WO2016127555A1 - 控制应用程序权限的方法及控制器 - Google Patents
控制应用程序权限的方法及控制器 Download PDFInfo
- Publication number
- WO2016127555A1 WO2016127555A1 PCT/CN2015/083522 CN2015083522W WO2016127555A1 WO 2016127555 A1 WO2016127555 A1 WO 2016127555A1 CN 2015083522 W CN2015083522 W CN 2015083522W WO 2016127555 A1 WO2016127555 A1 WO 2016127555A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- permission
- application
- controller
- filter
- request
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Definitions
- Embodiments of the present invention relate to the field of communications, and, more particularly, to a method and controller for controlling application rights.
- SDN Software Defined Network
- APP Application, APP
- the embodiment of the invention provides a method for controlling application permission, which can avoid malicious attacks of the application and ensure network security.
- a method for controlling application permission comprising: a controller receiving an access request of an application; the controller determining whether the access request belongs to a permission list corresponding to the application, wherein the The permission list refers to the authority to operate on the resource; if the access request belongs to the permission list, the controller allows the application to access.
- the method before the controller receives the access request of the application, the method further includes:
- the controller receives a permission request sent by the application
- the controller generates the permission list corresponding to the application according to the permission request.
- the generating, by the permission request, the permission list corresponding to the application includes:
- the permission filter comprises at least one atomic filter, and one of the at least one atomic filter is used to represent a filter expression of an attribute dimension of the application interface API call of the controller.
- the generating, according to the permission request, generating the permission list corresponding to the application including Determining whether the permission request is legal according to a security constraint, wherein the security constraint is used to indicate a scope of the authority opened by the controller; and when determining that the permission request is legal, the permission list is generated.
- the determining whether the access request belongs to a permission list corresponding to the application includes:
- the controller allows the application to access, including:
- the controller allows the application to access.
- a controller comprising:
- a receiving unit configured to receive an access request of the application
- a determining unit configured to determine whether the access request received by the receiving unit belongs to a permission list corresponding to the application, where the permission list refers to a permission for operation of a resource;
- an execution unit configured to allow the application to access when the determining unit determines that the access request belongs to the permission list.
- the receiving unit is further configured to receive a permission request sent by the application
- the executing unit is further configured to: according to the permission request And generating the permission list corresponding to the application.
- the executing unit is configured to: generate, by using a permission filter, according to the permission request List of permissions;
- the privilege filter comprises at least one atomic filter
- An atomic filter in the filter is used to represent a filter expression for an attribute dimension of the controller's application interface API call.
- the executing unit is specifically configured to:
- the determining unit is specifically configured to: convert the access request into an extraction paradigm, and convert the permission list into a conjunction paradigm; and determine whether the extraction paradigm belongs to the conjunction paradigm;
- the execution unit is specifically configured to: when the determining unit determines that the extraction paradigm belongs to the conjunction paradigm, allow the application to access.
- the controller determines whether the access request of the application belongs to the permission list corresponding to the application, so that the access permission of the application is restricted according to the permission list, thereby preventing malicious attacks of the application and ensuring network security.
- FIG. 1 is a flow chart of a method of controlling application rights according to an embodiment of the present invention.
- FIG. 2 is a flow chart of a method of controlling application rights according to another embodiment of the present invention.
- FIG. 3 is a block diagram showing the structure of a controller in accordance with an embodiment of the present invention.
- FIG. 4 is a block diagram showing the structure of a controller according to another embodiment of the present invention.
- FIG. 1 is a flow chart of a method of controlling application rights according to an embodiment of the present invention.
- the method shown in Figure 1 includes:
- the controller receives an access request of the application.
- the controller determines whether the access request belongs to a permission list corresponding to the application, where the permission list refers to a permission for an operation of a resource.
- the controller allows the application to access.
- the controller determines whether the access request of the application belongs to the permission list corresponding to the application, so that the access permission of the application is restricted according to the permission list, thereby preventing malicious attacks of the application and ensuring network security.
- the method shown in the embodiment of the present invention is applied to the SDN field.
- the controller shown in the embodiment of the present invention refers to a controller in the SDN.
- a list of permissions corresponding to the application is stored in the controller.
- the list of permissions can be pre-configured by the administrator or pre-configured by the controller based on the scope of its own open permissions.
- the present invention does not limit the form of the rights list.
- the list of permissions may be in the form of a list, or may be in the form of a list, or may be in the form of a collection, and the like.
- the embodiment of the present invention should not use the name of the permission list as a limitation on its form.
- the method may further include: the controller generating a permission list corresponding to the application.
- the controller may receive the permission request sent by the application; and generate the permission list corresponding to the application according to the permission request.
- the access of the application to the controller includes accessing the resource, where the resource includes at least one of the following: a flow table, a topology, a statistical information and an error, a group table, a traffic shaping, and an operating system. , Packet_in and Packet_out. As shown in Table 1.
- the operation on the resource can be a read or write or an event callback.
- the permission list may be used to indicate the authority to operate the resource.
- the third column as shown in Table 1 includes the rights defined by the embodiments of the present invention.
- the embodiment of the present invention defines a privilege language. Specifically, the privilege language and its meaning are as follows:
- PERM the name of the claim permission
- IP_SRC (V6 or V4): IP source address, the value can be an integer variable, or a string in IP format;
- IP_DST (V6 or V4): IP destination address, the value can be an integer variable, or a string in IP format;
- TCP_SRC TCP source address, the value can be an integer variable, or a string in IP format
- TCP_DST TCP destination address, whose value can be an integer variable or a string in IP format.
- MASK Subnet mask, whose value can be an integer variable or a string in IP format.
- WILDCARD wildcard matching
- OWN_FLOWS Ownership permission, only allows to view and modify the flow table rules created by the APP itself;
- ALL_FLOWS Ownership permission, allowing all flow table rules to be viewed and modified
- GROUP_FLOW Ownership permission, only allows to view and modify the group table rules created by the APP itself;
- ALL_GROUP_FLOWS Ownership permission, allowing all group table rules to be viewed and modified
- METER_FLOW Ownership permission, only allows to view and modify the meter_table rule created by the APP itself;
- ALL_METER_FLOWS Ownership permission, allowing all meter_table rules to be viewed and modified;
- MAX_PRIORITY Limits the maximum priority of rules that can be created or modified
- MIN_PRIORITY Limits the minimum priority of rules that can be created or modified
- MAX_RULE_COUNT The number of rules that are restricted on one switch
- ARBITRARY Allows packets to be sent outside in any case
- SWITCH A switch that can be operated. It can be a single switch or a group of switches. It can also be used with LINK to limit the link that can be operated.
- LINK Qualify the link that can be operated. It can be one or a group of links when used.
- ALL_SWITCHES Allows all switches to be operated
- VIRTUAL defines a virtual switch that can be operated
- SINGLE_BIG_SWITCH Limited to a single virtual switch
- PATHS_AS_LINKS is limited to the link directly or indirectly adjacent to the switch
- EVENT_INTERCEPTION Allows the interception interception callback event
- MODIFY_EVENT_ORDER Allows modification of the order in which callback events are handled by the APP
- FLOW_LEVEL Allows viewing of stream level statistics
- PORT_LEVEL Allows viewing of port level statistics
- SWITCH_LEVEL Allows you to view statistics at the switch level.
- the controller when generating the permission list, the controller may first determine whether the permission request is legal according to the security constraint; and when determining that the permission request is legal, generate the permission list.
- the security constraint is used to indicate a range of rights opened by the controller.
- the scope of the authority opened by the controller may be pre-defined by the administrator and configured on the controller.
- the controller determines that the permission request is illegal, the permission list is not generated, and the application is not allowed to access.
- the permission request of the application can be understood as a rough permission list, which is an all-or-nothing authorization mode, that is, all pass or no pass, and the granularity is coarse.
- the list of permissions generated by the controller can be understood as a refined list of permissions for limiting the scope of permissions.
- controller generating the permission list may include: generating the permission list by using a predefined permission grammar rule according to the permission request.
- the controller may generate the permission list by using a predefined permission grammar rule according to the permission request and the security constraint.
- the predefined permission grammar rules can be represented as privilege filters.
- rational The controller generates a permission list, and the controller generates the permission list by using a permission filter according to the permission request.
