method based on a software-defined network, comprising: coupling an SDN switch to a sandbox server, a target server, a honeypot server and a detection and defense device, and pre-storing preset rules in the SDN switch; receiving, by the SDN switch, a packet from a user terminal; forwarding, by the SDN switch, the traffic from the user terminal to one of the target server and the honeypot server in response to the IPv6 packet matching the preset rules; forwarding, by the SDN switch, the traffic to the sandbox server in response to the IPv6 packet not matching the preset rules, and generating mirrored traffic corresponding to the traffic, where the mirrored traffic includes the current traffic; and obtaining, by the detection and defense device, the mirrored traffic from the SDN switch, determining whether the current traffic is abnormal, instructing the SDN switch to forward the traffic to the target server in response to the current traffic being normal, and instructing the SDN switch to block the traffic or to forward the traffic to the honeypot server in response to the current traffic being abnormal.
In an IPv6 environment, how to accurately identify and judge abnormal IPv6 traffic from information such as the features and behaviour patterns in IPv6 traffic flows is the focus of IPv6 attack detection development. The present invention identifies unknown IPv6 traffic by machine learning, so that detection rules need not be written by hand. Machine learning can learn to distinguish legitimate from malicious traffic from a large volume of known IPv6 traffic; this approach closes the loopholes created by manually written rules and reduces the manpower needed to maintain detection rules. Machine learning mainly uses statistical methods to summarize and establish a normal pattern, and then uses algorithms such as classification or regression prediction to build, from the relationship between the features and labels of the samples in a data set, a model of IPv6 attack classes that serves as the basis for identification. Besides detecting IPv6 attacks through machine learning, a new type of defense strategy must also be combined with it to defend effectively against IPv6 network attacks. The present invention adopts a moving target defense strategy, which can redirect an attacker's malicious IPv6 traffic through a dynamic network architecture to achieve defense. Many current studies implement moving target defense through relay nodes or proxy servers, but once an attacker gathers reconnaissance and learns the exact target server information, that defense mechanism collapses.
In the coming era of 5G all-IP networks, SDN/NFV is regarded as the most forward-looking technology; the programmable network and virtualized network functions it provides are the foundation for the development of intelligent networks. The design of future IPv6 network security architectures will evolve towards programmability and virtualization, and how to combine SDN/NFV technology to implement IPv6 mobile defense and develop innovative IPv6 network security service models is also a focus of future IPv6 defense technology research and development. The present invention proposes an IPv6 network security system that integrates IDS feature recognition with machine learning classification technology to improve the accuracy of abnormal IPv6 traffic detection. In addition, the system uses SDN/NFV to implement a mobile defense mechanism, which can strengthen the IPv6 network security defense capability.
FIG. 1 is a schematic diagram of an SDN-based IPv6 traffic detection and defense system 10 and a user terminal 20 according to an embodiment of the present invention. The IPv6 traffic detection and defense system 10 may include a detection and defense device 100, an SDN switch 200, a sandbox server 300, a target server 400 and a honeypot server 500.
The SDN switch 200 is, for example, an OpenFlow switch, which can forward IPv6 traffic using the OpenFlow IPv6 match field format and rules. The SDN switch 200 can establish a software-defined network, and external terminal network devices can access the software-defined network by connecting to the SDN switch 200. The SDN switch 200 may include at least transceiver circuitry, analog-to-digital (A/D) and digital-to-analog (D/A) converters, processing circuitry, optional memory circuitry or one or more antenna units, but the present invention is not limited thereto. The SDN switch 200 may be communicatively connected to the detection and defense device 100, the sandbox server 300, the target server 400, the honeypot server 500 and the user terminal 20. The SDN switch 200 may pre-store preset rules. When traffic passes through the SDN switch 200, the SDN switch 200 can manage the forwarding path of the traffic according to the preset rules.
The sandbox server 300 is used to handle unknown IPv6 traffic and provides a test environment for that traffic, so that traffic in the sandbox server 300 does not affect the target server 400. The sandbox server 300 may have the components necessary to run it, such as a processing unit (for example, a CPU, but not limited thereto), a communication unit (for example, various communication interfaces, Ethernet, mobile or WiFi wireless, but not limited thereto) and a storage unit (for example, removable random access memory, flash memory or a hard disk, but not limited thereto).
The target server 400 is used to serve normal user terminals. Since the software that serves user terminals is mainly stored on the target server 400, the target server 400 is the main protection target of the IPv6 traffic detection and defense system 10. The detection and defense device 100 of the present invention can prevent malicious IPv6 traffic from intruding into the target server 400. The target server 400 may have the components necessary to run it, such as a processing unit (for example, a CPU, but not limited thereto), a communication unit (for example, various communication interfaces, Ethernet, mobile or WiFi wireless, but not limited thereto) and a storage unit (for example, removable random access memory, flash memory or a hard disk, but not limited thereto).
The honeypot server 500 is used to draw in IPv6 attacker traffic so that malicious traffic cannot attack the target server 400 directly. The honeypot server 500 may have the components necessary to run it, such as a processing unit (for example, a CPU, but not limited thereto), a communication unit (for example, various communication interfaces, Ethernet, mobile or WiFi wireless, but not limited thereto) and a storage unit (for example, removable random access memory, flash memory or a hard disk, but not limited thereto).
The user terminal 20 may include, but is not limited to, client electronic devices that use IP as their communication protocol, such as desktop computers, notebook computers, network computers, telephone devices, pagers, cameras, televisions and handheld game consoles; the present invention is not limited thereto. The user terminal 20 may include at least transceiver circuitry, A/D and D/A converters, processing circuitry, optional memory circuitry or one or more antenna units, but the present invention is not limited thereto.
The detection and defense device 100 can be used to configure the SDN switch 200 so as to manage the IPv6 traffic forwarding paths in the software-defined network. In this embodiment, the detection and defense device 100 can determine the nature of the IPv6 traffic from the user terminal 20 and thereby direct the traffic or data from the user terminal 20 to one of the sandbox server 300, the target server 400 and the honeypot server 500. FIG. 2 is a schematic diagram of the detection and defense device 100 according to an embodiment of the present invention. The detection and defense device 100 may include a controller 110, a storage medium 120 and a transceiver 130.
The controller 110 is, for example, an SDN programmable controller, a central processing unit (CPU), or another programmable general-purpose or special-purpose micro control unit (MCU), microprocessor, digital signal processor (DSP), programmable controller, application specific integrated circuit (ASIC), graphics processing unit (GPU), image signal processor (ISP), image processing unit (IPU), arithmetic logic unit (ALU), complex programmable logic device (CPLD), field programmable gate array (FPGA), or a similar element or combination of the above elements. The controller 110 may be coupled to the storage medium 120 and the transceiver 130, and may access and execute the plurality of modules and various applications stored in the storage medium 120.
The storage medium 120 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid state drive (SSD), or a similar element or combination of the above elements, and is used to store a plurality of modules or various applications that can be executed by the controller 110. The storage medium 120 may store functional modules including a capture and classification module 121, a feature engineering module 122, an analysis module 123 and a mobile defense module 124, whose functions are described below. In one embodiment, the storage medium 120 may pre-store an IPv6 blacklist recording one or more IPv6 user terminals.
The transceiver 130 transmits and receives signals wirelessly or by wire through a communication interface (for example, Ethernet, mobile or WiFi wireless). The detection and defense device 100 may be communicatively connected to the switch 200 through the transceiver 130.
FIG. 3 is a flowchart of an SDN-based IPv6 traffic detection and defense method according to an embodiment of the present invention. In step S301, the SDN switch 200 may receive an IPv6 packet from the user terminal 20. In step S302, the SDN switch 200 may determine whether the IPv6 packet matches the preset rules pre-stored in the SDN switch 200. If the IPv6 packet matches the preset rules, the user terminal 20 that sent the IPv6 packet is not unknown to the switch 200, and the flow proceeds to step S303.
In step S303, the SDN switch 200 may forward the traffic from the user terminal 20 to the target server 400 or the honeypot server 500. Specifically, the SDN switch 200 may determine from the IPv6 packet from the user terminal 20 and the preset rules whether the user terminal 20 is a malicious or a non-malicious IPv6 user. If the user terminal 20 is a malicious user, the SDN switch 200 forwards the traffic from the user terminal 20 to the honeypot server 500; if the user terminal 20 is a non-malicious user, the SDN switch 200 forwards the traffic from the user terminal 20 to the target server 400. On the other hand, if the IPv6 packet does not match the preset rules, the user terminal 20 that sent the IPv6 packet is unknown to the SDN switch 200, and the flow proceeds to step S304.
In step S304, the SDN switch 200 may forward the traffic from the user terminal 20 to the sandbox server 300 and copy the traffic to generate corresponding mirrored traffic. The SDN switch 200 may then send the mirrored traffic to the detection and defense device 100. The detection and defense device 100 may receive the mirrored traffic through the transceiver 130, where the mirrored traffic may include historical traffic data and the current traffic.
In step S305, the analysis module 123 of the detection and defense device 100 may determine whether the current traffic is abnormal. If the current traffic is normal, the flow proceeds to step S306; if the current traffic is abnormal, the flow proceeds to step S307. Specifically, the analysis module 123 of the detection and defense device 100 may determine whether the current traffic is abnormal according to a machine learning model trained on the historical traffic data.
In step S306, the mobile defense module 124 of the detection and defense device 100 may send an instruction to the switch 200 through the transceiver 130 to instruct the switch 200 to forward the traffic from the user terminal 20 to the target server 400.
In step S307, the analysis module 123 of the detection and defense device 100 may determine whether the traffic volume associated with the current traffic is greater than a traffic threshold. If the volume is greater than the traffic threshold, the flow proceeds to step S308; if the volume is less than or equal to the traffic threshold, the flow proceeds to step S309.
In step S308, the mobile defense module 124 of the detection and defense device 100 may send an instruction to the switch 200 through the transceiver 130 to instruct the SDN switch 200 to block the traffic from the user terminal 20. In this way, a large volume of abnormal traffic can be prevented from affecting the operation of the software-defined network.
In step S309, the analysis module 123 of the detection and defense device 100 may determine whether the user terminal 20 corresponding to the current traffic matches the IPv6 blacklist pre-stored in the detection and defense device 100. If the user terminal 20 matches the IPv6 blacklist, the flow proceeds to step S310; if the user terminal 20 does not match the IPv6 blacklist, the flow proceeds to step S311.
In step S310, the mobile defense module 124 of the detection and defense device 100 may send an instruction to the SDN switch 200 through the transceiver 130 to instruct the SDN switch 200 to forward the traffic from the user terminal 20 to the honeypot server 500. Since the detection and defense device 100 already knows that the user terminal 20 is a malicious IPv6 user terminal, the detection and defense device 100 can direct the user terminal 20 to the honeypot server 500, so that the user of the user terminal 20 concentrates on attacking the honeypot server 500 and ignores the target server 400.
In step S311, the mobile defense module 124 of the detection and defense device 100 may send an instruction to the SDN switch 200 through the transceiver 130 to instruct the switch 200 to forward the traffic from the user terminal 20 to the target server 400.
In step S312, the mobile defense module 124 of the detection and defense device 100 may send an instruction to the SDN switch 200 through the transceiver 130 to instruct the SDN switch 200 to update the preset rules according to the current traffic. Specifically, in response to instructing the SDN switch 200 to forward the traffic from the user terminal 20 to the target server 400 (as in step S306), the mobile defense module 124 of the detection and defense device 100 may instruct the SDN switch 200 through the transceiver 130 to add a first rule to the preset rules. The first rule may instruct the SDN switch 200 to forward future traffic or data from the user terminal 20 to the target server 400. In addition, in response to instructing the SDN switch 200 to block the traffic from the user terminal 20 (as in step S308), the mobile defense module 124 may instruct the SDN switch 200 through the transceiver 130 to add a second rule to the preset rules. The second rule may instruct the SDN switch 200 to block future traffic or data from the user terminal 20. Further, in response to instructing the SDN switch 200 to forward the traffic from the user terminal 20 to the honeypot server 500 (as in step S310), the mobile defense module 124 may instruct the SDN switch 200 through the transceiver 130 to add a third rule to the preset rules. The third rule may instruct the switch 200 to forward future traffic or data from the user terminal 20 to the honeypot server 500. In one embodiment, the mobile defense module 124 may read the source IPv6 address in the obtained traffic or data to determine whether the source of the traffic or data is the user terminal 20.
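The S301 to S312 decision path, as an added Python example that is not part of the patent: a simulation of the switch's preset rule table and of the detection and defense device's decision logic. The `Switch`, `Detector` and `handle` names, keying rules by source IPv6 address, passing the traffic volume in as a byte count, and the small lambda standing in for the trained machine learning model are assumptions made for this example; the addresses, volumes and threshold are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable

# Actions the switch can take for a source. These are this example's names, not the patent's.
TARGET, HONEYPOT, SANDBOX, BLOCK = "target", "honeypot", "sandbox", "block"


@dataclass
class Switch:
    """Stand-in for the SDN switch: a rule table keyed by source IPv6 address (assumption).
    A matching rule decides the path (S302/S303); an unknown source is sent to the
    sandbox and the packet is mirrored to the detection and defense device (S304)."""
    rules: dict = field(default_factory=dict)
    mirrored: list = field(default_factory=list)

    def forward(self, pkt):
        action = self.rules.get(pkt["src"])
        if action is not None:
            return action                 # preset rule matched: target, honeypot or block
        self.mirrored.append(pkt)         # S304: mirror unknown traffic for analysis
        return SANDBOX


@dataclass
class Detector:
    """Stand-in for the detection and defense device (analysis + mobile defense modules)."""
    classify: Callable[[dict], bool]      # True when the current traffic is abnormal (S305)
    flow_threshold: int                   # traffic-volume threshold in bytes (S307)
    blacklist: frozenset                  # pre-stored IPv6 blacklist (S309)

    def decide(self, pkt, flow_bytes):
        if not self.classify(pkt):
            return TARGET                 # S306: normal -> target server
        if flow_bytes > self.flow_threshold:
            return BLOCK                  # S308: abnormal and high volume -> block
        if pkt["src"] in self.blacklist:
            return HONEYPOT               # S310: abnormal, known-bad source -> honeypot
        return TARGET                     # S311: abnormal but low volume and unlisted


def handle(switch, detector, pkt, flow_bytes):
    """Full S301-S312 path for one IPv6 packet; returns the action taken."""
    action = switch.forward(pkt)          # S301/S302
    if action != SANDBOX:
        return action                     # S303: known source, rule already decided
    action = detector.decide(pkt, flow_bytes)
    switch.rules[pkt["src"]] = action     # S312: first/second/third rule for future traffic
    return action


def run_demo():
    """Constructed scenario exercising every branch; returns (actions, switch)."""
    switch = Switch(rules={"2001:db8::1": TARGET})          # one preset rule: known-good host
    detector = Detector(
        classify=lambda p: p["proto"] == "icmpv6" and p["pps"] > 50,  # stand-in for the ML model
        flow_threshold=10_000,
        blacklist=frozenset({"2001:db8::bad"}),
    )
    packets = [
        ({"src": "2001:db8::1",   "proto": "tcp",    "pps": 5},   400),     # S302 match -> S303
        ({"src": "2001:db8::10",  "proto": "tcp",    "pps": 3},   500),     # unknown, normal -> S306
        ({"src": "2001:db8::77",  "proto": "icmpv6", "pps": 900}, 50_000),  # abnormal, high volume -> S308
        ({"src": "2001:db8::bad", "proto": "icmpv6", "pps": 80},  2_000),   # abnormal, blacklisted -> S310
        ({"src": "2001:db8::88",  "proto": "icmpv6", "pps": 80},  2_000),   # abnormal, unlisted -> S311
        ({"src": "2001:db8::77",  "proto": "icmpv6", "pps": 900}, 50_000),  # now hits the second rule, no mirror
    ]
    actions = [handle(switch, detector, pkt, vol) for pkt, vol in packets]
    return actions, switch


if __name__ == "__main__":
    actions, switch = run_demo()
    print(actions)                        # ['target', 'target', 'block', 'honeypot', 'target', 'block']
    print(len(switch.mirrored), "packets mirrored;", len(switch.rules), "rules installed")
```

The last packet shows why S312 matters operationally: once the second rule is installed, the repeat from `2001:db8::77` is dropped at the switch without being mirrored, so the detection device is not re-asked about a source it has already judged.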
The analysis module 123 of the detection and defense device 100 may determine whether the current traffic is abnormal according to a machine learning model. FIG. 4 is a flowchart of training the machine learning model according to an embodiment of the present invention. In step S401, the capture and classification module 121 of the detection and defense device 100 may obtain the mirrored traffic corresponding to the user terminal 20, where the mirrored traffic may include historical traffic data. The historical traffic data may include a plurality of labelled packets, where each labelled packet may carry feature information indicating whether the labelled packet is an abnormal IPv6 packet.
In step S402, the capture and classification module 121 of the detection and defense device 100 may delete the labelled packets that do not conform to the IPv6 format from the plurality of labelled packets to obtain a set of labelled packets for training the machine learning model. In other words, every labelled packet in the set conforms to the IPv6 format.
In step S403, the capture and classification module 121 of the detection and defense device 100 may convert the format of each labelled packet in the set from the IPv6 format to the NetFlow format, where each labelled packet in the set may include a plurality of feature values, each corresponding to either a categorical feature or a numerical feature, such as the source IPv6 address, destination IPv6 address, source port number, destination port number, next hop address, NetFlow duration, time at start of flow, time at end of flow, Transmission Control Protocol (TCP) flags, transport layer protocol number, IP type of service, packet count or byte count; the present invention is not limited thereto.
In step S404, the feature engineering module 122 of the detection and defense device 100 may standardize the feature values of each labelled packet in the set to generate a set of standardized labelled packets. Each standardized labelled packet in the set may include a plurality of standardized feature values corresponding respectively to the plurality of feature values.
FIG. 5 is a flowchart of standardizing feature values by the feature engineering module 122 according to an embodiment of the present invention. The feature engineering module 122 may standardize a feature value to generate a standardized feature value. In step S501, the feature engineering module 122 may determine whether the feature value to be standardized corresponds to a categorical feature (for example, an IPv6 address or the TCP/UDP transport protocol) or a numerical feature (for example, 100, 200 or 500). If the feature value corresponds to a categorical feature, the flow proceeds to step S502; if it corresponds to a numerical feature, the flow proceeds to step S504.
In step S502, the feature engineering module 122 may convert the feature value into one of a plurality of classes according to a pre-stored mapping table, where the class may be represented as text. Table 1 is an example of feature values of the categorical feature "IPv6 address" and the classes corresponding to those feature values.
Table 1
In step S503, the feature engineering module 122 of the detection and defense device 100 may generate a vector corresponding to the feature value according to the class, where the vector is the standardized feature value. In one embodiment, the vector may include a plurality of elements corresponding respectively to the plurality of classes, the elements including the element corresponding to the feature value and other elements. The feature engineering module 122 may set the element corresponding to the feature value to "1" and the other elements to "0". Table 2 is an example of classes and the vectors generated from them. In Table 2, the first element of the vector corresponds to the class "linklocal", the second element corresponds to the class "global", and the third element corresponds to the class "multicast".
Table 2
In step S504, the feature engineering module 122 of the detection and defense device 100 may normalize the feature value (that is, a feature value corresponding to a numerical feature) to a range of 0 to 1 to generate the standardized feature value. In one embodiment, the plurality of feature values may include a set of feature values corresponding to numerical features, where the set may include a first feature value and a second feature value. In response to the second feature value being the largest in the set, the feature engineering module 122 may divide the first feature value by the second feature value, thereby normalizing the first feature value to a range of 0 to 1. In addition, the feature engineering module 122 may normalize the second feature value to 1. Table 3 is an example of the feature values of several numerical features of a labelled packet and the standardized feature values produced by normalizing them. As Table 3 shows, the feature value of numerical feature #3 is larger than those of the other numerical features, so the feature engineering module 122 may divide the feature value of every numerical feature by the feature value of numerical feature #3 to normalize each feature value to a range of 0 to 1.
Table 3
Returning to FIG. 4, after obtaining the set of standardized labelled packets, in step S405 the feature engineering module 122 may perform feature extraction on each standardized labelled packet in the set to select, from the plurality of feature values of each standardized labelled packet, at least one standardized feature value for training the machine learning model.
In step S406, the feature engineering module 122 may train the machine learning model according to the at least one standardized feature value. For example, the feature engineering module 122 may train the machine learning model with algorithms such as a decision tree (DT), the K-nearest neighbour algorithm (KNN) or a deep neural network (DNN); the present invention is not limited thereto.
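The training pipeline S401 to S406 and the feature standardization flow S501 to S504, as one added Python example that is not the patent's own code. It filters out non-IPv6 packets, aggregates packets into NetFlow-style flow records, one-hot encodes the address class and the transport protocol, divides each record's numerical features by that record's largest numerical feature as Table 3 describes, drops constant columns as a simple form of feature selection, and classifies with a k-nearest-neighbour vote. The packet dictionaries, the `linklocal`/`global`/`multicast` mapping via Python's `ipaddress` module, the protocol category set, the choice of (source address, protocol) as the flow key and all traffic values are constructed assumptions.

```python
import ipaddress
from collections import Counter
from math import sqrt

# One-hot orders. CATEGORIES follows Table 2 of the patent; PROTOCOLS is a constructed set.
CATEGORIES = ("linklocal", "global", "multicast")
PROTOCOLS = ("tcp", "udp", "icmpv6")

# Constructed labelled packets standing in for the historical traffic data (S401).
# label 1 = abnormal. "ts" is seconds, "len" is bytes.
HISTORY = (
    [{"src": "fe80::1", "proto": "tcp", "len": 120, "ts": t, "label": 0} for t in (0.0, 0.5)]
    + [{"src": "2001:db8::10", "proto": "udp", "len": 300, "ts": t, "label": 0} for t in (1.0, 2.0)]
    + [{"src": "2001:db8::20", "proto": "tcp", "len": 120, "ts": t, "label": 0} for t in (0.0, 1.0, 2.0)]
    + [{"src": "192.0.2.7", "proto": "tcp", "len": 80, "ts": 1.0, "label": 0}]        # IPv4: removed in S402
    + [{"src": "not-an-address", "proto": "tcp", "len": 80, "ts": 1.0, "label": 0}]   # malformed: removed
    + [{"src": "ff02::1", "proto": "icmpv6", "len": 64, "ts": i * 0.001, "label": 1} for i in range(200)]
    + [{"src": "2001:db8::bad", "proto": "tcp", "len": 60, "ts": i * 0.001, "label": 1} for i in range(150)]
    + [{"src": "fe80::bad", "proto": "icmpv6", "len": 64, "ts": i * 0.001, "label": 1} for i in range(120)]
)
# Constructed current traffic to be judged (no labels).
CURRENT = (
    [{"src": "ff02::2", "proto": "icmpv6", "len": 64, "ts": i * 0.001} for i in range(180)]
    + [{"src": "fe80::5", "proto": "tcp", "len": 120, "ts": t} for t in (0.0, 0.5)]
)


def is_ipv6(addr):
    """S402: keep only packets whose source parses as an IPv6 address."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def address_class(addr):
    """Categorical class of an IPv6 address for one-hot encoding (S502).
    Assumption: anything that is neither link-local nor multicast is treated as 'global'."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "linklocal"
    return "global"


def to_flows(packets):
    """S403: aggregate packets into NetFlow-style records keyed by (source, protocol).
    A flow is labelled abnormal if any of its packets was."""
    flows = {}
    for p in packets:
        if not is_ipv6(p["src"]):
            continue
        f = flows.setdefault((p["src"], p["proto"]), {
            "src": p["src"], "proto": p["proto"], "packets": 0, "bytes": 0,
            "first": p["ts"], "last": p["ts"], "label": 0})
        f["packets"] += 1
        f["bytes"] += p["len"]
        f["first"] = min(f["first"], p["ts"])
        f["last"] = max(f["last"], p["ts"])
        f["label"] = max(f["label"], p.get("label", 0))
    return list(flows.values())


def one_hot(value, categories):
    """S503: a categorical class becomes a vector with a single 1."""
    return [1.0 if value == c else 0.0 for c in categories]


def scale_by_max(values):
    """S504: divide each numerical feature of a record by the record's largest one."""
    m = max(values)
    return [v / m for v in values] if m > 0 else [0.0 for _ in values]


def standardize(flow):
    """S404: standardized feature vector of one flow record."""
    duration = flow["last"] - flow["first"]
    return (one_hot(address_class(flow["src"]), CATEGORIES)
            + one_hot(flow["proto"], PROTOCOLS)
            + scale_by_max([flow["packets"], flow["bytes"], duration]))


def select_features(vectors):
    """S405: keep the column indexes that vary across the set; constant columns carry no information."""
    return [i for i in range(len(vectors[0])) if len({v[i] for v in vectors}) > 1]


def knn_predict(train, vector, selected, k=3):
    """S406: k-nearest-neighbour majority vote over the selected columns."""
    def dist(a, b):
        return sqrt(sum((a[i] - b[i]) ** 2 for i in selected))
    nearest = sorted(train, key=lambda tv: dist(tv[0], vector))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def build_model(packets):
    """Run S402-S405 over labelled packets; returns (training vectors, selected columns)."""
    train = [(standardize(f), f["label"]) for f in to_flows(packets)]
    selected = select_features([v for v, _ in train])
    return train, selected


def judge(model, packets):
    """Classify current traffic flow by flow; returns (src, proto, label) per flow."""
    train, selected = model
    return [(f["src"], f["proto"], knn_predict(train, standardize(f), selected))
            for f in to_flows(packets)]


if __name__ == "__main__":
    model = build_model(HISTORY)
    print("selected columns:", model[1])
    print(judge(model, CURRENT))          # [('ff02::2', 'icmpv6', 1), ('fe80::5', 'tcp', 0)]
```

Dividing by the record's own largest numerical feature means that feature (here the byte count) is always exactly 1, so the variance-based selection in S405 drops it; the remaining numerical columns are ratios within the record and are small compared with the one-hot columns, which therefore dominate the neighbour distances in this toy set. Most pipelines instead scale each column by its own maximum over the training set so that numerical features carry comparable weight.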
Compared with other conventional technologies, the intelligent network IPv6 traffic detection and defense system and method provided by the present invention have the following benefits and advantages:
The present invention can analyze and discriminate malicious traffic in client-side IPv6 traffic through advanced IPv6 detection and defense technology, can effectively distinguish normal from abnormal IPv6 traffic, and, combined with the MTD mobile defense mechanism, can strengthen the efficiency and application of detecting and defending against IPv6 information security threats.
The present invention can provide IPv6 traffic feature engineering capability to build an IPv6 traffic data set and generate a classification model. It can pass unknown IPv6 traffic flows to the IPv6 traffic classification model for classification, and can serve as a development basis for IPv6 machine learning.
The present invention can strengthen IDS identification and detection of IPv6 attacks through machine learning classification technology, can provide multiple IPv6 attack traffic judgement conditions, and can analyze abnormal packets, abnormal traffic volume and abnormal users to strengthen the ability to identify abnormal IPv6 traffic.
The present invention can implement the MTD mobile defense mechanism through SDN/NFV technology to substitute and change IPv6 traffic flows, and can effectively block malicious IPv6 traffic or direct suspicious IPv6 packets and abnormal users to the honeypot server for further analysis of IPv6 attack traffic types and patterns, strengthening the security protection capability of the IPv6 network environment.
10: IPv6 traffic detection and defense system; 100: detection and defense device; 110: controller; 120: storage medium; 121: capture and classification module; 122: feature engineering module; 123: analysis module; 124: mobile defense module; 130: transceiver; 20: user terminal; 200: software-defined network switch; 300: sandbox server; 400: target server; 500: honeypot server; S301, S302, S303, S304, S305, S306, S307, S308, S309, S310, S311, S312, S401, S402, S403, S404, S405, S406, S501, S502, S503, S504: steps
FIG. 1 is a schematic diagram of an SDN-based IPv6 traffic detection and defense system and a user terminal according to an embodiment of the present invention. FIG. 2 is a schematic diagram of a detection and defense device according to an embodiment of the present invention. FIG. 3 is a flowchart of an SDN-based IPv6 traffic detection and defense method according to an embodiment of the present invention. FIG. 4 is a flowchart of training a machine learning model according to an embodiment of the present invention. FIG. 5 is a flowchart of standardizing feature values by a feature engineering module according to an embodiment of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW109133999A TWI737506B (en) | 2020-09-30 | 2020-09-30 | SYSTEM AND METHOD FOR IPv6 TRAFFIC DETECTION AND DEFENSE BASED ON SOFTWARE-DEFINED NETWORK |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI737506B true TWI737506B (en) | 2021-08-21 |
TW202215816A TW202215816A (en) | 2022-04-16 |
Family
ID=78283489
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI737506B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107463844A (en) * | 2016-06-06 | 2017-12-12 | 国家计算机网络与信息安全管理中心 | WEB Trojan detecting methods and system |
US10148677B2 (en) * | 2015-08-31 | 2018-12-04 | Splunk Inc. | Model training and deployment in complex event processing of computer network data |
CN109922048A (en) * | 2019-01-31 | 2019-06-21 | 国网山西省电力公司长治供电公司 | One kind serially dispersing concealed threat Network Intrusion detection method and system |
TW201946416A (en) * | 2018-04-26 | 2019-12-01 | 中華電信股份有限公司 | System of host protection based on moving target defense and method thereof |
Also Published As
Publication number | Publication date |
---|---|
TW202215816A (en) | 2022-04-16 |