WO2017143897A1 - Method, device and system for managing attacks - Google Patents

Method, device and system for managing attacks

Info

Publication number
WO2017143897A1
Authority
WO
WIPO (PCT)
Prior art keywords
flow
attack
policy
description information
data
Prior art date
Application number
PCT/CN2017/072087
Other languages
English (en)
Chinese (zh)
Inventor
张晋
吴凤伟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2017143897A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Definitions

  • the embodiments of the present invention relate to the field of communications technologies, and in particular, to an attack processing method, device, and system.
  • the firewall acts as a security gateway between the internal network and the external Internet, and plays a role of preventing the network elements in the internal network from being illegally attacked by external users.
  • the firewall allows the security data flow specified in the security policy to pass through the security gateway according to the security policy configured by the administrator, and prohibits the attack data flow specified in the security policy from passing through the security gateway.
  • the embodiment of the invention provides an attack processing method, device and system, which can solve the problem that the network is vulnerable to security attacks or normal data streams are blocked because the existing attack processing mechanism is prone to misoperation.
  • the first aspect provides an attack processing method, including: the service network element receives a data flow and, if the data flow is determined to be an attack flow, sends the attack information corresponding to the attack flow to the policy control device, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs; the policy control device determines the corresponding flow control policy according to the attack type and sends the flow description information of the attack flow and the flow control policy to the SDN controller; and the SDN controller processes, according to the flow control policy, the data flows that match the flow description information of the attack flow.
  • the second aspect provides a policy control device, including: a receiving unit, configured to receive attack information corresponding to an attack flow sent by a service network element, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs; a determining unit, configured to determine a flow control policy corresponding to the attack type received by the receiving unit, where the flow control policy includes a flow processing policy and an execution policy; and a sending unit, configured to send the flow description information of the attack flow received by the receiving unit and the flow control policy determined by the determining unit to the software-defined network (SDN) controller, so that the SDN controller processes, according to the flow control policy, the data flows that match the flow description information of the attack flow.
  • the third aspect provides a software-defined network (SDN) controller, including: a receiving unit, configured to receive the flow description information of an attack flow and a flow control policy sent by a policy control device, where the flow control policy includes a flow processing policy and an execution policy; and a processing unit, configured to process, according to the flow control policy received by the receiving unit, the data flows that match the flow description information of the attack flow received by the receiving unit.
  • the fourth aspect provides a service network element, including: a receiving unit, configured to receive a data flow; a determining unit, configured to determine whether the data flow received by the receiving unit is an attack flow; and a sending unit, configured to send, when the determining unit determines that the data flow is an attack flow, the attack information corresponding to the attack flow to the policy control device, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs.
  • the service network element can automatically identify attack flows in the network and report the flow description information and attack type of each identified attack flow to the policy control device; the policy control device automatically generates a flow control policy corresponding to the attack type and sends the flow description information of the attack flow and the flow control policy to the SDN controller; and the SDN controller processes, according to the flow control policy, the data flows that match the flow description information of the attack flow, so that the attack flow can be blocked on the IP-layer forwarding plane. This protects the back-end network and the back-end network elements behind the SDN controller and avoids the security problems caused by manually pre-setting security policies.
  • the attack flow includes a network layer attack flow or a service layer attack flow.
  • the flow description information of the attack flow includes at least the source Internet Protocol (IP) address of the attack flow, and may further include at least one of the following: the destination IP address, source port, destination port, and transport-layer protocol number of the attack flow.
  • the service network element determining that the data flow is a service layer attack flow includes: determining, by parsing the signaling messages and media information in the data flow, that the data flow affects the security of a protected object at the service level, and then determining that the data flow is a service layer attack flow, where the service layer includes a control plane, a user plane, and a management plane.
  • the determining unit is specifically configured to: determine, by parsing the signaling messages and media information in the data flow, that the data flow affects the security of a protected object at the service level, and then determine that the data flow is a service layer attack flow, where the service layer includes a control plane, a user plane, and a management plane.
  • because the service network element can touch the signaling layer and the media data layer, it can analyze the signaling messages and media information in a data flow to determine whether the security of a protected object at the service level is threatened, and, when it is threatened, determine that the received data flow is an attack flow.
  • the flow processing policy includes deleting the flow table entries corresponding to the data flows that match the flow description information of the attack flow, redirecting the data flows that match the flow description information of the attack flow, or limiting the traffic of the data flows that match the flow description information of the attack flow; the execution policy includes executing the flow processing policy immediately, periodically, or within a specific time period.
  • processing the data flow that conforms to the flow description information of the attack flow includes: processing, according to the flow control policy, the data flow whose source IP address is the source IP address in the flow description information of the attack flow.
  • the processing unit is specifically configured to: process, according to the flow control policy, a data flow whose source IP address is a source IP address in the flow description information of the attack flow.
  • a further aspect provides a system comprising any one of the SDN controllers of the third aspect through the fourth possible implementation of the third aspect, any one of the policy control devices of the second aspect through the third possible implementation of the second aspect, and any one of the service network elements of the fourth aspect through the third possible implementation of the fourth aspect.
  • PCEF Policy and Charging Enforcement Function
  • PCRF Policy and Charging Rules Function
  • LTE Long Term Evolution
  • UMTS Universal Mobile Telecommunications System
  • EPC Evolved Packet Core, the 4G core network
  • Gx interface an interface defined in the 3GPP standard, an interface between a PCEF and a PCRF in an LTE/EPC network, used for charging control and policy control.
  • SDN Software Defined Network
  • IP Internet Protocol (network protocol)
  • Five-tuple source IP address, source port number, transport layer protocol number, destination IP address, and destination port number.
  • service network element a network element in the communication network that mainly processes services (such as voice services and media services); it may be, for example, a Home Location Register (HLR) in the core network, a Subscription Profile Repository (SPR), or an Application Server (AS).
  • HLR Home Location Register
  • SPR Subscription Profile Repository
  • AS Application Server
  • Network layer attack an external malicious IP-level attack, including the Layer 2 Address Resolution Protocol (ARP) attack, the Internet Control Message Protocol (ICMP) attack, the IP attack, the Transmission Control Protocol (TCP) attack, the User Datagram Protocol (UDP) attack, and the Internet Group Management Protocol (IGMP) attack.
  • ARP Layer 2 attack address resolution protocol
  • ICMP Internet Control Message Protocol
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • IGMP Internet Group Management Protocol
  • Service layer attack refers to attack behavior at the service layer against the objects that the system wants to protect, including control plane attacks, user plane attacks, and management plane attacks.
  • the control plane attacks may include attacks that consume important resources, signaling storms, Denial of Service (DoS)/Distributed Denial of Service (DDoS) flood attacks, abnormal registration behavior, malformed messages, illegal media address attacks, and information disclosure.
  • RTP Real-time Transport Protocol
  • MSRP Message Session Relay Protocol
  • the user plane attacks may include Real-time Transport Protocol (RTP) session injection, bandwidth theft, RTP malformed packet attacks, Message Session Relay Protocol (MSRP) packet attacks, firewall traversal attacks, media codec conversion consumption, pirate calls, and call eavesdropping.
  • the management plane attacks may include attack types such as user account security threats, signaling transmission security threats, access control security threats, Web (Internet) security threats, syslog management threats, illicit operation threats, data storage loss, and business disruption threats.
  • FIG. 1 is a schematic diagram of a basic network architecture provided in the prior art
  • FIG. 2 is a schematic diagram of another basic network architecture provided in the prior art
  • FIG. 3 is a schematic diagram of a basic network architecture according to an embodiment of the present disclosure.
  • FIG. 4 is a flowchart of an attack processing method according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a policy control device according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of an SDN controller according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a service network element according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of another policy control device according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of another SDN controller according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of another service network element according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • the basic architecture of a communication network is shown in FIG. 2.
  • between access network 1 and access network 2, data packets are routed and forwarded according to their IP addresses; the network between the two access networks may be referred to as the IP bearer network.
  • IP bearer network the network between two access networks, which is in practice equivalent to the public network in the network system.
  • the Gx interface between the PCRF and PCEFs such as the Packet Data Network Gateway (PGW) and the Broadband Remote Access Server (BRAS) has already been implemented, so that resource control and security policy control are performed in the access network during access procedures such as wireless access and fixed access.
  • PGW Packet Data Network Gateway
  • BRAS Broadband Remote Access Server
  • the following embodiment of the present invention adds an interface between the PCRF and the SDN controller in the IP bearer network, based on the existing network architecture shown in FIG. 2, to provide resource control and security policy control for the IP bearer network. This adds resource control and security policy control of the IP bearer network on top of the existing access network resource control and security policy control, and achieves true end-to-end network resource control and security policy control.
  • the PCRF is thereby upgraded to a centralized, end-to-end resource and policy control center (PC), referred to here as the policy control device.
  • PC resource and policy control center
  • when a data stream is sent from the access network at the source end into the IP bearer network, the data stream is processed by the QoS controller in the policy control device and the IP bearer network, routed and forwarded according to its IP address to the access network at the destination end, and then delivered to the destination end.
  • in the following embodiment of the present invention, the service network element automatically identifies attack flows in the network and reports the flow description information and attack type of each identified attack flow to the policy control device; the policy control device automatically generates the flow control policy corresponding to the attack type and sends the flow description information and the flow control policy to the SDN controller; and the SDN controller processes, according to the flow control policy, the data flows that match the flow description information of the attack flow, so that the attack flow can be blocked on the IP-layer forwarding plane.
  • an embodiment of the present invention provides an attack processing method, which may include the following steps:
  • the service network element receives the data stream.
  • the service network element receives the data stream from the network.
  • the source end of the data stream may be any other network element in the network.
  • the source end may also be a user equipment (UE).
  • the data stream may be transmitted in the form of a data packet in the network.
  • the network element with data forwarding function in the network forwards the data packet by parsing the IP address and other information in the packet header to finally send the data stream to the destination end.
  • if the service network element determines that the data flow is an attack flow, it sends the attack information corresponding to the attack flow to the policy control device, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs.
  • after receiving the data stream, the service network element can determine whether the received data stream is an attack flow and handle it accordingly. If the data stream is determined to be an attack flow, the service network element may send the attack information corresponding to the attack flow to the policy control device, so that the policy control device determines the corresponding flow processing policy and execution policy according to the attack information and performs attack processing. If the received data stream is not an attack flow, the service network element performs normal service processing.
  • because the firewall in the prior art is responsible for identifying whether the data flows of all network elements in the protected internal network are attack flows, and for filtering and forwarding those data flows, the performance requirements on the firewall device are high; as a result, deployment costs are high and performance bottlenecks can occur.
  • the attack flow identification is distributed on each service network element in the network, so that there is no problem of performance bottleneck.
  • the attack flow that the service network element can identify may include a network layer attack flow or a service layer attack flow.
  • the attack flow that the service network element can identify may also include other types, which are not specifically limited herein.
  • the network layer attack flow is usually related to the protocols used in network transmission and usually follows a fixed attack pattern, such as an ARP attack, an ICMP attack, an IP attack, a TCP attack, or a UDP attack, and is therefore easy to recognize.
  • the firewall in the prior art can identify the network layer attack flow and perform attack processing in time to protect the security of the internal network and the network elements in the network.
  • the service network element can identify not only network layer attack flows but also service layer attack flows, by parsing the signaling messages and media information in the data flow. Once an attack flow is identified, its flow description information and attack type are reported to the policy control device, so that the policy control device generates a flow control policy corresponding to the attack flow according to the attack type.
  • the service network element can also customize the attack feature for certain specific services, so as to quickly identify the attack flow according to the corresponding service.
  • the service network element determining that the data flow is a service layer attack flow may include:
  • the service network element determines that the data flow affects the security of the protected object at the service level by analyzing the signaling message and the media information in the data flow, determining that the data flow is a service layer attack flow.
  • the protected object at the service level can refer to the protected resources in the service layer. By ensuring the security of the protected object, all services in the network can be guaranteed to operate normally.
  • the business level can include the control plane, user plane, and management plane.
  • the objects to be protected on the control plane may include system key resources, normal service flows, service logic, user accounts, network topology information, and signaling content.
  • the objects to be protected on the user plane may include normal services, bandwidth resources, quality of service, and so on.
  • objects that need to be protected by the management plane may include user account information, user sensitive information, gateway data, logs, transmission pipelines, and authentication information.
  • the service network element can determine whether a protected object at the service level is threatened by analyzing the signaling messages and media information in the data flow, that is, whether the data flow affects the security of any protected object at the service level; when the security of any protected object is affected, the received data stream can be determined to be an attack flow. Illustratively, when the service network element parses the signaling messages and media information in the data stream and finds that a Session Initiation Protocol (SIP) packet in the data stream is malformed, for example a timed-out SIP fragment message, processing such packets may cause the service network element to keep processing the data until it crashes, which threatens protected objects such as key resources and normal service flows; the received data stream can therefore be determined to be a service layer attack flow.
  • SIP Session Initiation Protocol
  • when the service network element finds that the number of initialization messages received within a unit time period (for example, 1 s) exceeds a preset threshold (for example, 50), it can consider the number of initialization messages received in that period to be too large, which may threaten protected normal services, bandwidth resources, and so on, and therefore determine that the data stream containing the initialization messages exceeding the preset threshold is a service layer attack flow.
  • the service network element may also determine the attack information corresponding to the attack flow, and report the attack information to the policy control device.
  • the attack information may include flow description information of the attack flow and an attack type to which the attack flow belongs.
  • the attack information reported by the service network element to the policy control device may also include other content, which is not specifically limited herein.
  • the flow description information of the attack flow may include at least the source Internet Protocol (IP) address of the attack flow, and may also include at least one of the following: the destination IP address, source port, destination port, and transport-layer protocol number of the attack flow.
  • attack flows can be divided into multiple attack types: when the attack behavior of an attack flow is a malicious attack against IP, the attack flow belongs to the network layer attacks; when the attack behavior of an attack flow is directed at a protected object at the service level, the attack flow belongs to the service layer attacks. Network layer attacks and service layer attacks can each include multiple attack types; for details, refer to the detailed descriptions of network layer attacks and service layer attacks above.
  • the service network element can determine the specific attack type to which the attack flow belongs according to the specific attack characteristics of the attack behavior of the attack flow.
  • for example, if the attack flow consists of a large number of signaling messages whose requests exceed the processing capability of the signaling resources at the service layer of the service network element, the service network element may fail, and the attack flow can therefore be determined to belong to the signaling storm attack type among the service layer attacks.
  • for another example, a timed-out SIP fragment packet may cause the service network element to generate an error when processing it, keep processing the data, and finally crash, so that protected objects such as key resources and normal service flows at the service level are threatened; the timed-out SIP fragment packet is therefore a malformed message, and the data flow containing it belongs to the malformed packet attack type among the control plane attacks.
  • in the embodiment of the present invention, attack flows are automatically identified by each service network element in the network and reported to the policy control device, so that the policy control device can automatically generate, based on the information about the attack flow reported by the service network element, the flow control policy corresponding to the attack flow and its attack type; this flow control policy is the security policy. It can therefore be more accurate than a manually pre-configured security policy and does not cause misoperation due to pre-configuration errors, as the firewall attack processing mechanism does, thereby accurately blocking the attack flow while ensuring that normal data flows pass safely.
  • the method provided by the embodiment of the present invention does not require manual configuration and maintenance, the processing procedure is simple and reliable, and the usability is strong.
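The detection and reporting step above can be made concrete with the signaling-storm rule the text gives (more than 50 initialization messages from one source within a 1 s period). The following Python is an added example, not code from the patent or from 华为技术有限公司: a hypothetical service network element keeps a per-source sliding window of SIP INVITE timestamps, and when the window exceeds the threshold it produces the attack information (five-tuple flow description plus attack type) that would be reported to the policy control device. The packet dictionaries, IP addresses and the `make_invites` helper are constructed sample input.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

# Threshold values taken from the text's example: more than 50 initialisation
# messages (here SIP INVITEs) within a 1 s unit period marks a signalling storm.
WINDOW_SECONDS = 1.0
INIT_MESSAGE_THRESHOLD = 50


@dataclass(frozen=True)
class FlowDescription:
    """Flow description information: the source IP is mandatory, the rest optional."""
    src_ip: str
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: Optional[int] = None  # transport-layer protocol number, e.g. 17 for UDP


@dataclass(frozen=True)
class AttackInfo:
    """Attack information reported to the policy control device."""
    flow: FlowDescription
    attack_type: str


class ServiceNetworkElement:
    """Hypothetical service network element that detects signalling storms."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = INIT_MESSAGE_THRESHOLD):
        self.window = window
        self.threshold = threshold
        # per-source timestamps of initialisation messages still inside the window
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)

    def receive(self, packet: dict) -> Optional[AttackInfo]:
        """Process one packet; return AttackInfo once its stream counts as an attack flow."""
        if packet["sip_method"] != "INVITE":
            return None  # only initialisation messages count towards the threshold
        timestamps = self._recent[packet["src_ip"]]
        timestamps.append(packet["ts"])
        # drop timestamps that have fallen out of the unit time period
        while timestamps and packet["ts"] - timestamps[0] > self.window:
            timestamps.popleft()
        if len(timestamps) > self.threshold:
            flow = FlowDescription(packet["src_ip"], packet["dst_ip"], packet["src_port"],
                                   packet["dst_port"], packet["protocol"])
            return AttackInfo(flow, "signaling_storm")
        return None


def make_invites(src_ip: str, count: int, spacing: float, start: float = 0.0) -> List[dict]:
    """Constructed sample input: `count` SIP INVITEs from src_ip, `spacing` seconds apart."""
    return [
        {"ts": start + i * spacing, "src_ip": src_ip, "dst_ip": "198.51.100.10",
         "src_port": 5060, "dst_port": 5060, "protocol": 17, "sip_method": "INVITE"}
        for i in range(count)
    ]


def detect(packets: List[dict]) -> List[AttackInfo]:
    """Run a fresh service network element over a packet list and collect unique reports."""
    ne = ServiceNetworkElement()
    reports: List[AttackInfo] = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        info = ne.receive(pkt)
        if info is not None and info not in reports:
            reports.append(info)
    return reports


if __name__ == "__main__":
    storm = make_invites("192.0.2.1", 60, 0.01)   # 60 INVITEs within 0.6 s: attack flow
    normal = make_invites("192.0.2.2", 60, 0.1)   # 60 INVITEs spread over 6 s: normal
    for info in detect(storm + normal):
        print(info.attack_type, info.flow)
```

Only the storm source is reported: the sliding window never holds more than 11 INVITEs for the source sending one every 100 ms, while the source sending one every 10 ms crosses the threshold on its 51st message. Exactly 50 messages in the window do not exceed the threshold, matching the "exceeds" wording in the text.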
  • the policy control device receives attack information corresponding to the attack flow sent by the service network element.
  • the policy control device receives the attack information of the attack flow reported by the service network element, and the attack information may include the flow description information of the attack flow and the attack type to which the attack flow belongs. For the description of the flow description information and the attack type, refer to step 102 above.
  • the policy control device determines a flow control policy corresponding to the attack type, where the flow control policy includes a flow processing policy and an execution policy.
  • the policy control device can determine the corresponding flow control policy according to the attack type to which each attack flow belongs; that is, the policy control device automatically generates a corresponding security policy according to the attack type.
  • the flow control policy may include a flow processing policy and an execution policy, and may further include other processing policies, which are not specifically limited herein.
  • the policy control device may store a preset mapping between attack types and flow processing policies and execution policies, and, after determining the attack type to which the attack flow identified by the service network element belongs, generate the flow processing policy and execution policy corresponding to that attack type for the attack flow.
  • the flow control policy automatically generated by the policy control device according to the attack type of the attack flow is a security policy specific to that attack type, so attack flows of different attack types can be handled better by dedicated security policies.
  • the existing firewall attack processing mechanism does not configure specific security policies for different attack types; instead, a common security policy is pre-configured for all attack types, so the anti-attack effect is poor.
  • the flow processing policy is used to process the attack flow.
  • the flow processing policy may include deleting the flow table entries corresponding to the data flows that match the flow description information of the attack flow, redirecting the data flows that match the flow description information of the attack flow, or limiting the traffic of the data flows that match the flow description information of the attack flow. For example, for the malicious packet attack type, the flow table entries corresponding to the data flows that match the flow description information of the attack flow may be deleted by adding the flow to a blacklist; for the malformed packet attack type, the matching flow table entries may likewise be deleted so that subsequent messages are refused; for the signaling storm attack type, flow control may be used to limit the traffic of the data flows that match the flow description information of the attack flow; and for the bandwidth theft attack type, the traffic of the data flows that match the flow description information of the attack flow may likewise be limited.
  • the execution policy is used to describe how the flow processing policy is executed.
  • the execution policy may include executing the flow processing policy immediately, periodically, or within a specific time period.
  • the specific flow processing policy and execution policy may be customized on the policy control device side according to the individual requirements of a single user and the particular features of a single service, providing personalized processing that meets the customized service experience of a single user and a single service.
  • the firewall attack processing mechanism in the prior art uses a general security policy to process attack flows and cannot be personalized for a specific user or a specific service.
  • the policy control device sends the flow description information of the attack flow and the flow control policy to the software-defined network (SDN) controller, so that the SDN controller processes, according to the flow control policy, the data flows that match the flow description information of the attack flow.
  • the policy control device can send the flow description information of the attack flow and the flow control policy to the SDN controller through the interface between the policy control device and the SDN controller in the architecture shown in FIG. 3, so that the SDN controller can promptly process, according to the flow control policy, the data flows that match the flow description information of the attack flow.
  • the SDN controller receives the flow description information and the flow control policy of the attack flow sent by the policy control device, where the flow control policy includes a flow processing policy and an execution policy.
  • the SDN controller receives them through its interface with the policy control device.
  • for the flow description information, refer to the description of step 102 above.
  • for the flow control policy, the flow processing policy, and the execution policy, refer to the description of step 104 above.
  • the SDN controller processes the data flow matching the flow description information of the attack flow according to the flow control policy.
  • in this way the back-end network and the back-end network elements behind the SDN controller receive only normal communication data flows.
  • where the flow description information of the attack flow includes at least the source network protocol (IP) address of the attack flow, step 107 may specifically include:
  • the SDN controller processes, according to the flow control policy, the data flows whose source IP address is the source IP address in the flow description information of the attack flow.
  • since an attack flow is usually a sustained, aggressive data flow, the data flows subsequently sent from that IP address are also likely to be attack flows; the SDN controller can therefore apply the received flow control policy to the data flows sent from that IP address in time, so that the back-end network and the back-end network elements behind the SDN controller are not attacked further.
  • the network elements behind the SDN controller may include the service network element and may also include other network elements.
  • for example, where the flow control policy includes a flow processing policy and an execution policy, the source IP address of the attack flow included in the flow description information is IP address 1, and the attack type of the attack flow is a SIP malformed packet attack, the packets that IP address 1 subsequently sends to any service network element in the network may also be SIP malformed packets and may attack the destination network element. The SDN controller may therefore immediately (execution policy) delete the flow table entry (flow processing policy) so as to refuse the packets sent by IP address 1; the attack packets sent by IP address 1 can then reach neither the SDN controller nor the service network elements behind it, and the back-end network and back-end network elements are protected from further attack by IP address 1.
  • the flow description information of the attack flow may further include at least one of the following: a source port, a destination port, and a transport layer protocol number of the attack flow.
  • where the flow description information of the attack flow includes a source IP address and a destination IP address of the attack flow, step 107 may specifically include:
  • the SDN controller processes, according to the flow control policy, the data flows whose source IP address is the source IP address in the flow description information of the attack flow and whose destination IP address is the destination IP address in that flow description information.
  • the SDN controller can thus process the data flows sent from the source IP address to the destination IP address in time according to the received flow control policy, blocking the attack flow sent by the source IP address and preventing attacks on the back-end network and back-end network elements behind the SDN controller.
  • where the flow description information of the attack flow includes the five-tuple of the attack flow, step 107 may specifically include:
  • the SDN controller processes, according to the flow control policy, the data flows whose source IP address, source port, destination IP address, destination port, and transport layer protocol number are those given in the flow description information of the attack flow.
  • since an attack flow is usually a sustained, aggressive data flow, the data flow corresponding to that five-tuple in the network is highly likely to be an attack flow; the SDN controller can process the data flow matching the five-tuple in time according to the received flow control policy, so that the attack flow corresponding to the five-tuple cannot continue to attack the back-end network and back-end network elements behind the SDN controller.
  • the SDN controller processes the data flow matching the flow description information of the attack flow according to the flow control policy sent by the policy control device, and can block the attack flow on the IP layer forwarding plane, thereby protecting the back-end network and back-end network elements behind the SDN controller. Specifically, because the SDN controller handles the attack flow on the IP forwarding plane, the attack flow can be dealt with as soon as it enters the IP bearer network from the source end; it therefore does not consume bandwidth in the back-end network or back-end network elements, which reduces the operator's network bandwidth consumption and improves network transmission performance.
  • a firewall, by contrast, can isolate an identified attack flow at the firewall itself, but the flow still consumes physical bandwidth on the IP bearer network and on the network elements in front of the firewall.
  • the method provided by the embodiment of the present invention can improve the attack defense capability of the back-end network and back-end network elements behind the SDN controller, and in particular of the network elements in the core network. Since the core network affects a large part of the network, improving the anti-attack capability of core network elements is of great value.
  • the method provided by the embodiment of the present invention can open an interface between the policy control device and the SDN controller alongside the existing Gx interface, and implement end-to-end policy control of network resources (air interface, IP data flow), including QoS policy control, IP data flow path adjustment policy control, and attack flow processing policy control. Moreover, since the flow control policy is generated automatically during the process, a personalized security policy suited to a specific user can be generated and executed automatically according to the service requirements of a single user and a single service.
  • in the attack processing method provided by the embodiment of the present invention, the service network element automatically identifies the attack flow in the network and reports the flow description information and attack type of the identified attack flow to the policy control device; the policy control device automatically generates the flow control policy corresponding to the attack type and sends the flow description information and the flow control policy of the attack flow to the SDN controller; and the SDN controller processes the data flow matching the flow description information of the attack flow according to the flow control policy. The attack flow can thus be blocked on the IP layer forwarding plane and the back-end network and back-end network elements behind the SDN controller protected, which solves the problem that the existing attack processing mechanism is prone to misoperation, leaving the network vulnerable to security attacks or blocking normal data flows.
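As an added example (not code from the patent or from Huawei), the following Python models the three roles of the procedure above, and equally of the device embodiments that follow (policy control device 500, SDN controller 600, service network element 700): the service network element's report of flow description information plus attack type, the policy control device's mapping from attack type to a flow control policy (flow processing policy plus execution policy), and the SDN controller's application of that policy to packets matching the description, with unset fields of the description acting as wildcards. The attack-type names, the policy table values, the encoding of the time-window execution policy, and all packets are constructed assumptions; the periodic execution policy is left out.

```python
"""Added example (not the patent's or Huawei's code): a model of the three roles in
the attack-handling procedure. Attack-type names, policy-table values, the
time-window encoding and all packets are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class FlowDescription:
    """Flow description information: source IP mandatory, rest optional; None = wildcard."""
    src_ip: str
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None  # transport-layer protocol number: 6 TCP, 17 UDP

    def matches(self, pkt: Dict[str, object]) -> bool:
        for name in ("src_ip", "dst_ip", "src_port", "dst_port", "proto"):
            want = getattr(self, name)
            if want is not None and pkt.get(name) != want:
                return False
        return True

@dataclass(frozen=True)
class FlowControlPolicy:
    processing: str  # flow processing policy: "drop" (delete flow entry) or "rate_limit"
    execution: str   # execution policy: "immediate" or "time_window" (periodic omitted)
    rate_limit_pps: Optional[int] = None
    window: Optional[Tuple[int, int]] = None  # (start, end) in seconds, assumed encoding

# Policy control device table. The rows follow the text (SIP malformed packet -> delete
# flow entry; signaling storm and bandwidth theft -> limit traffic); numbers are assumed.
ATTACK_POLICY_TABLE = {
    "sip_malformed_packet": FlowControlPolicy("drop", "immediate"),
    "signaling_storm": FlowControlPolicy("rate_limit", "immediate", rate_limit_pps=50),
    "bandwidth_theft": FlowControlPolicy("rate_limit", "time_window",
                                         rate_limit_pps=200, window=(0, 3600)),
}

def policy_control_device(attack_info: dict) -> Tuple[FlowDescription, FlowControlPolicy]:
    """Step 104: pick the flow control policy for the reported attack type."""
    attack_type = attack_info["attack_type"]
    if attack_type not in ATTACK_POLICY_TABLE:
        raise ValueError(f"no flow control policy for attack type {attack_type!r}")
    return attack_info["flow"], ATTACK_POLICY_TABLE[attack_type]

class SdnController:
    """Step 107: apply the policy to every packet matching the description."""

    def __init__(self) -> None:
        self.rules: List[Tuple[FlowDescription, FlowControlPolicy]] = []
        self._passed: Dict[Tuple[int, int], int] = {}  # (rule, second) -> packets passed

    @staticmethod
    def _active(policy: FlowControlPolicy, now: float) -> bool:
        # Execution policy: is the flow processing policy in force at 'now'?
        if policy.execution == "immediate":
            return True
        return policy.window[0] <= now < policy.window[1]

    def handle(self, pkt: Dict[str, object], now: float) -> str:
        # Forwarding-plane action for one packet: "forward" or "drop"; first match wins.
        for idx, (flow, policy) in enumerate(self.rules):
            if not flow.matches(pkt) or not self._active(policy, now):
                continue
            if policy.processing == "drop":
                return "drop"
            # rate_limit: a per-second packet budget stands in for a switch meter.
            key = (idx, int(now))
            if self._passed.get(key, 0) >= policy.rate_limit_pps:
                return "drop"
            self._passed[key] = self._passed.get(key, 0) + 1
            return "forward"
        return "forward"

def run_scenario() -> Dict[Tuple[str, int, str], int]:
    """Constructed reports and traffic; returns {(src_ip, src_port, action): count}."""
    sdn = SdnController()
    reports = [{"flow": FlowDescription("10.0.0.5"), "attack_type": "sip_malformed_packet"},
               {"flow": FlowDescription("10.0.0.7", "192.0.2.10", 40000, 5060, 17),
                "attack_type": "signaling_storm"}]
    for report in reports:
        sdn.rules.append(policy_control_device(report))

    def pkt(src_ip, src_port, dst_port=5060, proto=17):
        return {"src_ip": src_ip, "dst_ip": "192.0.2.10",
                "src_port": src_port, "dst_port": dst_port, "proto": proto}

    packets = ([pkt("10.0.0.5", 5060)] * 3          # SIP from the reported host
               + [pkt("10.0.0.5", 44000, 443, 6)]   # unrelated HTTPS from that host
               + [pkt("10.0.0.7", 40000)] * 80      # the reported storm flow
               + [pkt("10.0.0.7", 40001)] * 5       # same host, other source port
               + [pkt("10.0.0.9", 5060)])           # legitimate SIP peer
    counts: Dict[Tuple[str, int, str], int] = {}
    for p in packets:
        key = (p["src_ip"], p["src_port"], sdn.handle(p, now=100.0))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running it shows the trade-off that the granularity of the flow description creates: the source-IP-only description for the malformed SIP report also drops the same host's unrelated HTTPS flow, while the five-tuple description for the signaling storm leaves that host's other SIP flow untouched. A deployment would also expire installed rules, since a permanently installed source-IP drop turns a detector false positive into a self-inflicted denial of service for that user.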
  • the policy control device 500 may include:
  • the receiving unit 501 is configured to receive attack information corresponding to the attack flow sent by the service network element, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs.
  • the determining unit 502 is configured to determine a flow control policy corresponding to the attack type received by the receiving unit 501, where the flow control policy includes a flow processing policy and an execution policy.
  • the sending unit 503 is configured to send the flow description information of the attack flow received by the receiving unit 501 and the flow control policy determined by the determining unit 502 to the software-defined network (SDN) controller, so that the SDN controller processes the data flow matching the flow description information of the attack flow according to the flow control policy.
  • the SDN controller processes the data flow matching the flow description information of the attack flow according to the flow control policy and blocks the attack flow on the IP layer forwarding plane, thereby protecting the back-end network and back-end network elements behind the SDN controller.
  • the flow description information of the attack flow includes at least the source network protocol (IP) address of the attack flow and may also include at least one of: the destination IP address, the source port, the destination port, and the transport layer protocol number of the attack flow.
  • the flow processing policy here may include deleting the flow table entry corresponding to the data flow matching the flow description information of the attack flow, redirecting that data flow, or limiting its traffic.
  • the execution policy may include immediate execution, periodic execution, or execution of the flow processing policy within a specific time period.
  • the policy control device receives the attack information of the attack flow sent by the service network element, determines the corresponding flow control policy according to the attack type in the attack information, and sends the flow control policy and the flow description information in the attack information to the SDN controller, so that the SDN controller can process the data flow matching the flow description information of the attack flow according to the flow control policy. The attack flow can thus be blocked on the IP layer forwarding plane to protect the back-end network and back-end network elements behind the SDN controller, avoiding the security problems caused by manually preset security policies that are prone to misoperation.
  • the SDN controller 600 may include:
  • the receiving unit 601 is configured to receive flow description information and a flow control policy of the attack flow sent by the policy control device, where the flow control policy includes a flow processing policy and an execution policy.
  • the flow control policy received by the receiving unit 601 of the SDN controller 600 is determined by the policy control device according to the attack type of the attack flow reported by the service network element, and the flow description information of the attack flow received by the receiving unit 601 originates from the service network element.
  • the processing unit 602 is configured to process, according to the flow control policy received by the receiving unit 601, a data flow that conforms to the flow description information of the attack flow received by the receiving unit 601.
  • the SDN controller 600 processes the data flow matching the flow description information of the attack flow according to the flow control policy and blocks the attack flow on the IP layer forwarding plane, thereby protecting the back-end network and back-end network elements behind the SDN controller 600.
  • where the flow description information of the attack flow includes at least the source network protocol (IP) address of the attack flow, the processing unit 602 may be specifically configured to process, according to the flow control policy, the data flows whose source IP address is the source IP address in the flow description information of the attack flow.
  • the flow description information of the attack flow herein may further include at least one of the following: a source port, a destination port, and a transport layer protocol number of the attack flow.
  • an SDN controller receives the flow control policy and the flow description information of the attack flow sent by the policy control device and processes the data flow matching the flow description information according to the flow control policy, so that the attack flow is blocked on the IP layer forwarding plane, the back-end network and back-end network elements behind the SDN controller are protected, and the security problems caused by manual security policy operation are avoided.
  • the service network element 700 may include:
  • the receiving unit 701 can be configured to receive a data stream.
  • the determining unit 702 can be configured to determine whether the data stream received by the receiving unit 701 is an attack stream.
  • the attack flow may include a network layer attack flow or a service layer attack flow.
  • the sending unit 703 may be configured to: when the determining unit 702 determines that the data stream is an attack flow, send the attack information corresponding to the attack flow to the policy control device, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs.
  • the service network element 700 sends, via the sending unit 703, the attack information corresponding to the determined attack flow to the policy control device, so that the policy control device determines the corresponding flow control policy according to the attack type in the attack information and sends the flow control policy and the flow description information in the attack information to the SDN controller; the SDN controller can then process the data flow matching the flow description information according to the flow control policy, so that the attack flow is blocked on the IP layer forwarding plane and the back-end network and back-end network elements behind the SDN controller are protected.
  • determining, by the determining unit 702, that the data stream is a service layer attack flow may include determining that the data stream is a service layer attack flow when it targets the service plane of the service network element, where the service plane includes a control plane, a user plane, and a management plane.
  • the flow description information of the attack flow at least includes the source network protocol IP address of the attack flow, and may also include at least one of the following: a destination IP address, a source port, a destination port, and a transport layer protocol number.
  • after the service network element determines that a data flow is an attack flow, it sends the attack information corresponding to the attack flow to the policy control device, so that the policy control device can determine the corresponding flow control policy according to the attack type in the attack information and send the flow control policy and the flow description information in the attack information to the SDN controller; the SDN controller can then process the data flow matching the flow description information according to the flow control policy, so that the attack flow is blocked on the IP layer forwarding plane, the back-end network and back-end network elements behind the SDN controller are protected, and the security problems caused by manual security policy operation are avoided.
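The text leaves open how the service network element decides that a data flow is an attack flow and of which type. As an added example that is not the patent's or Huawei's code, the following Python sketches that detector side for the two SIP attack types the text names, producing exactly the attack information (flow description information plus attack type) that the sending unit 703 would forward to the policy control device. The malformation checks, the storm threshold, the choice to report a source-IP-only description for malformed packets and a five-tuple for a storm, and all messages are constructed assumptions; the mandatory-header list follows RFC 3261.

```python
"""Added example (not the patent's or Huawei's code): a toy service network element
that classifies constructed SIP traffic as a SIP malformed packet attack or a
signaling storm and builds the attack information (flow description + attack
type) that the text has it report to the policy control device. The checks,
the storm threshold and every message below are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

REQUEST_LINE = re.compile(r"^(INVITE|ACK|BYE|CANCEL|REGISTER|OPTIONS) sip:\S+ SIP/2\.0$")
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")  # RFC 3261 8.1.1
STORM_THRESHOLD = 5    # more than this many requests per five-tuple within WINDOW_SECONDS
WINDOW_SECONDS = 1.0

def is_malformed_sip(payload: bytes) -> bool:
    """True for a non-ASCII body, a bad request line or a missing mandatory header."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return True
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return True
    names = {line.split(":", 1)[0].strip().lower() for line in lines[1:] if ":" in line}
    return any(h not in names for h in MANDATORY_HEADERS)

class ServiceNetworkElement:
    """Receives packets (step 101), decides whether each is an attack flow (102) and
    emits the attack information to report (103). Each (type, flow) is reported once."""

    def __init__(self) -> None:
        self._seen: Dict[Tuple, List[float]] = {}
        self._reported: set = set()
        self.reports: List[dict] = []

    def receive(self, pkt: dict, now: float) -> Optional[dict]:
        five_tuple = tuple(pkt[k] for k in ("src_ip", "dst_ip", "src_port", "dst_port", "proto"))
        if is_malformed_sip(pkt["payload"]):
            # As in the text's example, a malformed-packet report carries only the
            # source IP, so everything from that host is stopped downstream.
            return self._report("sip_malformed_packet", {"src_ip": pkt["src_ip"]})
        recent = [t for t in self._seen.get(five_tuple, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._seen[five_tuple] = recent
        if len(recent) > STORM_THRESHOLD:
            flow = dict(zip(("src_ip", "dst_ip", "src_port", "dst_port", "proto"), five_tuple))
            return self._report("signaling_storm", flow)
        return None

    def _report(self, attack_type: str, flow: dict) -> Optional[dict]:
        key = (attack_type, tuple(sorted(flow.items())))
        if key in self._reported:
            return None
        self._reported.add(key)
        report = {"attack_type": attack_type, "flow": flow}
        self.reports.append(report)
        return report

# Constructed SIP messages.
GOOD_INVITE = (b"INVITE sip:bob@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.9:5060\r\n"
               b"From: <sip:alice@10.0.0.9>;tag=1\r\nTo: <sip:bob@192.0.2.10>\r\n"
               b"Call-ID: a1@10.0.0.9\r\nCSeq: 1 INVITE\r\nMax-Forwards: 70\r\n"
               b"Content-Length: 0\r\n\r\n")
BAD_REQUEST_LINE = b"INVITE sip:bob@192.0.2.10 SIP/9.9\r\nVia: SIP/2.0/UDP 10.0.0.5:5060\r\n\r\n"
MISSING_HEADERS = b"INVITE sip:bob@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060\r\n\r\n"

def run_detection() -> List[dict]:
    """Constructed traffic through the detector; returns the reports it would send."""
    sne = ServiceNetworkElement()

    def pkt(src_ip, src_port, payload):
        return {"src_ip": src_ip, "dst_ip": "192.0.2.10", "src_port": src_port,
                "dst_port": 5060, "proto": 17, "payload": payload}

    traffic = ([pkt("10.0.0.9", 5060, GOOD_INVITE)] * 3              # normal caller
               + [pkt("10.0.0.5", 5060, MISSING_HEADERS),
                  pkt("10.0.0.5", 5060, BAD_REQUEST_LINE)]           # malformed, one host
               + [pkt("10.0.0.7", 40000, GOOD_INVITE)] * 8)          # well-formed flood
    for i, p in enumerate(traffic):
        sne.receive(p, now=100.0 + 0.05 * i)
    return sne.reports
```

The two description granularities deliberately differ: the malformed-packet report names only the source IP, as in the text's IP address 1 example, while the storm report names the full five-tuple so that a downstream rate limit does not touch the host's other sessions. Reporting each (attack type, description) pair once keeps a flood of packets from turning into a flood of reports towards the policy control device.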
  • the policy control device 800 may adopt a general-purpose computer system structure and may include a bus 801, a processor 802, a memory 803, and a communication interface 804; the program code for executing the solution of the present invention is stored in the memory 803 and executed under the control of the processor 802.
  • the bus 801 includes a path for transferring information between various components of the computer;
  • the memory 803 is for holding an operating system and a program for executing the solution of the present invention.
  • the operating system is a program that controls the running of other programs and manages system resources.
  • the communication interface 804 may be configured to receive the attack information corresponding to the attack flow sent by the service network element, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs; the processor 802 may be configured to determine, according to the flow description information and the attack type, the corresponding flow control policy, where the flow control policy includes a flow processing policy and an execution policy; and the communication interface 804 is further configured to send the flow description information and the flow control policy of the attack flow to the software-defined network (SDN) controller, so that the SDN controller processes the data flow matching the flow description information of the attack flow according to the flow control policy.
  • the policy control device receives the attack information of the attack flow sent by the service network element, determines the corresponding flow control policy according to the attack type in the attack information, and sends the flow control policy and the flow description information in the attack information to the SDN controller, so that the SDN controller can process the data flow matching the flow description information of the attack flow according to the flow control policy. The attack flow can thus be blocked on the IP layer forwarding plane to protect the back-end network and back-end network elements behind the SDN controller, avoiding the security problems caused by manually preset security policies that are prone to misoperation.
  • the SDN controller 900 may adopt a general-purpose computer system structure and may include a bus 901, a processor 902, a memory 903, and a communication interface 904; the program code for executing the solution of the present invention is stored in the memory 903 and executed under the control of the processor 902.
  • the bus 901 includes a path for transferring information between various components of the computer;
  • the memory 903 is for storing the operating system and the program for executing the solution of the present invention.
  • the operating system is a program that controls the running of other programs and manages system resources.
  • the communication interface 904 may be configured to receive the flow description information and the flow control policy of the attack flow sent by the policy control device, where the flow control policy includes a flow processing policy and an execution policy; the processor 902 may be configured to process, according to the flow control policy, the data flow matching the flow description information of the attack flow.
  • the service network element 1000 may adopt a general-purpose computer system structure and may include a bus 1001, a processor 1002, a memory 1003, and a communication interface 1004; the program code for executing the solution of the present invention is stored in the memory 1003 and executed under the control of the processor 1002.
  • the bus 1001 includes a path for transferring information between various components of the computer; the memory 1003 is for storing an operating system and a program for executing the solution of the present invention.
  • the operating system is a program that controls the running of other programs and manages system resources.
  • the communication interface 1004 may be configured to receive a data flow; the processor 1002 may be configured to determine whether the data flow is an attack flow; and the communication interface 1004 may be further configured to send, if the data flow is determined to be an attack flow, the attack information corresponding to the attack flow to the policy control device, where the attack information includes the flow description information of the attack flow and the attack type to which the attack flow belongs.
  • a further embodiment of the present invention provides a system 1100, which may include the policy control device shown in FIG. 5 or FIG. 8, the SDN controller shown in FIG. 6 or FIG. 9, and the service network element shown in FIG. 7 or FIG. 10.
  • the processors 802, 902, and 1002 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present invention.
  • the memories 803, 903, and 1003 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or disk storage.
  • the communication interfaces 804, 904, and 1004, which may each include a receiving interface and a transmitting interface, may use any transceiver-type device to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN), or a wireless local area network (WLAN).
  • the disclosed apparatus, methods, and systems may be implemented in other manners.
  • the device embodiments described above are merely illustrative; the division into units is only a logical function division, and another division may be used in practice: for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
  • the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
  • an integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium.
  • the software functional units described above are stored in a storage medium and include instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform some of the steps of the methods described in the embodiments of the present invention.
  • the foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the technical field of communications. According to one embodiment, the invention provides an attack handling method, device, and system. The invention can address the problem that a network is vulnerable to security attacks, or that normal data flows are blocked, because of the high likelihood of misoperation in a current attack handling system. The method comprises: a service network element receives a data flow and, if the data flow is determined to be an attack flow, sends attack information corresponding to the attack flow to a policy control device, the attack information comprising flow description information of the attack flow and an attack type of the attack flow; the policy control device determines, on the basis of the attack type, a flow control policy and sends the flow description information and the flow control policy to an SDN controller; and the SDN controller handles, on the basis of the flow control policy, a data flow matching the flow description information of the attack flow. The embodiment of the invention is used for handling attacks.
PCT/CN2017/072087 2016-02-26 2017-01-22 Method, device, and system for handling attacks (Procédé, dispositif, et système de gestion d'attaques) WO2017143897A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610109680.X 2016-02-26
CN201610109680.XA CN107135185A (zh) 2016-02-26 2016-02-26 Attack processing method, device and system (一种攻击处理方法、设备及系统)

Publications (1)

Publication Number Publication Date
WO2017143897A1 true WO2017143897A1 (fr) 2017-08-31

Family

ID=59684719

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/072087 WO2017143897A1 (fr) 2016-02-26 2017-01-22 Method, device, and system for handling attacks (Procédé, dispositif, et système de gestion d'attaques)

Country Status (2)

Country Link
CN (1) CN107135185A (fr)
WO (1) WO2017143897A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112448929A (zh) * 2019-09-02 2021-03-05 中国电力科学研究院有限公司 Dynamic defense method and platform for a communication network (一种通讯网络动态方防护方法及平台)
CN113938301A (zh) * 2021-10-12 2022-01-14 中国电信股份有限公司 Method, apparatus and storage medium for generating an operation and maintenance policy against network attacks (生成针对网络攻击的运维策略的方法、装置及存储介质)
CN113938301B (zh) * 2021-10-12 2024-01-30 中国电信股份有限公司 Method, apparatus and storage medium for generating an operation and maintenance policy against network attacks (生成针对网络攻击的运维策略的方法、装置及存储介质)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110674479B (zh) * 2019-09-29 2021-09-03 武汉极意网络科技有限公司 Method, apparatus, device and storage medium for real-time processing of abnormal behaviour data (异常行为数据实时处理方法、装置、设备及存储介质)
CN113891340B (zh) * 2020-07-02 2023-10-27 中国移动通信集团安徽有限公司 Adaptive flow control method, apparatus, computing device and storage medium (自适应流控方法、装置、计算设备和存储介质)
CN114448679B (zh) * 2022-01-04 2024-05-24 深圳萨摩耶数字科技有限公司 Attack chain construction method, apparatus, electronic device and storage medium (攻击链构建方法、装置、电子设备及存储介质)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060130146A1 (en) * 2004-11-24 2006-06-15 Yang Seo Choi Network packet generation apparatus and method having attack test packet generation function for information security system test
CN101170402A (zh) * 2007-11-08 2008-04-30 华为技术有限公司 Method and system for defending against TCP attacks using netflow technology (一种采用网流技术防御tcp攻击的方法和系统)
CN104580168A (zh) * 2014-12-22 2015-04-29 华为技术有限公司 Method, apparatus and system for processing attack packets (一种攻击数据包的处理方法、装置及系统)
CN104954376A (zh) * 2015-06-17 2015-09-30 华为技术有限公司 Adaptive anti-attack method and apparatus (一种自适应防攻击方法及装置)

Also Published As

Publication number Publication date
CN107135185A (zh) 2017-09-05

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17755726

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17755726

Country of ref document: EP

Kind code of ref document: A1