- the controller may generate the permission list by using a permission filter according to the permission request and the security constraint.
- the privilege filter includes at least one atomic filter, and one of the at least one atomic filter is used to represent an application interface (API) call to the controller.
- API application interface
- An atomic filter can be a building block for filtering expressions.
- Application API calls to controllers are typically associated with a certain number of parameters and runtime attributes, such as matching fields for flow table entries and target switches.
- Atomic filters can classify API calls based on specific attribute dimensions of API calls. Different atomic filters examine different attribute dimensions, so different atomic filters are independent of each other. Typically, an atomic filter is a subset of permissions that contain specific properties.
- attribute dimension may be determined according to the resource as shown in Table 1.
- attribute dimensions can include: flow, topology, event callbacks, statistics, group tables, and traffic shaping.
- the atomic filter may further include: a flow filter, a topology filter, an event callback filter, a statistical filter, a group table filter, and a traffic shaping filter.
- a flow filter a topology filter
- an event callback filter a statistical filter
- a group table filter a traffic shaping filter
- Stream filter acts on an API call for a specific stream parameter. Therefore, the flow filter can be associated with the resources of the flow table in the rights management. The flow filter checks several types of inputs.
- the parameters at the time of API call can be compared with the filter parameters.
- the filter parameter value can be a specific value or a range, and the range can be represented by a bitwise mask.
- IP_DST 10.13.0.0 MASK 255.255.0.0
- a check on the wildcard field can be provided.
- the upper 24 bits of the IP destination address representing any newly inserted rules must be wildcards, and only the lower 8 bits of the IP destination address can be specified. Therefore, the high 24 of the IP destination address of any packet cannot be modified by the APP, and only the lower 8 bits of the IP destination address can be modified by the APP.
- the flow filter may further include: an action filter, an ownership filter, a priority filter, a table size filter, and a packet outflow filter.
- the action filter identifies the behavior of dropping, forwarding, and modifying the stream in a specific domain.
- the ownership filter identifies and tracks the issuer of all existing streams.
- the priority filter limits the maximum/minimum priority value an application can set for its flow rules.
- the table size filter limits the maximum number of rules an application can put on a switch.
- the packet outflow filter if set to FROM_PKT_IN, prevents the application from issuing any data layer packets (ie, not packets that respond to packet_in).
- attribute dimensions can also include actions, ownership, priority, table size, and package outflow.
- the flow filter can limit the visibility or operability of the flow table.
- Topology Filter The topology filter checks the switches and links that an application sees and operates.
- a topology filter can work in a physical topology or it can work in a virtual topology created.
- the topology filter may further include: a physical topology filter and a virtual topology filter.
- the physical topology filter can expose a subset of physical switches and links to an application.
- a virtual topology filter can treat the entire network as a large switch or split the entire network into multiple virtual networks.
- attribute dimension can also include a physical topology and a virtual topology.
- event callback filter can be used to check the behavior of two specific applications in the event callback, respectively 1) intercept callback events, 2) modify the order in which callback events are handled by the application .
- the event callback filter may further include: an event listening filter and an event sequence filter.
- the event listener filter can check whether an application can intercept the callback event, that is, prevent the event from being processed by other applications.
- the event sequence filter can check if the API call attempts to modify the order in which the callback event is processed by the application.
- attribute dimensions can also include event listeners and event sequences.
- statistical filter can limit the visible data of an application to one or several of the three levels, including three levels: flow level (FLOW_LEVEL), port level (PORT_LEVEL) and switch level (SWITCH_LEVEL ). As you can see, the statistic filter is the only filter that effectively acts on the read_statistics privilege.
- group table filter You can set whether the APP can issue the permission of the group table.
- group tables can be used for multicast, multipath, fault recovery, and so on.
- IP_DST 10.13.0.0 MASK 255.255.0.0
- Restrictions can only insert group table entries (group_table_entry) for a specific subnet.
- Traffic Shaping Filter It can restrict the APP to perform traffic shaping only for specific ports of a specific switch. In openflow, the controller can shape the flow in the network, such as limiting the port rate of 10M to 3M.
- the rights filter when the rights filter includes a plurality of atom filters, the plurality of atom filters are connected by a logical operator.
- the logical operators include (AND), OR (OR), and NO (NOT).
- the controller may generate a permission list by using the permission filter.
- the controller may include a constraint engine, and the constraint engine generates a permission list.
- the list of permissions corresponding to the application refers to a set of a range of rights that the controller opens to the application.
- the access request in 101 may be an APP access request to the API. Then, after 101, the controller can correspond to the specific authority according to the access request of the pair of APIs.
- the controller may pre-store the corresponding relationship of “API/Permission”, so that the controller can look up the correspondence and determine the authority corresponding to the access request.
- the correspondence may be as shown in Table 2.
- the controller determines whether the access request belongs to the permission list, and may include: the controller determining whether the permission corresponding to the access request belongs to the permission list.
- 102 if the access request is an access request to an attribute dimension of the API call, then 102 can be compared to the filter expression of the corresponding atom filter in the permission list.
- atomic filters can be compared directly.
- the same atomic filter needs to compare specific parameters, such as corresponding statistical filters, which need to be compared to FLOW_LEVEL, PORT_LEVEL or SWITCH_LEVEL.
- SWITCH_LEVEL contains FLOW_LEVEL and PORT_LEVEL
- PORT_LEVEL contains FLOW_LEVEL
- 102 may be compared to a corresponding filter expression of a plurality of atomic filters connected by the logical operator in the list of rights. Then, 102 may include: converting the access request into a disjunction paradigm, and converting the permission list into a conjunction paradigm; determining whether the disjunction paradigm belongs to the conjunction paradigm.
- determining whether the access request belongs to the permission list can be equivalent to determining whether A contains B.
- A is transformed into a conjunction paradigm (a and b and c and%), which converts B into a disjunction paradigm (x or y or z or).
- not(a and b) >(not a)or(not b).
- not(a or b) >(not a)and(not b).
- A is converted into a conjunction paradigm
- B is converted into a disjunction.
- the manner of the paradigm can be referred to the prior art, and to avoid repetition, it will not be repeated here.
- the second step is to determine whether the conjunction paradigm contains an extraction paradigm.
- x1 x11 and x12. Then, when judging whether a1 includes x1, it is necessary to satisfy that a11 includes x11 and a11 includes x12; or a12 includes x11 and a12 includes x12.
- the permission list can be represented as A and the access request can be represented as B.
- a and B can be expressed as follows.
- the authority engine may be included in the controller, and the judgment process in 102 is performed by the authority engine.
- the controller determines whether the access of the application is legal by determining whether the access request belongs to the permission list. If it is determined that the access request belongs to the permission list, then 103 can be performed.
- FIG. 2 is a flow chart of a method of controlling application rights according to an embodiment of the present invention. If the controller in the 102 determines that the access request does not belong to the permission list, the execution may be further performed 104, that is, the controller does not allow the application to access.
- the controller determines that the access request does not belong to the permission list, it can be considered that the application access is illegal, that is, the application may have a possibility of maliciously attacking the controller, and the application is blocked. Further access, in turn, can ensure the security of the network.
- FIG. 3 is a block diagram showing the structure of a controller in accordance with an embodiment of the present invention.
- the controller 300 shown in FIG. 3 includes a receiving unit 301, a judging unit 302, and an executing unit 303.
- the receiving unit 301 is configured to receive an access request of the application.
- the determining unit 302 is configured to determine whether the access request received by the receiving unit 301 belongs to a permission list corresponding to the application, where the permission list refers to a right to operate on a resource.
- the executing unit 303 is configured to allow the application to access when the determining unit 302 determines that the access request belongs to the permission list.
- the controller determines whether the access request of the application belongs to the permission list corresponding to the application, so that the access permission of the application is restricted according to the permission list, thereby preventing malicious attacks of the application and ensuring network security.
- the access of the application to the controller includes accessing the resource, where the resource includes at least one of the following: a flow table, a topology, a statistical information and an error, a group table, a traffic shaping, and an operating system. , Packet_in and Packet_out.
- the operation on the resource can be a read or write or an event callback.
- a list of permissions corresponding to the application is stored in the controller.
- the list of permissions can be pre-configured by the administrator or pre-configured by the controller based on the scope of its own open permissions.
- the receiving unit 301 is further configured to receive the application
- the permission request sent by the execution unit 303 is further configured to generate the permission list corresponding to the application according to the permission request.
- the permission list may be used to indicate the authority to operate the resource.
- the third column as shown in Table 1 above includes the rights defined by the embodiments of the present invention.
- the executing unit 303 is configured to generate the permission list by using a permission filter according to the permission request.
- the permission filter includes at least one atomic filter, and one of the at least one atomic filter is used to represent a filter expression of an attribute dimension of an API call to the controller.
- the permission filter may include a plurality of atom filters, and a plurality of atom filters are connected by logical operators.
- the executing unit 303 is specifically configured to determine, according to the security constraint, whether the permission request is legal, where the security constraint is used to indicate a scope of the authority opened by the controller; When the permission request is legal, the permission list is generated.
- the determining unit 302 is specifically configured to: convert the access request into a disjunction paradigm, and convert the permission list into a conjunction paradigm; determine whether the disjunction paradigm belongs to the Describe the paradigm.
- the executing unit 303 is specifically configured to: when the determining unit 302 determines that the extraction paradigm belongs to the conjunction paradigm, allow the application to access.
- the controller 300 can be used to implement the method performed by the controller in the foregoing embodiment of FIG. 1 or FIG. 2. To avoid repetition, details are not described herein again.
- the controller 400 shown in FIG. 4 includes a processor 401, a receiver 402, a transmitter 403, and a memory 404.
- the receiver 402 is configured to receive an access request of an application.
- the processor 401 is configured to determine whether the access request received by the receiver 402 belongs to a permission list corresponding to the application, where the permission list is used to indicate a permission for an operation of the resource.
- the processor 401 is further configured to allow the application to access when determining that the access request belongs to the permission list.
- the controller determines whether the access request of the application belongs to the permission list corresponding to the application, so that the access permission of the application is restricted according to the permission list, thereby preventing malicious attacks of the application and ensuring network security.
- bus system 405 which in addition to the data bus includes a power bus, a control bus, and a status signal bus.
- bus system 405 various buses are labeled as bus system 405 in FIG.
- Processor 401 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 401 or an instruction in a form of software.
- the processor 401 may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), or the like. Programming logic devices, discrete gates or transistor logic devices, discrete hardware components.
- DSP digital signal processor
- ASIC application specific integrated circuit
- FPGA field programmable gate array
- the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
- the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in the memory 404, and the processor 401 reads the information in the memory 404 and completes the steps of the above method in combination with its hardware.
- the memory 404 in the embodiments of the present invention may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
- the non-volatile memory may be a read-only memory (ROM), a programmable read only memory (PROM), an erasable programmable read only memory (Erasable PROM, EPROM), or an electric Erase programmable read only memory (EEPROM) or flash memory.
- the volatile memory can be a Random Access Memory (RAM) that acts as an external cache.
- RAM Random Access Memory
- many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (Synchronous DRAM), SDRAM.
- the memory 404 of the systems and methods described herein is intended to include, but is not limited to, these and any Other suitable types of memory.
- the transmitter 403 in the embodiment of the present invention can be used to send the execution result of the processor 401 to the device that communicates with the controller 400.
- the controller 400 For example, an application or a switch.
- the embodiments described herein can be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof.
- the processing unit can be implemented in one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processing (DSP), Digital Signal Processing Equipment (DSP Device, DSPD), programmable Programmable Logic Device (PLD), Field-Programmable Gate Array (FPGA), general purpose processor, controller, microcontroller, microprocessor, other for performing the functions described herein In an electronic unit or a combination thereof.
- ASICs Application Specific Integrated Circuits
- DSP Digital Signal Processing
- DSP Device Digital Signal Processing Equipment
- PLD programmable Programmable Logic Device
- FPGA Field-Programmable Gate Array
- a code segment can represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software group, a class, or any combination of instructions, data structures, or program statements.
- a code segment can be combined into another code segment or hardware circuit by transmitting and/or receiving information, data, arguments, parameters or memory contents. Information, arguments, parameters, data, etc. can be communicated, forwarded, or transmitted using any suitable means including memory sharing, messaging, token passing, network transmission, and the like.
- the techniques described herein can be implemented by modules (eg, procedures, functions, and so on) that perform the functions described herein.
- the software code can be stored in a memory unit and executed by the processor.
- the memory unit can be implemented in the processor or external to the processor, in the latter case the memory unit can be communicatively coupled to the processor via various means known in the art.
- the access of the application to the controller includes accessing the resource, where the resource includes at least one of the following: a flow table, a topology, a statistical information and an error, a group table, a traffic shaping, and an operating system. , Packet_in and Packet_out.
- the operation on the resource can be a read or write or an event callback.
- a list of permissions corresponding to the application is stored in the controller.
- the list of permissions can be pre-configured by the administrator or pre-configured by the controller based on the scope of its own open permissions.
- the receiver 402 is further configured to receive a permission request sent by the application
- the processor 401 is further configured to generate, according to the permission request, the permission corresponding to the application. List.
- the permission list may be used to indicate the authority to operate the resource.
- the third column as shown in Table 1 above includes the rights defined by the embodiments of the present invention.
- the processor 401 is configured to generate the permission list by using a permission filter according to the permission request.
- the permission filter includes at least one atomic filter, and one of the at least one atomic filter is used to represent a filter expression of an attribute dimension of an API call to the controller.
- the permission filter may include a plurality of atom filters, and a plurality of atom filters are connected by logical operators.
- the processor 401 is specifically configured to determine, according to a security constraint, whether the permission request is legal, where the security constraint is used to indicate a scope of the authority opened by the controller; When the permission request is legal, the permission list is generated.
- the processor 401 is specifically configured to: convert the access request into a disjunction paradigm, and convert the permission list into a conjunction paradigm; determine whether the disjunction paradigm belongs to the Take the paradigm. The application is allowed to access when it is determined that the extraction paradigm belongs to the conjunction paradigm.
- the controller 400 can be used to implement the method performed by the controller in the foregoing embodiment of FIG. 1 or FIG. 2. To avoid repetition, details are not described herein again.
- the disclosed systems, devices, and methods may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
- Another point that is shown or discussed between each other The coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
- the technical solution of the present invention which is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including
- the instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
- the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program codes. .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
Abstract
一种控制应用程序权限的方法,本方法应用于SDN领域,包括:控制器接收应用程序的访问请求(101),所述控制器判断所述访问请求是否属于与所述应用程序对应的权限清单,其中所述权限清单是指对资源的操作的权限(102);如果所述访问请求属于所述权限清单,所述控制器允许所述应用程序进行访问(103)。本控制应用程序权限的方法中,控制器判断应用程序的访问请求是否属于与该应用程序对应的权限清单,这样根据权限清单限制该应用程序的访问权限,进而能够避免应用程序的恶意攻击,保障网络安全。
Description
本发明实施例涉及通信领域,并且更具体地,涉及一种控制应用程序权限的方法及控制器。
软件定义网络(Software Define Network,SDN)是一种控制和转发相分离的网络架构,将网络的控制功能集中在控制器上,并在控制器的上层部署应用程序(Application,APP)。这样,上层的应用程序可以通过控制器实现对网络的访问。
但是,由于应用程序的来源众多,且控制器无法获知应用程序的来源是否可靠,这样容易导致非安全的应用程序对控制器的攻击,并造成对网络的恶意的破坏,从而可能会带来网络安全威胁。
发明内容
本发明实施例提供一种控制应用程序权限的方法,能够避免应用程序的恶意攻击,保障网络安全。
第一方面,提供了一种控制应用程序权限的方法,包括:控制器接收应用程序的访问请求;所述控制器判断所述访问请求是否属于与所述应用程序对应的权限清单,其中所述权限清单是指对资源的操作的权限;如果所述访问请求属于所述权限清单,所述控制器允许所述应用程序进行访问。
结合第一方面,在第一方面的第一种可能的实现方式中,在所述控制器接收应用程序的访问请求之前,还包括:
所述控制器接收所述应用程序发送的权限请求;
所述控制器根据所述权限请求,生成与所述应用程序对应的所述权限清单。
结合第一方面的第一种可能的实现方式,在第一方面的第二种可能的实现方式中,所述根据所述权限请求,生成与所述应用程序对应的所述权限清单,包括:
根据所述权限请求,采用权限过滤器,生成所述权限清单;
其中,所述权限过滤器包括至少一个原子过滤器,所述至少一个原子过滤器中的一个原子过滤器用于表示对所述控制器的应用程序接口API调用的一个属性维度的过滤表达式。
结合上述第一方面的任一种可能的实现方式,在第一方面的第三种可能的实现方式中,所述根据所述权限请求,生成与所述应用程序对应的所述权限清单,包括:根据安全约束判断所述权限请求是否合法,其中,所述安全约束用于表示所述控制器所开放的权限的范围;当确定所述权限请求合法时,生成所述权限清单。
结合第一方面或者上述第一方面的任一种可能的实现方式,在第一方面的第四种可能的实现方式中,
所述判断所述访问请求是否属于与所述应用程序对应的权限清单,包括:
将所述访问请求转化为析取范式,并将所述权限清单转化为合取范式;
判断所述析取范式是否属于所述合取范式;
所述如果所述访问请求属于所述权限清单,所述控制器允许所述应用程序进行访问,包括:
如果所述析取范式属于所述合取范式,所述控制器允许所述应用程序进行访问。
第二方面,提供了一种控制器,包括:
接收单元,用于接收应用程序的访问请求;
判断单元,用于判断所述接收单元接收的所述访问请求是否属于与所述应用程序对应的权限清单,其中所述权限清单是指对资源的操作的权限;
执行单元,用于在所述判断单元确定所述访问请求属于所述权限清单时,允许所述应用程序进行访问。
结合第二方面,在第二方面的第一种可能的实现方式中,所述接收单元,还用于接收所述应用程序发送的权限请求;所述执行单元,还用于根据所述权限请求,生成与所述应用程序对应的所述权限清单。
结合第二方面的第一种可能的实现方式,在第二方面的第二种可能的实现方式中,所述执行单元,具体用于:根据所述权限请求,采用权限过滤器,生成所述权限清单;
其中,所述权限过滤器包括至少一个原子过滤器,所述至少一个原子过
滤器中的一个原子过滤器用于表示对所述控制器的应用程序接口API调用的一个属性维度的过滤表达式。
结合第二方面的任意一种可能的实现方式,在第二方面的第三种可能的实现方式中,所述执行单元,具体用于:
根据安全约束判断所述权限请求是否合法,其中,所述安全约束用于表示所述控制器所开放的权限的范围;当确定所述权限请求合法时,生成所述权限清单。
结合第二方面或者上述第二方面的任意一种可能的实现方式,在第二方面的第四种可能的实现方式中,
所述判断单元,具体用于:将所述访问请求转化为析取范式,并将所述权限清单转化为合取范式;判断所述析取范式是否属于所述合取范式;
所述执行单元,具体用于:在所述判断单元确定所述析取范式属于所述合取范式时,允许所述应用程序进行访问。
本发明实施例中,控制器判断应用程序的访问请求是否属于与该应用程序对应的权限清单,这样根据权限清单限制该应用程序的访问权限,进而能够避免应用程序的恶意攻击,保障网络安全。
为了更清楚地说明本发明实施例的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。
图1是本发明一个实施例的控制应用程序权限的方法的流程图。
图2是本发明另一个实施例的控制应用程序权限的方法的流程图。
图3是本发明一个实施例的控制器的结构框图。
图4是本发明另一个实施例的控制器的结构框图。
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创
造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。
图1是本发明一个实施例的控制应用程序权限的方法的流程图。图1所示的方法包括:
101,控制器接收应用程序的访问请求。
102,所述控制器判断所述访问请求是否属于与所述应用程序对应的权限清单,其中所述权限清单是指对资源的操作的权限。
103,如果所述访问请求属于所述权限清单,所述控制器允许所述应用程序进行访问。
本发明实施例中,控制器判断应用程序的访问请求是否属于与该应用程序对应的权限清单,这样根据权限清单限制该应用程序的访问权限,进而能够避免应用程序的恶意攻击,保障网络安全。
可理解,本发明实施例所示的方法应用于SDN领域,相应地,本发明实施例所示的控制器是指SDN中的控制器。
可选地,控制器中存储有与所述应用程序对应的权限清单。该权限清单可以是由管理员进行预配置的,或者是由控制器根据自身所开放的权限范围进行预配置的。
应注意,本发明对权限清单的形式不作限定。例如,权限清单可以是清单的形式,或者可以是列表的形式,或者也可以是集合的形式,等等。本发明实施例不应该将权限清单的名称作为对其形式的限定。
或者,可选地,在101之前,还可以包括:控制器生成与所述应用程序对应的权限清单。作为一例,控制器可以接收所述应用程序发送的权限请求;根据所述权限请求,生成与所述应用程序对应的所述权限清单。
本发明实施例中,应用程序对控制器的访问包括对资源的访问,其中,所述资源包括以下中的至少一种:流表、拓扑、统计信息和错误、组表、流量整形、操作系统、入包(Packet_in)和出包(Packet_out)。如表一所示。对资源的操作可以是读或写或事件回调。
本发明实施例中,权限清单可以用于表示对资源的操作的权限。如表一所示的第三列包括本发明实施例所定义的权限。
表一
为了对表一所示的权限的范围进行限定,本发明实施例定义了权限语言,具体地,权限语言及其含义如下所述:
PERM:声明权限的名称;
LIMITING:声明开始限定权限;
AND:与操作,二元操作符,两个均为真时才为真;
OR:或操作,二元操作符,只要有一个为真时即为真;
NOT:否定操作,一元操作符,表示当前的否定;
IP_SRC(V6或V4):IP源地址,其值可以是一个整型变量,也可以是一个IP格式的字符串;
IP_DST(V6或V4):IP目的地址,其值可以是一个整型变量,也可以是一个IP格式的字符串;
TCP_SRC:TCP源地址,其值可以是一个整型变量,也可以是一个IP格式的字符串;
TCP_DST:TCP目的地址,其值可以是一个整型变量,也可以是一个IP格式的字符串;
MASK:子网掩码,其值可以是一个整型变量,也可以是一个IP格式的字符串;
WILDCARD:通配符匹配;
DROP:丢弃当前包;
FORWARD:转发当前包;
MODIFY:修改当前包,具体使用时需要限定可以修改的域;
OWN_FLOWS:所有权权限,只允许查看和修改APP自身创建的流表规则;
ALL_FLOWS:所有权权限,允许查看和修改所有的流表规则;
GROUP_FLOW:所有权权限,只允许查看和修改APP自身创建的组表规则;
ALL_GROUP_FLOWS:所有权权限,允许查看和修改所有的组表规则;
METER_FLOW:所有权权限,只允许查看和修改APP自身创建的meter_table规则;
ALL_METER_FLOWS:所有权权限,允许查看和修改所有的meter_table规则;
MAX_PRIORITY:限制可以创建或修改的规则的最大优先级;
MIN_PRIORITY:限制可以创建或修改的规则的最小优先级;
MAX_RULE_COUNT:限制在一个交换机上的规则的数目;
FROM_PKT_IN:只允许在回复packet-in消息时对外发送数据包;
ARBITRARY:允许在任何情况下对外发送数据包;
SWITCH:限定可以操作的交换机,具体使用时可以是一个或者一组交换机,同时与LINK合用,限定可以操作的链路;
LINK:限定可以操作的链路,具体使用时可以是一条或一组链路;
ALL_SWITCHES:允许操作所有的交换机;
BORDER_SWITCHES:允许操作边界交换机;
VIRTUAL:限定可以操作的虚拟交换机;
SINGLE_BIG_SWITCH:限定为单个虚拟的交换机;
ALL_ADJACENT_LINKS:限定为所有与该交换机直接相邻的链路;
PATHS_AS_LINKS:限定为该交换机直接或间接相邻的链路;
EVENT_INTERCEPTION:允许监听截获回调事件;
MODIFY_EVENT_ORDER:允许修改回调事件被APP处理的顺序;
FLOW_LEVEL:允许查看流级别的统计信息;
PORT_LEVEL:允许查看端口级别的统计信息;
SWITCH_LEVEL:允许查看交换机级别的统计信息;
这样,可以利用上述权限语言,来描述和定义应用程序的访问权限。
具体地,本发明实施例中,控制器在生成权限清单时,可以先根据安全约束判断权限请求是否合法;当确定所述权限请求合法时,生成所述权限清单。其中,所述安全约束用于表示所述控制器所开放的权限的范围。这里,控制器所开放的权限的范围可以是由管理员预先定义并配置在该控制器上的。
可理解,若控制器确定所述权限请求不合法时,不生成权限清单,进而不允许该应用程序进行访问。
本发明实施例中,应用程序的权限请求可以理解为一种粗略的权限清单,是一种全有或全无的授权方式,即全部通过或者全部不通过,粒度较粗。那么,相应地,控制器所生成的权限清单可以理解为一种细化后的权限清单,用于限制权限的范围。
进一步地,控制器生成权限清单可以包括:根据所述权限请求,采用预定义的权限语法规则,生成所述权限清单。
具体地,控制器可以根据权限请求以及所述安全约束,采用预定义的权限语法规则,生成所述权限清单。
这里,所述预定义的权限语法规则可以表示为权限过滤器。那么,可理
解,控制器生成权限清单可以包括:控制器根据所述权限请求,采用权限过滤器,生成所述权限清单。或者,控制器可以根据权限请求以及所述安全约束,采用权限过滤器,生成所述权限清单。
本发明实施例中,所述权限过滤器包括至少一个原子过滤器,所述至少一个原子过滤器中的一个原子过滤器用于表示对所述控制器的应用程序接口(Application Interface,API)调用的一个属性维度的过滤表达式。
原子过滤器可以为过滤表达式的构建块。应用程序对控制器的API调用通常与一定数量的参数和运行时的属性相关联,例如流表项的匹配字段和目标交换机。原子过滤器可以根据API调用的特定属性维度划分API调用。不同的原子过滤器检查不同的属性维度,因此不同的原子过滤器是相互独立的。通常情况下,一个原子过滤器是一个包含特定属性的权限的子集。
应注意,本发明实施例对属性维度的划分方式不作限定,举例来说,可以按照如表一所示的资源确定属性维度。例如,属性维度可以包括:流、拓扑、事件回调、统计、组表和流量整形。
原子过滤器可以进一步包括:流过滤器、拓扑过滤器、事件回调过滤器、统计过滤器、组表过滤器和流量整形过滤器。具体地,这些过滤器的含义可以如下所述。
(a)、流过滤器:流过滤器作用于特定流参数的API调用。因此,流过滤器可以与权限管理中流表的资源相关联。流过滤器检查几种类型的输入。
具体地,可以将API调用时的参数与过滤器参数进行比较。过滤器参数值可为一个特定值或者一个范围,范围可以使用逐位掩码来表示。
例如:
PERM read_flow_table LIMITING
IP_DST 10.13.0.0 MASK 255.255.0.0
那么这个应用程序只能看到在特定子网的流表项。
此外,还可以提供对通配字段的检查。当与read_flow_table权限相关联时,应用程序可以看到的流表项的匹配字段的位数。当与insert_flow或delete_flow权限相关联时,可以确保应用程序产生恰当的通配位。例如,一个只处理数据包低8位IP目的地址的负载平衡APP应具有以下权限:
PERM insert_flow LIMITING
WILDCARD IP_DST 255.255.255.0
表示任何新插入的规则的IP目的地址的高24位必须是通配符,只有该IP目的地址的低8位的可以被指定。因此任何数据包的IP目的地址的高24为都不能被该APP修改,而只有该IP目的地址的低8位可以被该APP进行修改。
本发明实施例中,流过滤器可以进一步包括:动作过滤器、所有权过滤器、优先级过滤器、表大小过滤器和包流出过滤器。
其中,动作过滤器标识的是在一个特定域丢弃、转发和修改流的行为。所有权过滤器识别和跟踪所有现有流的发行人。优先级过滤器限制了一个应用程序可以设置其流规则的最大/最小优先级值。表大小过滤器限制应用程序可以放到一个交换机的规则的最大数量。包流出过滤器,如果设置为FROM_PKT_IN,可以防止应用程序发行任意的数据层的数据包(即不是回应packet_in的数据包)。
可理解,属性维度也可以包括动作、所有权、优先级、表大小和包流出。
可见,本发明实施例中,流过滤器可以限制流表的可见性或操作性。
(b)、拓扑过滤器:拓扑过滤器检查一个应用程序看到并操作的交换机和链接。拓扑过滤器可以工作在物理拓扑结构,或者也可以工作在所创建的一个虚拟拓扑结构。
本发明实施例中,拓扑过滤器可以进一步包括:物理拓扑过滤器和虚拟拓扑过滤器。
其中,物理拓扑过滤器可以将物理交换机和链路的子集暴露给一个应用程序。
例如:
PERM visible_topology LIMITING
SWITCH BORDER_SWITCHES LINK PATHS_AS_LINKS
允许应用程序查看包括拓扑结构中所有的边界交换机和他们之间的每对路径。
虚拟拓扑过滤器可以将整个网络看成一个大型交换机,或者将整个网络分割成多个虚拟网络。
例如:
PERM visible_topology LIMITING
VIRTUAL SINGLE_BIG_SWITCH LINK ALL_ADJACENT_LINKS
允许应用程序将网络拓扑结构看作一个单一的大型交换机。
可理解,属性维度也可以包括物理拓扑和虚拟拓扑。
(c)、事件回调过滤器:事件回调过滤器可以用于检查在事件回调的过程中两个特定的应用程序行为,分别为1)拦截回调事件,2)修改回调事件被应用程序处理的顺序。
本发明实施例中,事件回调过滤器可以进一步包括:事件侦听过滤器和事件顺序过滤器。
其中,事件侦听过滤器可以检查一个应用程序是否可以拦截回调事件,即防止事件被其他应用程序处理。事件顺序过滤器可以检查API调用是否尝试修改回调事件被应用程序处理的顺序。
可理解,属性维度也可以包括事件侦听和事件顺序。
(d)、统计过滤器:可以限制一个应用程序的可见数据到三个级别中的一个或几个,其中,三个级别包括:流级(FLOW_LEVEL)、端口级(PORT_LEVEL)和交换机级(SWITCH_LEVEL)。可见,统计过滤器是唯一有效地作用在read_statistics权限上的过滤器。
(e)、组表过滤器:可以设置APP是否可以下发组表的权限。在开放流(openflow)中,组表可用于组播、多路径、故障恢复等。
例如:
PERM insert_group_table_entry LIMITING
IP_DST 10.13.0.0 MASK 255.255.0.0
限制只能对特定的子网才可以插入(insert)组表项(group_table_entry)
(f)、流量整形过滤器:可以限制APP只有对特定的交换机的特定端口才可以进行流量整形。在openflow中,控制器可对网络中的流进行整形,如将10M的端口限速为3M。
例如:
PERM insert_meter_table_entry LIMITING SWITCH 1
限制只有对交换机1才可以插入meter表项。
本发明实施例中,当权限过滤器包括多个原子过滤器时,所述多个原子过滤器之间通过逻辑运算符进行连接。
其中,逻辑运算符包括和(AND)、或(OR)、否(NOT)。
例如,可以授予APP read_flow_table的权限,但只限制到先前由该APP
发布的流,或影响子网10.13.0.0/16:
PERM read_flow_table LIMITING OWN_FLOWSOR
IP_SRC 10.13.0.0 MASK 255.255.0.0 OR IP_DST 10.13.0.0 MASK255.255.0.0
这样,本发明实施例中,控制器可以利用权限过滤器生成权限清单。
例如:
ERM pkt_in LIMITTING EVENT_INTERCEPTION ANDFROM_PKT_IN
允许监听截获回调事件,允许在回复pkt-in消息的前提下发送pkt-out消息。
再例如:
PERM pkt_in LIMITTING EVENT_INTERCEPTION AND ARBITRARY
允许监听截获回调事件,允许在任何情况下发送pkt-out消息。
具体地,本发明实施例中,控制器中可以包括约束引擎,并由该约束引擎生成权限清单。
可理解,与应用程序对应的权限清单是指:控制器对该应用程序所开放的一系列权限范围的集合。
在图1所示的实施例中,101中的访问请求可以是APP对API的访问请求。那么,在101之后,控制器可以根据该对API的访问请求对应到特定的权限上。
具体地,控制器中可以预存储有“API/权限”的对应关系,这样,控制器可以查找该对应关系,确定与访问请求所对应的权限。
举例来说,该对应关系可以如表二所示。
表二
API | 对应的权限 |
OFSwitchImpl.write(OFType.FLOW_MOD) | insert flow |
addOFMessageListener | read pkt in payload |
…… | …… |
相应地,可以理解,在102中,控制器判断访问请求是否属于权限清单,可以包括:控制器判断与访问请求所对应的权限是否属于权限清单。
102中,如果访问请求是对API调用的一个属性维度的访问请求,那么102可以与权限清单中的对应的原子过滤器的过滤表达式进行比较。
也就是说,原子过滤器可以直接比较。例如,同一种原子过滤器,需要比较具体参数,如对应统计过滤器,需要比较属于FLOW_LEVEL、PORT_LEVEL或者SWITCH_LEVEL。
不同种类的原子过滤器显然不相同。对于不同种类的原子过滤器,判断包含的规则也不完全相同,如统计过滤器SWITCH_LEVEL包含了FLOW_LEVEL和PORT_LEVEL,而PORT_LEVEL包含了FLOW_LEVEL。而流过滤器中的action过滤中DROP和FORWARD就不能互相包含。
应注意,本发明实施例中,对原子过滤器之间的比较的方式不再赘述。
如果访问请求是对API调用的多个属性维度的访问请求,那么102可以与权限清单中的对应的由逻辑运算符连接的多个原子过滤器的过滤表达式进行比较。那么,102可以包括:将所述访问请求转化为析取范式,并将所述权限清单转化为合取范式;判断所述析取范式是否属于所述合取范式。
例如:假设权限清单可以表示为A,访问请求可以表示为B。那么,判断访问请求是否属于权限清单可以等价为,判断A是否包含B。
第一步,将A转化为合取范式(a and b and c and…),将B转化为析取范式(x or y or z or…)。
其中,转化过程是通过利用离散数学中命题公式的双重否定律、德摩根定律和分配律等来完成的。
(1)将A转化为合取范式。
先运用否定律,递归分解not操作。
例如:not(a and b)=>(not a)or(not b)。
再运用分配律,递归分解or操作。
例如:(a and b)or c=>(a or c)and(b or c)。
(2)将B转化为析取范式。
先运用否定律,递归分解not操作。
例如:not(a or b)=>(not a)and(not b)。
再运用分配率,递归分解or操作。
例如:(a or b)and c=>(a and c)or(b and c)。
应注意,本发明实施例中,将A转化为合取范式,将B的转化为析取
范式的方式可以参见现有技术,为避免重复,这里不再赘述。
第二步,判断合取范式是否包含析取范式。
具体地,需判断合取范式的每一个子句是否都包含析取范式的每一个子句。
例如,假设合取范式表示为a1 and a2 and a3 and…的形式,析取范式表示为x1 or x2 or x3...的形式,那么,需判断是否满足ai包含xj。其中,i=1,2,3…;j=1,2,3…。
应注意,若a1=a11 or a12,x1=x11 and x12。那么,在判断a1是否包括x1时,需要满足a11包括x11且a11包括x12;或者a12包括x11且a12包括x12。
应注意,本发明实施例中,关于判断合取范式是否包含析取范式的方式,可以参见与逻辑判断有关的现有技术,为避免重复,这里不再赘述。
作为一例,在102中,假设权限清单可以表示为A,访问请求可以表示为B。并且,A和B可以表示如下。
那么,判断B是否属于A,即判断是否满足B<=A。
首先可以将A转化为合取范式,即:
A=>(SWITCH_LEVEL)and(IP_DST 192.168.0.0 MASK 255.255.0.0);
将B转化为析取范式,即:
B=>(PORT_LEVEL and((IP_DST 192.168.1.0 MASK 255.255.255.0))or(PORT_LEVEL and((IP_DST 192.168.2.0 MASK 255.255.255.0))。
然后,便可以通过判断合取范式是否包含析取范式,来确定A是否包含B,进而确定访问请求是否属于权限清单。
具体地,本发明实施例中,控制器中可以包括权限引擎,并由该权限引擎执行102中的判断过程。
这样,控制器通过判断访问请求是否属于权限清单,来判断应用程序的访问是否合法。如果确定访问请求属于权限清单,便可以执行103。
图2是本发明实施例的控制应用程序权限的方法的流程图。其中,如果102中控制器经过判断之后,确定访问请求不属于权限清单,可以进一步执行104,即,控制器不允许该应用程序进行访问。
或者,也可以理解为,若控制器确定访问请求不属于权限清单,可以认为该应用程序的访问不合法,即该应用程序可能存在对控制器进行恶意攻击的可能性,便阻止该应用程序的进一步访问,进而能够保障网络的安全。
图3是本发明一个实施例的控制器的结构框图。图3所示的控制器300包括接收单元301、判断单元302和执行单元303。
接收单元301,用于接收应用程序的访问请求。
判断单元302,用于判断接收单元301接收的所述访问请求是否属于与所述应用程序对应的权限清单,其中所述权限清单是指对资源的操作的权限。
执行单元303,用于在判断单元302确定所述访问请求属于所述权限清单时,允许所述应用程序进行访问。
本发明实施例中,控制器判断应用程序的访问请求是否属于与该应用程序对应的权限清单,这样根据权限清单限制该应用程序的访问权限,进而能够避免应用程序的恶意攻击,保障网络安全。
本发明实施例中,应用程序对控制器的访问包括对资源的访问,其中,所述资源包括以下中的至少一种:流表、拓扑、统计信息和错误、组表、流量整形、操作系统、入包(Packet_in)和出包(Packet_out)。对资源的操作可以是读或写或事件回调。
可选地,控制器中存储有与所述应用程序对应的权限清单。该权限清单可以是由管理员进行预配置的,或者是由控制器根据自身所开放的权限范围进行预配置的。
可选地,作为一个实施例,接收单元301,还用于接收所述应用程序发
送的权限请求;执行单元303,还用于根据所述权限请求,生成与所述应用程序对应的所述权限清单。
本发明实施例中,权限清单可以用于表示对资源的操作的权限。如前述的表一所示的第三列包括本发明实施例所定义的权限。
具体地,执行单元303,用于根据所述权限请求,采用权限过滤器,生成所述权限清单。
其中,所述权限过滤器包括至少一个原子过滤器,所述至少一个原子过滤器中的一个原子过滤器用于表示对所述控制器的API调用的一个属性维度的过滤表达式。
可理解,所述权限过滤器可以包括多个原子过滤器,并且多个原子过滤器之间通过逻辑运算符连接。
可选地,作为另一个实施例,执行单元303具体用于根据安全约束判断所述权限请求是否合法,其中,所述安全约束用于表示所述控制器所开放的权限的范围;当确定所述权限请求合法时,生成所述权限清单。
可选地,作为另一个实施例,判断单元302,具体用于:将所述访问请求转化为析取范式,并将所述权限清单转化为合取范式;判断所述析取范式是否属于所述合取范式。执行单元303,具体用于:在判断单元302确定所述析取范式属于所述合取范式时,允许所述应用程序进行访问。
控制器300能够用于实现前述图1或图2的实施例中由控制器执行的方法,为避免重复,这里不再赘述。
图4是本发明另一个实施例的控制器的结构框图。图4所示的控制器400包括处理器401、接收器402、发送器403和存储器404。
接收器402,用于接收应用程序的访问请求。
处理器401,用于判断接收器402接收的所述访问请求是否属于与所述应用程序对应的权限清单,其中所述权限清单用于表示对资源的操作的权限。
处理器401,还用于在确定所述访问请求属于所述权限清单时,允许所述应用程序进行访问。
本发明实施例中,控制器判断应用程序的访问请求是否属于与该应用程序对应的权限清单,这样根据权限清单限制该应用程序的访问权限,进而能够避免应用程序的恶意攻击,保障网络安全。
控制器400中的各个组件通过总线系统405耦合在一起,其中总线系统405除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见,在图4中将各种总线都标为总线系统405。
上述本发明实施例揭示的方法可以应用于处理器401中,或者由处理器401实现。处理器401可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过处理器401中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器401可以是通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application SpecificIntegrated Circuit,ASIC)、现成可编程门阵列(Field Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本发明实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本发明实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器404,处理器401读取存储器404中的信息,结合其硬件完成上述方法的步骤。
可以理解,本发明实施例中的存储器404可以是易失性存储器或非易失性存储器,或可包括易失性和非易失性存储器两者。其中,非易失性存储器可以是只读存储器(Read-Only Memory,ROM)、可编程只读存储器(Programmable ROM,PROM)、可擦除可编程只读存储器(Erasable PROM,EPROM)、电可擦除可编程只读存储器(Electrically EPROM,EEPROM)或闪存。易失性存储器可以是随机存取存储器(Random Access Memory,RAM),其用作外部高速缓存。通过示例性但不是限制性说明,许多形式的RAM可用,例如静态随机存取存储器(Static RAM,SRAM)、动态随机存取存储器(Dynamic RAM,DRAM)、同步动态随机存取存储器(SynchronousDRAM,SDRAM)、双倍数据速率同步动态随机存取存储器(Double Data RateSDRAM,DDR SDRAM)、增强型同步动态随机存取存储器(EnhancedSDRAM,ESDRAM)、同步连接动态随机存取存储器(Synchlink DRAM,SLDRAM)和直接内存总线随机存取存储器(Direct Rambus RAM,DRRAM)。本文描述的系统和方法的存储器404旨在包括但不限于这些和任意
其它适合类型的存储器。
可以理解,本发明实施例中的发送器403可以用于将处理器401的执行结果发送至与该控制器400进行通信的设备。例如,应用程序或者交换机等。
可以理解的是,本文描述的这些实施例可以用硬件、软件、固件、中间件、微码或其组合来实现。对于硬件实现,处理单元可以实现在一个或多个专用集成电路(Application Specific Integrated Circuits,ASIC)、数字信号处理器(Digital Signal Processing,DSP)、数字信号处理设备(DSP Device,DSPD)、可编程逻辑设备(Programmable Logic Device,PLD)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)、通用处理器、控制器、微控制器、微处理器、用于执行本申请所述功能的其它电子单元或其组合中。
当在软件、固件、中间件或微码、程序代码或代码段中实现实施例时,它们可存储在例如存储部件的机器可读介质中。代码段可表示过程、函数、子程序、程序、例程、子例程、模块、软件分组、类、或指令、数据结构或程序语句的任意组合。代码段可通过传送和/或接收信息、数据、自变量、参数或存储器内容来稿合至另一代码段或硬件电路。可使用包括存储器共享、消息传递、令牌传递、网络传输等任意适合方式来传递、转发或发送信息、自变量、参数、数据等。
对于软件实现,可通过执行本文所述功能的模块(例如过程、函数等)来实现本文所述的技术。软件代码可存储在存储器单元中并通过处理器执行。存储器单元可以在处理器中或在处理器外部实现,在后一种情况下存储器单元可经由本领域己知的各种手段以通信方式耦合至处理器。
本发明实施例中,应用程序对控制器的访问包括对资源的访问,其中,所述资源包括以下中的至少一种:流表、拓扑、统计信息和错误、组表、流量整形、操作系统、入包(Packet_in)和出包(Packet_out)。对资源的操作可以是读或写或事件回调。
可选地,控制器中存储有与所述应用程序对应的权限清单。该权限清单可以是由管理员进行预配置的,或者是由控制器根据自身所开放的权限范围进行预配置的。
可选地,作为一个实施例,接收器402,还用于接收所述应用程序发送的权限请求;处理器401,还用于根据所述权限请求,生成与所述应用程序对应的所述权限清单。
本发明实施例中,权限清单可以用于表示对资源的操作的权限。如前述的表一所示的第三列包括本发明实施例所定义的权限。
具体地,处理器401,用于根据所述权限请求,采用权限过滤器,生成所述权限清单。
其中,所述权限过滤器包括至少一个原子过滤器,所述至少一个原子过滤器中的一个原子过滤器用于表示对所述控制器的API调用的一个属性维度的过滤表达式。
可理解,所述权限过滤器可以包括多个原子过滤器,并且多个原子过滤器之间通过逻辑运算符连接。
可选地,作为另一个实施例,处理器401具体用于根据安全约束判断所述权限请求是否合法,其中,所述安全约束用于表示所述控制器所开放的权限的范围;当确定所述权限请求合法时,生成所述权限清单。
可选地,作为另一个实施例,处理器401具体用于:将所述访问请求转化为析取范式,并将所述权限清单转化为合取范式;判断所述析取范式是否属于所述合取范式。在确定所述析取范式属于所述合取范式时,允许所述应用程序进行访问。
控制器400能够用于实现前述图1或图2的实施例中由控制器执行的方法,为避免重复,这里不再赘述。
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间
的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。
以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以权利要求的保护范围为准。
Claims (10)
- 一种控制应用程序权限的方法,其特征在于,包括:控制器接收应用程序的访问请求;所述控制器判断所述访问请求是否属于与所述应用程序对应的权限清单,其中所述权限清单是指对资源的操作的权限;如果所述访问请求属于所述权限清单,所述控制器允许所述应用程序进行访问。
- 根据权利要求1所述的方法,其特征在于,在所述控制器接收应用程序的访问请求之前,还包括:所述控制器接收所述应用程序发送的权限请求;所述控制器根据所述权限请求,生成与所述应用程序对应的所述权限清单。
- 根据权利要求2所述的方法,其特征在于,所述根据所述权限请求,生成与所述应用程序对应的所述权限清单,包括:根据所述权限请求,采用权限过滤器,生成所述权限清单;其中,所述权限过滤器包括至少一个原子过滤器,所述至少一个原子过滤器中的一个原子过滤器用于表示对所述控制器的应用程序接口API调用的一个属性维度的过滤表达式。
- 根据权利要求2或3所述的方法,其特征在于,所述根据所述权限请求,生成与所述应用程序对应的所述权限清单,包括:根据安全约束判断所述权限请求是否合法,其中,所述安全约束用于表示所述控制器所开放的权限的范围;当确定所述权限请求合法时,生成所述权限清单。
- 根据权利要求1至4任一项所述的方法,其特征在于,所述判断所述访问请求是否属于与所述应用程序对应的权限清单,包括:将所述访问请求转化为析取范式,并将所述权限清单转化为合取范式;判断所述析取范式是否属于所述合取范式;所述如果所述访问请求属于所述权限清单,所述控制器允许所述应用程序进行访问,包括:如果所述析取范式属于所述合取范式,所述控制器允许所述应用程序进 行访问。
- 一种控制器,其特征在于,包括:接收单元,用于接收应用程序的访问请求;判断单元,用于判断所述接收单元接收的所述访问请求是否属于与所述应用程序对应的权限清单,其中所述权限清单是指对资源的操作的权限;执行单元,用于在所述判断单元确定所述访问请求属于所述权限清单时,允许所述应用程序进行访问。
- 根据权利要求6所述的控制器,其特征在于,所述接收单元,还用于接收所述应用程序发送的权限请求;所述执行单元,还用于根据所述权限请求,生成与所述应用程序对应的所述权限清单。
- 根据权利要求7所述的控制器,其特征在于,所述执行单元,具体用于:根据所述权限请求,采用权限过滤器,生成所述权限清单;其中,所述权限过滤器包括至少一个原子过滤器,所述至少一个原子过滤器中的一个原子过滤器用于表示对所述控制器的应用程序接口API调用的一个属性维度的过滤表达式。
- 根据权利要求7或8所述的控制器,其特征在于,所述执行单元,具体用于:根据安全约束判断所述权限请求是否合法,其中,所述安全约束用于表示所述控制器所开放的权限的范围;当确定所述权限请求合法时,生成所述权限清单。
- 根据权利要求6至9任一项所述的控制器,其特征在于,所述判断单元,具体用于:将所述访问请求转化为析取范式,并将所述权限清单转化为合取范式;判断所述析取范式是否属于所述合取范式;所述执行单元,具体用于:在所述判断单元确定所述析取范式属于所述合取范式时,允许所述应用程序进行访问。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP15881716.3A EP3236382A4 (en) | 2015-02-09 | 2015-07-08 | Method and controller for controlling application permissions |
US15/667,635 US10785226B2 (en) | 2015-02-09 | 2017-08-03 | Method for controlling permission of application program and controller |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510064799 | 2015-02-09 | ||
CN201510064799.5 | 2015-02-09 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/667,635 Continuation US10785226B2 (en) | 2015-02-09 | 2017-08-03 | Method for controlling permission of application program and controller |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016127555A1 true WO2016127555A1 (zh) | 2016-08-18 |
Family
ID=56614186
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/083522 WO2016127555A1 (zh) | 2015-02-09 | 2015-07-08 | 控制应用程序权限的方法及控制器 |
Country Status (4)
Country | Link |
---|---|
US (1) | US10785226B2 (zh) |
EP (1) | EP3236382A4 (zh) |
CN (1) | CN105871811B (zh) |
WO (1) | WO2016127555A1 (zh) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018171092A1 (zh) * | 2017-03-21 | 2018-09-27 | 华为技术有限公司 | 权限更新方法和终端设备 |
CN111740770B (zh) * | 2019-03-25 | 2022-12-02 | 北京京东乾石科技有限公司 | 一种通讯方法及系统 |
US11113096B2 (en) | 2019-05-13 | 2021-09-07 | Hewlett Packard Enterprise Development Lp | Permissions for a cloud environment application programming interface |
CN110443876A (zh) * | 2019-07-31 | 2019-11-12 | 新华三大数据技术有限公司 | 3d图像渲染方法及装置 |
WO2021185245A1 (en) * | 2020-03-17 | 2021-09-23 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Access-control method and electronic device |
CN113271344A (zh) * | 2021-04-30 | 2021-08-17 | 中国人民解放军战略支援部队信息工程大学 | 一种基于访问控制的sdn应用程序安全管理方法及架构 |
CN113268300B (zh) * | 2021-05-25 | 2023-04-18 | 维沃移动通信(杭州)有限公司 | 信息显示方法及装置 |
US20230015697A1 (en) * | 2021-07-13 | 2023-01-19 | Citrix Systems, Inc. | Application programming interface (api) authorization |
CN113688419B (zh) * | 2021-07-22 | 2023-05-19 | 成都鲁易科技有限公司 | 数据保护方法及装置、存储介质、计算机设备 |
CN113761486B (zh) * | 2021-09-10 | 2023-09-05 | 上海熙菱信息技术有限公司 | 一种基于语法糖解析的一键式代码混淆方法 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103095701A (zh) * | 2013-01-11 | 2013-05-08 | 中兴通讯股份有限公司 | 开放流表安全增强方法及装置 |
CN104113839A (zh) * | 2014-07-14 | 2014-10-22 | 蓝盾信息安全技术有限公司 | 基于sdn的移动数据安全保护系统及方法 |
US20140359697A1 (en) * | 2013-06-04 | 2014-12-04 | Hangzhou H3C Technologies Co., Ltd. | Active Security Defense for Software Defined Network |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6779112B1 (en) * | 1999-11-05 | 2004-08-17 | Microsoft Corporation | Integrated circuit devices with steganographic authentication, and steganographic authentication methods |
US7818780B1 (en) * | 2004-04-01 | 2010-10-19 | Cisco Technology, Inc. | Method and compiler for routing policy |
US9455955B2 (en) * | 2006-05-17 | 2016-09-27 | Richard Fetik | Customizable storage controller with integrated F+ storage firewall protection |
CN1949774B (zh) * | 2006-11-02 | 2010-04-07 | 华为技术有限公司 | 一种Web应用程序会话管理方法与装置 |
US20090006618A1 (en) * | 2007-06-28 | 2009-01-01 | Richard Hayton | Methods and systems for access routing and resource mapping using filters |
US8677453B2 (en) * | 2008-05-19 | 2014-03-18 | Cisco Technology, Inc. | Highly parallel evaluation of XACML policies |
US8555378B2 (en) * | 2009-03-11 | 2013-10-08 | Sas Institute Inc. | Authorization caching in a multithreaded object server |
US8250628B2 (en) | 2009-08-28 | 2012-08-21 | International Business Machines Corporation | Dynamic augmentation, reduction, and/or replacement of security information by evaluating logical expressions |
US9705918B2 (en) * | 2012-05-22 | 2017-07-11 | Sri International | Security mediation for dynamically programmable network |
US9197548B2 (en) * | 2012-08-15 | 2015-11-24 | Dell Products L.P. | Network switching system using software defined networking applications |
WO2014143025A1 (en) * | 2013-03-15 | 2014-09-18 | Hewlett-Packard Development Company, L.P. | Secure path determination between devices |
US9471798B2 (en) * | 2013-09-20 | 2016-10-18 | Oracle International Corporation | Authorization policy objects sharable across applications, persistence model, and application-level decision-combining algorithm |
CN103685580B (zh) | 2013-12-18 | 2016-09-07 | 武汉邮电科学研究院 | 基于软件定义网络的北向接口接入系统及方法 |
US20150180872A1 (en) * | 2013-12-20 | 2015-06-25 | Cube, Co. | System and method for hierarchical resource permissions and role management in a multitenant environment |
-
2015
- 2015-07-08 WO PCT/CN2015/083522 patent/WO2016127555A1/zh active Application Filing
- 2015-07-08 EP EP15881716.3A patent/EP3236382A4/en active Pending
-
2016
- 2016-02-03 CN CN201610077940.XA patent/CN105871811B/zh active Active
-
2017
- 2017-08-03 US US15/667,635 patent/US10785226B2/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103095701A (zh) * | 2013-01-11 | 2013-05-08 | 中兴通讯股份有限公司 | 开放流表安全增强方法及装置 |
US20140359697A1 (en) * | 2013-06-04 | 2014-12-04 | Hangzhou H3C Technologies Co., Ltd. | Active Security Defense for Software Defined Network |
CN104113839A (zh) * | 2014-07-14 | 2014-10-22 | 蓝盾信息安全技术有限公司 | 基于sdn的移动数据安全保护系统及方法 |
Non-Patent Citations (1)
Title |
---|
See also references of EP3236382A4 * |
Also Published As
Publication number | Publication date |
---|---|
EP3236382A4 (en) | 2017-12-13 |
EP3236382A1 (en) | 2017-10-25 |
CN105871811A (zh) | 2016-08-17 |
US10785226B2 (en) | 2020-09-22 |
CN105871811B (zh) | 2019-04-26 |
US20170359350A1 (en) | 2017-12-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2016127555A1 (zh) | 控制应用程序权限的方法及控制器 | |
US9553845B1 (en) | Methods for validating and testing firewalls and devices thereof | |
EP2991304B1 (en) | Conflict detection and solving method and device | |
US9071604B2 (en) | Methods, systems, and computer program products for invoking trust-controlled services via application programming interfaces (APIs) respectively associated therewith | |
US8040895B2 (en) | Method and system for removing dead access control entries (ACEs) | |
CN113169975A (zh) | 用于网络微分段和纳分段的安全规则的自动生成 | |
WO2015120783A9 (en) | System and method for securing source routing using public key based digital signature | |
EP3494682A1 (en) | Security-on-demand architecture | |
US10193890B2 (en) | Communication apparatus to manage whitelist information | |
US9462001B2 (en) | Computer network access control | |
US11025639B2 (en) | Security access for a switch device | |
Seeber et al. | Improving network security through SDN in cloud scenarios | |
US10320839B2 (en) | Automatic anti-spoof for multicast routing | |
Lai et al. | Design and implementation of cloud security defense system with software defined networking technologies | |
WO2016185513A1 (ja) | パケットフィルタ装置、及びパケットフィルタ方法 | |
US9455957B2 (en) | Map sharing for a switch device | |
Balagopal et al. | NetWatch: Empowering software-defined network switches for packet filtering | |
US20170331838A1 (en) | Methods and computing devices to regulate packets in a software defined network | |
Chalyy et al. | A simple Information Flow Security Model for Software-Define Networks | |
Andreev et al. | Generalized net model of implementation of port knocking on RouterOS | |
CN114422214B (zh) | 一种访问信息处理方法、装置、设备及计算机存储介质 | |
US20240348652A1 (en) | Sd-wan iot security posture management | |
WO2021098380A1 (zh) | 处理报文的方法、装置及系统 | |
US20240146694A1 (en) | Automatic firewall configuration for control systems in critical infrastructure | |
Tupakula et al. | Software Enabled Security Architecture for Counteracting Attacks in Control Systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15881716 Country of ref document: EP Kind code of ref document: A1 |
|
REEP | Request for entry into the european phase |
Ref document number: 2015881716 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |