WO2020013439A1 - Device and method for control routing in an SDN network - Google Patents

Device and method for control routing in an SDN network

Publication number
WO2020013439A1
Authority
WO (WIPO, PCT)
Prior art keywords
data packet
source terminal
transmitted
address
risk
Application number
PCT/KR2019/006242
Other languages
English (en)
Korean (ko)
Inventor
이솔
Original Assignee
삼성전자 주식회사 (Samsung Electronics Co., Ltd.)
Application filed by 삼성전자 주식회사 (Samsung Electronics Co., Ltd.)
Publication of WO2020013439A1

Classifications

All under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 45/70 Routing based on monitoring results (under H04L 45/00 Routing or path finding of packets in data switching networks)
    • H04L 45/72 Routing based on the source address (under H04L 45/00)
    • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic (under H04L 63/00 Network architectures or network communication protocols for network security, H04L 63/14 Detecting or protecting against malicious traffic)

Definitions

  • the present disclosure relates to a network control method and apparatus. More specifically, it relates to a method of controlling data packet transmission over a network.
  • Software-defined networking (SDN) separates the control plane from the data plane and concentrates the control plane in a single controller, which simplifies the data plane. The controller takes charge of forwarding decisions and decides where each packet is sent.
  • SDN can provide a wider range of functions than a conventional network because a software controller performs the packet-control operations that conventional hardware network equipment performs on its own.
  • An SDN network can control and manage data transmission by abstracting the network in a distributed or cloud system.
  • SDN was developed to improve, in software, the speed, stability, energy efficiency and security of hardware-dependent network systems such as routers and switches, and it is based on the OpenFlow concept.
  • OpenFlow provides network openness by separating a network device's packet-forwarding function from its control function behind a standard interface, and it defines the protocol used between the controller and the switches.
  • a network control method and a network device with enhanced security in an SDN network may be provided.
  • a network control method and apparatus capable of efficiently utilizing resources based on risk may be provided.
  • According to an embodiment, a network control device may be provided that includes: a communication interface for communicating with a source terminal, a destination terminal and the routing device; a storage unit for storing one or more instructions; and a processor that executes the one or more instructions.
  • By executing the one or more instructions, the processor receives from the source terminal route information indicating the transmission path of a data packet to be transmitted from the source terminal to the destination terminal via the routing device, determines a risk level of the received route information, and controls the transmission path over which the data packet is transmitted from the source terminal to the destination terminal according to the determined risk level.
  • By executing the one or more instructions, the processor determines, based on the determined risk level, whether to inspect the data packet to be transmitted from the source terminal to the destination terminal, and changes the transmission path based on that determination.
  • When the processor determines, based on the determined risk level, not to inspect the data packet, it may set the transmission path so that the data packet is transmitted from the source terminal to the destination terminal via the at least one routing device.
  • When the processor determines, based on the determined risk level, to inspect the data packet, it may change the transmission path so that the processor receives the data packet from the source terminal for inspection while the data packet is also transmitted from the source terminal to the destination terminal via the at least one routing device.
  • When the processor determines, based on the determined risk level, to inspect the data packet, it may receive the data packet from the source terminal, inspect the received data packet, and change the transmission path so that the inspected data packet is transmitted from the network controller to the destination terminal.
  • When the processor determines, based on the determined risk level, to inspect the data packet, it may receive the data packet from the source terminal, inspect the received data packet, and block the inspected data packet from being transmitted from the network controller to the destination terminal.
  • The processor may inspect the received data packet and, based on the result of the inspection, block transmission of the data packet being transmitted from the source terminal to the destination terminal.
  • The route information includes at least one of a source IP address, indicating the network address of the source terminal, and a destination IP address, indicating the network address of the destination terminal. The risk level may indicate the probability that a data packet transmitted from the source terminal corresponding to the source IP address, or transmitted to the destination terminal corresponding to the destination IP address, contains abnormal data.
  • the network device may include a software-defined networking (SDN) management device.
  • According to an embodiment, a network control method may be provided that includes: receiving route information indicating the transmission path of a data packet to be transmitted from a source terminal to a destination terminal via at least one routing device among a plurality of routing devices; determining a risk level of the received route information; and controlling the transmission path of the data packet according to the determined risk level.
  • The network control method may further include determining, based on the determined risk level, whether to inspect the data packet to be transmitted from the source terminal to the destination terminal, and transmitting the data packet based on that determination.
  • When it is determined, based on the determined risk level, not to inspect the data packet, the transmission path may be determined so that the data packet is transmitted from the source terminal to the destination terminal via at least one routing device among the plurality of routing devices.
  • When it is determined, based on the determined risk level, to inspect the data packet, the transmission path may be changed so that the data packet is received from the source terminal for inspection while it is also transmitted from the source terminal to the destination terminal via at least one routing device.
  • In the controlling step, when it is determined, based on the determined risk level, to inspect the data packet, the data packet is received from the source terminal and inspected, and the transmission path may be changed so that the inspected data packet is transmitted from the network controller to the destination terminal.
  • In the controlling step, when it is determined, based on the determined risk level, to inspect the data packet, the data packet is received from the source terminal and inspected, and transmission of the inspected data packet from the network controller to the destination terminal may be blocked.
  • The controlling step may inspect the received data packet and, based on the result of the inspection, block transmission of the data packet being transmitted from the source terminal to the destination terminal.
  • In the determining step, the risk level may be determined using at least one of: the transmission history of packets transmitted from the source terminal corresponding to the source IP address; the transmission history of packets transmitted to the destination terminal corresponding to the destination IP address; the transmission history of the at least one routing device through which the data packet passes between the source terminal and the destination terminal; public information related to the source IP address; and public information related to the destination IP address.
  • When the network control method determines, based on the determined risk level, to inspect the data packet, it may further include receiving the data packet from the source terminal, inspecting the received data packet, updating the risk level of the route information based on the inspection result, and storing the risk level of the route information together with the transmission path over which the data packet is transmitted from the source terminal to the destination terminal.
  • The network controller may control the transmission path of the data packet based on the risk level of the data packet.
  • FIG. 1 is a diagram illustrating a process of controlling a data packet transmission from a source terminal to a destination terminal by at least one routing device according to an embodiment of the present disclosure.
  • FIG. 2 is a diagram illustrating a process of controlling a data packet transmission from a source terminal to a destination terminal through a plurality of routing devices, according to another embodiment of the present disclosure.
  • FIG. 3 is a block diagram of a network control apparatus according to an embodiment of the present disclosure.
  • FIG. 4 is a diagram illustrating a routing path according to various embodiments of the present disclosure.
  • FIG. 5 is a diagram illustrating a routing path according to various embodiments of the present disclosure.
  • FIG. 6 is a diagram illustrating a routing path according to various embodiments of the present disclosure.
  • FIG. 7 is a diagram illustrating a routing path according to various embodiments of the present disclosure.
  • FIG. 8 is a flowchart illustrating a network control method according to an embodiment of the present disclosure.
  • According to an embodiment, a network control method may be provided that includes receiving path information indicating the transmission path of a data packet to be transmitted from a source terminal to a destination terminal via at least one routing device among a plurality of routing devices, determining a risk level of the received path information, and controlling the transmission path of the data packet according to the determined risk level.
  • According to an embodiment, a network control apparatus for controlling data packet transmission through at least one routing device may be provided, comprising: a communication interface communicating with a source terminal, a destination terminal, and the routing device; a storage unit for storing one or more instructions; and a processor that executes the one or more instructions.
  • By executing the one or more instructions, the processor receives from the source terminal route information indicating the transmission path of a data packet to be transmitted from the source terminal to the destination terminal via the routing device, determines a risk level of the received route information, and controls, according to the determined risk level, the transmission path over which the data packet is transmitted from the source terminal to the destination terminal.
  • According to an embodiment, a computer-readable recording medium may be provided on which a program is recorded for executing a network control method comprising: receiving from the source terminal path information indicating the transmission path of a data packet to be transmitted from the source terminal to a destination terminal via at least one routing device among a plurality of routing devices; determining a risk level of the received route information; and controlling the transmission path of the data packet from the source terminal to the destination terminal according to the determined risk level.
  • When any part of the specification says that something "includes" a component, this means that other components may also be included rather than excluded, unless otherwise stated.
  • The terms "... unit", "module", etc. used in the specification denote a unit that processes at least one function or operation, and such a unit may be implemented in hardware, in software, or in a combination of hardware and software.
  • FIG. 1 illustrates a process in which the network control apparatus 10 controls a data packet transmission from a source terminal 800 to a destination terminal 900 via at least one routing device 30 according to an embodiment of the present disclosure.
  • the network control device 10 controls the transmission of data packets to be transmitted from the source terminal 800 to the destination terminal 900 via at least one routing device 30.
  • the network control device 10 may include a software-defined networking (SDN) management device.
  • the network control device 10 and at least one routing device 30 may configure an SDN network, but are not limited thereto.
  • at least one routing device 30 may include a router or a switch.
  • The network control apparatus 10 may receive the source IP (SRC IP) address and the destination IP (DST IP) address of a data packet that the source terminal 800 intends to transmit to the destination terminal 900.
  • The network control apparatus 10 may receive the source IP address or the destination IP address through the routing device 820 adjacent to the source terminal 800.
  • The route information may include a source IP (SRC IP) address or a destination IP (DST IP) address, or both.
  • The network control apparatus 10 receives at least one of the SRC IP address and the DST IP address of a data packet that the source terminal 800 intends to transmit to the destination terminal 900, determines the risk level of the SRC IP address and/or the DST IP address using the received address(es), and controls the transmission path using the determined risk level.
  • The network control device 10 may use the SRC IP or the DST IP received from the source terminal 800 to control the routing tables of the at least one routing device 30 under its control, and thereby control the transmission of the data packet.
  • The routing device 30 holds a routing table, which may contain, for every destination, the routing devices that must be traversed to reach that destination.
  • The routing device 30 may update its routing table under the control of the network control device 10.
  • The network control device 10 receives at least one of the SRC IP and the DST IP from the source terminal 800 and, using the received address(es), changes the routing tables of the routing devices 30, thereby controlling the transmission path of the data packet to be transmitted from the source terminal 800 to the destination terminal 900.
  • FIG. 2 is a diagram illustrating a process of controlling a data packet transmission from a source terminal to a destination terminal through a plurality of routing devices, according to another embodiment of the present disclosure.
  • The network control device 10 may include an SDN controller 400, an analysis server 500, and an inspection server 600.
  • The SDN controller 400, the analysis server 500, and the inspection server 600 may together form one network control device. That is, the network control method may be performed on separate network devices, namely the SDN controller 400, the analysis server 500, and the inspection server 600, or the SDN controller 400, the analysis server 500, and the inspection server 600 may all run in a single network device.
  • The inspection server may include a communication interface for communicating with a source terminal, a destination terminal, and a plurality of routing devices, a storage unit for storing one or more instructions, and a processor for executing the one or more instructions stored in the storage unit.
  • The storage unit may be implemented as the database 700. The storage unit may be part of the network control device 10, or it may be located outside the network control device 10 and connected to it.
  • The processor may perform the same functions as the SDN controller 400, the analysis server 500, and the inspection server 600 by executing the one or more instructions stored in the storage unit.
  • The SDN controller 400 controls the plurality of routing devices using routing rules.
  • The SDN controller 400 may define the communication method between routing devices using a routing protocol.
  • The SDN controller 400 receives at least one of the SRC IP address and the DST IP address of the data packet to be transmitted from the source terminal 800, and determines the risk level of the received SRC IP address and/or DST IP address.
  • The SDN controller 400 may receive from the source terminal path information indicating the transmission path of a data packet to be transmitted from the source terminal 800 to the destination terminal 900 via the routing device 30.
  • The SDN controller 400 may receive the path information indicating the transmission path of the data packet through the routing device 820 adjacent to the source terminal 800.
  • The route information includes a source IP address and/or a destination IP address and represents from where to where the data packet is to be sent.
  • The path information may indicate the transmission path over which the data packet is transmitted.
  • The SDN controller 400 may determine the risk level of the path information of the received data packet. For example, the SDN controller 400 may transmit a risk score inquiry request for the SRC IP address and/or the DST IP address received from the source terminal 800 to the analysis server 500. The SDN controller 400 receives the risk score for the SRC IP address and/or the DST IP address that the analysis server 500 transmits in response to the risk score inquiry request, and may determine the risk level of the path information of the data packet using that risk score.
  • To determine the risk level of the path information of the received data packet, the SDN controller 400 may transmit to the analysis server 500 a public-information inquiry request related to the SRC IP address and/or a public-information inquiry request related to the DST IP address.
  • The SDN controller 400 may receive the public information related to the SRC IP address or the public information related to the DST IP address that the analysis server 500 transmits in response to the corresponding inquiry request, and may determine the risk level using at least one of the received public information related to the SRC IP address and the received public information related to the DST IP address.
  • The SDN controller 400 may categorize the risk score received from the analysis server 500 according to a preset method and determine the risk level of the path information of the received data packet using the categorized risk score.
  • The SDN controller 400 may categorize the received risk score into two sections divided by a first threshold. If the risk score received from the analysis server 500 is less than the first threshold, the risk level of the path information of the received data packet may be determined to be low; if the risk score is greater than the first threshold, the risk level may be determined to be high.
  • The SDN controller 400 may categorize the received risk score into three sections divided by a first threshold and a second threshold.
  • The first threshold may be smaller than the second threshold. If the risk score received from the analysis server 500 is less than the first threshold, the risk level of the path information of the received data packet may be determined to be low; if the risk score is greater than the first threshold and less than the second threshold, the risk level may be determined to be medium; and if the risk score is greater than the second threshold, the risk level may be determined to be high.
  • The method by which the SDN controller 400 categorizes the risk score received from the analysis server 500 is not limited to the methods described above, and a more finely categorized risk score may be used. An implementation must also assign a score that is exactly equal to a threshold to one of the two adjacent sections, since the description only speaks of scores below or above a threshold.
  • The SDN controller 400 may determine the risk level using at least one of: the transmission history of packets transmitted from the source terminal corresponding to the source IP address; the transmission history of packets transmitted to the destination terminal corresponding to the destination IP address; the transmission history of the at least one routing device through which the data packet passes between the source terminal 800 and the destination terminal; public information related to the source IP address; and public information related to the destination IP address.
  • The risk level may indicate the probability that a data packet to be transmitted from the source terminal corresponding to the source IP address, or a data packet to be transmitted to the destination terminal corresponding to the destination IP address, contains abnormal data.
  • The SDN controller 400 determines, based on the determined risk level, whether to inspect the data packet to be transmitted from the source terminal to the destination terminal, and changes the data packet's transmission path based on that determination using a routing protocol. For example, the SDN controller 400 may decide to inspect the data packet when the determined risk level is high and not to inspect it when the determined risk level is low.
  • When the SDN controller 400 determines that the path information of the received data packet is dangerous, it may control the transmission path so that the data packet output from the source terminal 800 is transmitted to the inspection server 600 rather than to the destination terminal 900.
  • When the SDN controller 400 determines that the path information of the received data packet is not dangerous, it may control the transmission path so that the data packet output from the source terminal 800 is transmitted to the destination terminal 900.
  • When the risk level of the path information of the received data packet is medium, the SDN controller 400 may control the transmission path so that the data packet is transmitted from the source terminal 800 to the destination terminal 900 and a copy is also transmitted to the inspection server 600.
  • When the inspection server 600 determines, as a result of inspecting the data packet, that it is dangerous, the SDN controller 400 may block transmission of the data packet being transmitted from the source terminal 800 to the destination terminal 900. For a mirrored (medium-risk) flow the verdict arrives after the first packets have already been delivered, so blocking takes effect on the packets that follow; only a diverted (high-risk) flow is held back entirely until it has been inspected.
  • The SDN controller 400 may thus identify at the network level a potential threat carried in a data packet and prevent a data packet containing information that is a real threat from reaching the destination terminal 900. In this way the network control device 10 can deal with data packets that may threaten the destination terminal 900 ahead of time, at the routing stage.
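The decision logic described in the bullets above (risk-score lookup, threshold categorization into two or three sections, and the three path outcomes: deliver, deliver-and-mirror, divert-then-block-or-release), together with the routing-table update from the description of FIG. 1, as an added Python example. This is not the patent's own code; the score table, the thresholds, the action names, the routing-table layout, the neutral default for unknown addresses and the use of the riskier endpoint's score for the route are all assumptions made for illustration.

```python
# Added example (not the patent's own code): a minimal model of the SDN controller 400
# deciding, per (SRC IP, DST IP) pair, how routing devices 30 should forward a flow based
# on the risk level of the route information. Score table, thresholds, action names and
# routing-table layout are assumptions made for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Sequence, Tuple


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Constructed per-address risk scores, standing in for what the analysis server 500
# would return from database 700. Higher means more likely to carry abnormal data.
RISK_SCORES: Dict[str, float] = {
    "10.0.0.5": 0.10,      # source with a clean history
    "10.0.0.6": 0.05,      # destination with a clean history
    "10.0.0.9": 0.55,      # source with a mixed history
    "203.0.113.7": 0.92,   # destination with a bad reputation
}
UNKNOWN_SCORE = 0.5        # neutral default for an address with no history (assumption)


def lookup_risk_score(src_ip: str, dst_ip: str) -> float:
    """Risk score inquiry for the route: take the riskier of the two endpoints (assumption)."""
    return max(RISK_SCORES.get(src_ip, UNKNOWN_SCORE),
               RISK_SCORES.get(dst_ip, UNKNOWN_SCORE))


def categorize(score: float, thresholds: Sequence[float]) -> Risk:
    """Two-section (one threshold) or three-section (two thresholds) categorization.
    A score equal to a threshold falls into the higher bucket (assumption; the text
    only speaks of 'less than' and 'greater than')."""
    if len(thresholds) == 1:
        return Risk.LOW if score < thresholds[0] else Risk.HIGH
    if len(thresholds) != 2:
        raise ValueError("expected one or two thresholds")
    first, second = sorted(thresholds)   # the first threshold is the smaller one
    if score < first:
        return Risk.LOW
    if score < second:
        return Risk.MEDIUM
    return Risk.HIGH


# Forwarding actions a routing device can apply (names are assumptions).
TO_DESTINATION = "output:destination"   # normal path towards destination terminal 900
TO_INSPECTION = "output:inspection"     # port leading to inspection server 600
DROP = "drop"


@dataclass(frozen=True)
class FlowRule:
    src_ip: str
    dst_ip: str
    actions: Tuple[str, ...]


@dataclass
class RoutingDevice:
    name: str
    table: Dict[Tuple[str, str], Tuple[str, ...]] = field(default_factory=dict)


def decide_path(src_ip: str, dst_ip: str,
                thresholds: Sequence[float] = (0.3, 0.7)) -> FlowRule:
    """Low: deliver directly. Medium: deliver and mirror a copy to the inspection
    server. High: divert to the inspection server only; delivery waits for the verdict."""
    risk = categorize(lookup_risk_score(src_ip, dst_ip), thresholds)
    if risk is Risk.LOW:
        actions = (TO_DESTINATION,)
    elif risk is Risk.MEDIUM:
        actions = (TO_DESTINATION, TO_INSPECTION)
    else:
        actions = (TO_INSPECTION,)
    return FlowRule(src_ip, dst_ip, actions)


def apply_inspection_result(rule: FlowRule, dangerous: bool) -> FlowRule:
    """Verdict from the inspection server: block the flow if dangerous, otherwise
    release it towards the destination."""
    actions = (DROP,) if dangerous else (TO_DESTINATION,)
    return FlowRule(rule.src_ip, rule.dst_ip, actions)


def install_rule(path: List[RoutingDevice], rule: FlowRule) -> None:
    """Push the rule into the routing table of every device on the path; this is how
    the controller changes the transmission path without touching the terminals."""
    for device in path:
        device.table[(rule.src_ip, rule.dst_ip)] = rule.actions


if __name__ == "__main__":
    path = [RoutingDevice("r820"), RoutingDevice("r830")]
    rule = decide_path("10.0.0.5", "203.0.113.7")   # high risk: diverted
    install_rule(path, rule)
    print(rule, path[0].table)
    verdict = apply_inspection_result(rule, dangerous=True)
    install_rule(path, verdict)
    print(verdict, path[1].table)
```

The rule is keyed on the (SRC IP, DST IP) pair because that is the only route information the description says the controller receives; a real controller would also match on ports and protocol so that one hostile flow does not drag every flow between the same two hosts through the inspection server.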
  • The analysis server 500 receives the result of inspecting the data packet from the inspection server 600 and uses the received inspection result to calculate a risk score for the SRC IP address and/or the DST IP address of the corresponding data packet.
  • The analysis server 500 may store the calculated risk score for the SRC IP address and/or the DST IP address of the data packet in the database 700.
  • The analysis server 500 may store the calculated risk score for the SRC IP address and/or the DST IP address of the data packet in the storage unit 200 within the analysis server 500.
  • The analysis server 500 may match the calculated risk score with the SRC IP address and/or the DST IP address and store it in the database 700.
  • The analysis server 500 may synchronize the calculated risk score for the SRC IP address and/or the DST IP address with the risk score previously stored in the database.
  • The analysis server 500 may store in the database 700 a risk level value indicating the risk level of the path information determined by the SDN controller 400 based on the risk score.
  • The risk level of the path information determined by the SDN controller 400 based on the risk score may be matched with the transmission path over which the data packet is transmitted and stored in the database 700.
  • When the analysis server 500 receives from the SDN controller 400 a risk score inquiry request for at least one of the SRC IP address and the DST IP address of the data packet to be transmitted from the source terminal 800 to the destination terminal 900, it searches for stored entries whose SRC IP address and DST IP address are identical to those of the data packet, obtains the risk score matching the found SRC IP address and DST IP address, and transmits the obtained risk score to the SDN controller 400.
  • The SDN controller 400 may determine the risk level of at least one of the SRC IP address and the DST IP address of the data packet to be transmitted by the source terminal 800 using the risk score received from the analysis server 500.
  • The analysis server 500 may match the public information related to the SRC IP address or the public information related to the DST IP address with the SRC IP address and/or the DST IP address and store it in the database 700.
  • The analysis server 500 may store the public information related to the SRC IP address or the DST IP address in the storage unit 200 within the analysis server 500.
  • The analysis server 500 may synchronize the public information related to the SRC IP address and the public information related to the DST IP address with the public information previously stored in the database for those addresses.
  • When the analysis server 500 receives from the SDN controller 400 a public-information inquiry request relating to at least one of the SRC IP address and the DST IP address of the data packet to be transmitted from the source terminal 800, it retrieves the stored SRC IP address and DST IP address identical to those of the data packet, obtains the public information matching the retrieved addresses, and transmits the obtained public information to the SDN controller 400. The SDN controller 400 may determine the risk level of at least one of the SRC IP address and the DST IP address of the data packet to be transmitted by the source terminal 800 using the public information received from the analysis server 500.
  • The analysis server 500 may receive the data packet inspection result from the inspection server 600 and update the risk score stored in the database 700 based on the received inspection result. According to another embodiment, the analysis server 500 may update the risk level value, stored in the database 700, that indicates the risk level of the path information determined by the SDN controller 400.
  • The inspection server 600 may receive a data packet and inspect the received data packet under the control of the SDN controller 400. For example, the inspection server 600 may inspect the received data packet using a preset security algorithm. The inspection server 600 may inspect the header or the payload of the data packet, and may inspect the data packet at the application layer.
  • The inspection server 600 may generate a data packet inspection result by inspecting the data packet and transmit the generated inspection result to the analysis server 500. Because the inspection server 600 scans the data packet with a predetermined security algorithm, even when it scans a data packet carrying malicious code or malware, the malicious code or malware does not affect any device other than the inspection server. This isolation holds only as long as the inspection server itself is contained, for instance by executing suspicious content in the sandbox mentioned next rather than on the server's own host.
  • The security algorithm may include deep packet inspection (DPI) or a sandbox.
  • The risk level may indicate the probability that a data packet to be transmitted from the source terminal 800 corresponding to the source IP address, or a data packet to be transmitted to the destination terminal 900 corresponding to the destination IP address, contains abnormal data. For example, when the SDN controller 400 determines that the risk level corresponding to the source IP address is high, data packets to be transmitted from the source terminal 800 having that source IP address have a high probability of containing abnormal data. Likewise, when the SDN controller 400 determines that the risk level corresponding to the destination IP address is high, data packets to be transmitted to the destination terminal 900 having that destination IP address have a high probability of containing abnormal data. Abnormal data in the present invention may include malicious code or malware, communication information of malware, DDoS attack packets, and information that the user has not agreed to transmit.
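The feedback path between the inspection server 600 and the analysis server 500 described in the bullets above (inspect a packet, return a verdict, update the stored risk score per address, and answer the controller's inquiry with history and public information combined), as an added Python example that is not the patent's code. The signature list standing in for the security algorithm, the exponential-moving-average update rule, the neutral default score, the public-information table and the sample packets are all constructed assumptions.

```python
# Added example (not the patent's own code): the feedback loop in which the inspection
# server 600 inspects a diverted or mirrored packet and the analysis server 500 updates
# the risk score stored for its SRC/DST IP addresses. The signature list, the scoring
# rule, the public-information table and the sample packets are all constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed payload signatures standing in for the "preset security algorithm".
# A real DPI engine or sandbox applies far richer rules; these only show the data flow.
SIGNATURES: Tuple[bytes, ...] = (
    b"/bin/sh -i",      # interactive shell string typical of reverse-shell payloads
    b"cmd.exe /c",      # Windows command execution string
    b"MZ\x90\x00",      # PE executable header embedded in a payload
)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes


@dataclass(frozen=True)
class InspectionResult:
    src_ip: str
    dst_ip: str
    dangerous: bool
    reason: str


def inspect(pkt: Packet) -> InspectionResult:
    """Inspection server: scan the payload for known signatures."""
    for sig in SIGNATURES:
        if sig in pkt.payload:
            return InspectionResult(pkt.src_ip, pkt.dst_ip, True, f"matched {sig!r}")
    return InspectionResult(pkt.src_ip, pkt.dst_ip, False, "clean")


class AnalysisServer:
    """Holds per-address risk scores (the role of database 700) plus a constructed
    public-information table, and updates scores from inspection results."""

    NEUTRAL = 0.5   # score assumed for an address with no transmission history

    def __init__(self, alpha: float = 0.3,
                 public_info: Optional[Dict[str, float]] = None) -> None:
        self.alpha = alpha                     # weight of the newest observation (EMA; assumption)
        self.scores: Dict[str, float] = {}
        self.public_info = public_info or {}   # e.g. blocklist hits, used as a score floor

    def risk_score(self, ip: str) -> float:
        """History-derived score, raised to the public-information floor if that is higher."""
        return max(self.scores.get(ip, self.NEUTRAL), self.public_info.get(ip, 0.0))

    def query(self, src_ip: str, dst_ip: str) -> float:
        """Risk score inquiry from the SDN controller for a (SRC IP, DST IP) pair."""
        return max(self.risk_score(src_ip), self.risk_score(dst_ip))

    def update(self, result: InspectionResult) -> None:
        """Move both endpoints' scores towards 1.0 on a dangerous verdict and towards
        0.0 on a clean one. Updating the destination too is an assumption: a host that
        keeps receiving hostile traffic is treated as a riskier destination."""
        observation = 1.0 if result.dangerous else 0.0
        for ip in (result.src_ip, result.dst_ip):
            old = self.scores.get(ip, self.NEUTRAL)
            self.scores[ip] = (1.0 - self.alpha) * old + self.alpha * observation


def run_inspection_cycle(server: AnalysisServer,
                         packets: List[Packet]) -> List[InspectionResult]:
    """Inspect each packet and feed the verdict back into the analysis server."""
    results = []
    for pkt in packets:
        result = inspect(pkt)
        server.update(result)
        results.append(result)
    return results


if __name__ == "__main__":
    # Constructed sample traffic: one clean request, one payload carrying a shell string.
    samples = [
        Packet("10.0.0.9", "10.0.0.6", b"GET /index.html HTTP/1.1\r\n"),
        Packet("10.0.0.9", "10.0.0.6", b"\x00\x01/bin/sh -i 2>&1\x00"),
    ]
    srv = AnalysisServer(public_info={"203.0.113.7": 0.9})
    for r in run_inspection_cycle(srv, samples):
        print(r)
    print(srv.query("10.0.0.9", "10.0.0.6"), srv.query("10.0.0.9", "203.0.113.7"))
```

With the default weight of 0.3 and a neutral start of 0.5, one clean packet lowers an address to 0.35 and a following dangerous one raises it to 0.545, so a single hostile packet does not by itself push a previously clean source into the high section under the (0.3, 0.7) thresholds; repeated verdicts do. The public-information floor is what lets a known-bad destination be treated as high risk before any of its traffic has been inspected.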
  • FIG. 3 is a block diagram of a network control apparatus 10 according to an embodiment of the present disclosure.
  • the network control apparatus 10 may include a communication interface 100, a storage unit 200, and a processor 300.
  • the processor 300 included in a single network control device may perform all the functions of the SDN controller 400, the analysis server 500, and the inspection server 600.
  • alternatively, the functions of the SDN controller 400, the analysis server 500, and the inspection server 600 illustrated in FIG. 2 may be performed not by a single network device but by separate devices such as the SDN controller 400, the analysis server 500, and the like.
  • the SDN controller 400, the analysis server 500, and the inspection server 600 may each include a communication interface, a storage unit, and a processor. That is, the SDN controller 400, the analysis server 500, and the inspection server 600 each include at least one processor, and may perform a network control method based on a risk score using the processors included in each.
  • the function of the SDN controller 400 and the function of the analysis server 500 may be performed in the first network device, and the function of the inspection server 600 may be performed in the second network device.
  • the first network device may include at least one processor, and may perform the functions of the SDN controller 400 and the functions of the analysis server 500 using the included processors.
  • the second network device may include at least one processor, and the included processors may perform the function of the inspection server 600.
  • the communication interface 100 may communicate with the source terminal 800, the destination terminal 900, and the routing devices 30.
  • the communication interface 100 may receive the SRC IP address and / or the DST IP address through the routing device 820 adjacent to the source terminal 800 under the control of the processor.
  • the communication interface 100 may communicate with all routing devices 30 controlled by the network control device 10.
  • the communication interface 100 may include one or more components that enable communication with an external device, and may include, for example, at least one of a short range communication module, a wired communication module, and a wireless communication module.
  • a short-range wireless communication module of the present disclosure may be a Bluetooth communication module, a Bluetooth low energy (BLE) communication module, a near field communication (NFC) module, a WLAN (Wi-Fi) communication module, a Zigbee communication module, an infrared data association (IrDA) communication module, a Wi-Fi Direct (WFD) communication module, a UWB communication module, an Ant+ communication module, and the like, but is not limited thereto.
  • the storage unit 200 may store one or more instructions.
  • the instructions stored by the storage unit 200 may be a set of instructions executable by a computer for the network control apparatus 10 to control a routing path in an SDN network.
  • the storage unit 200 may include an internal memory or an external memory.
  • the internal memory may include at least one of volatile memory (e.g., dynamic RAM (DRAM), static RAM, or synchronous dynamic RAM), non-volatile memory (e.g., one-time programmable ROM (OTPROM), programmable ROM (PROM), erasable and programmable ROM (EPROM), electrically erasable and programmable ROM (EEPROM), mask ROM, flash ROM, or flash memory such as NAND flash or NOR flash), a hard drive, or a solid state drive (SSD).
  • the external memory may include a flash drive such as compact flash (CF), secure digital (SD), micro secure digital (Micro-SD), mini secure digital (Mini-SD), extreme digital (XD), a multi-media card (MMC), or a memory stick.
  • the external memory may be functionally and / or physically connected to the network control device 10 through various interfaces.
  • the processor 300 may execute one or more instructions stored in the storage unit 200. For example, by executing one or more instructions stored in the storage unit 200, the processor 300 may control at least one routing device 30 through the communication interface 100, and may receive from the source terminal 800 path information indicating a transmission path of a data packet to be transmitted from the source terminal 800 to the destination terminal 900.
  • the route information may include a source IP address and / or a destination IP address and may indicate a transmission path of a data packet.
  • the processor 300 shown in FIG. 3 may be a single processor, but may also be a plurality of processors.
  • the network control apparatus 10 may include a plurality of processors, and may perform the functions of the SDN controller 400, the analysis server 500, and the inspection server 600 described above using the plurality of processors.
  • FIG. 4 is a diagram illustrating a routing path according to various embodiments of the present disclosure.
  • a transmission path of the data packet may be determined such that the data packet is transmitted from the source terminal 800 to the destination terminal 900.
  • the SDN controller 400 receives a risk score for the path information of the received data packet from the analysis server 500, and if the received risk score is less than the first threshold, it may determine that the degree of risk of the path information is low. If the SDN controller 400 determines that the risk level of the received route information is low, it may determine not to inspect the data packet and may control the transmission path so that the data packet is transmitted from the source terminal 800 to the destination terminal 900 (path 702).
  • the network control device 10 may determine not to inspect the data packet based on the degree of danger of the path information of the data packet received from the source terminal 800. If the network control device 10 determines not to inspect the data packet, it may control the transmission path so that the data packet is transmitted from the source terminal 800 to the destination terminal 900 (path 702).
  • FIG. 5 is a diagram illustrating a routing path according to various embodiments of the present disclosure.
  • when the SDN controller 400 determines, based on the degree of danger of the path information of the data packet received from the source terminal 800, to inspect the data packet at the inspection server 600, the SDN controller 400 may change the transmission path so that the data packet is also transmitted to the inspection server 600 for inspection (path 704) while it is sent from the source terminal 800 to the destination terminal 900 through at least one of the routing devices 820, 920 (path 702).
  • the SDN controller 400 receives a risk score for the path information of the received data packet from the analysis server 500, and if the received risk score is greater than the first threshold and smaller than the second threshold, it may determine that the degree of risk of the route information is moderate.
  • when the SDN controller 400 determines the degree of risk of the received route information to be medium, it may change the transmission path so that the data packet is also transmitted to the inspection server 600 for inspection while being allowed to pass from the source terminal 800 to the destination terminal 900.
  • the SDN controller 400 may block transmission of the data packet being transmitted from the source terminal to the destination terminal when it is determined that the data packet is dangerous based on the result of the inspection server 600 inspecting the data packet.
  • the SDN controller 400 may also block the transmission of data packets from the inspection server 600 to the destination terminal 900.
  • the network control device 10 may determine to inspect the data packet based on the degree of danger of the path information of the data packet received from the source terminal 800.
  • the network control apparatus 10 may determine the degree of risk of the route information to be medium.
  • when the network control apparatus 10 determines the degree of risk of the received route information to be medium, it may allow the data packet to be transmitted from the source terminal 800 to the destination terminal 900 and, at the same time, receive the data packet in order to inspect it.
  • the network control apparatus 10 inspects the received data packet, and when the inspection shows that the data packet is dangerous, the network control apparatus 10 may block the transmission of the data packet being transmitted from the source terminal 800 to the destination terminal 900. Naturally, the data packet that the network control device 10 receives from the source terminal 800 for inspection is not itself transmitted to the destination terminal 900.
  • FIG. 6 is a diagram illustrating a routing path according to various embodiments of the present disclosure.
  • when the SDN controller 400 determines, based on the degree of danger of the path information of the data packet received from the source terminal 800, to inspect the data packet at the inspection server 600, the SDN controller 400 may control the transmission path so that the data packet is transmitted from the source terminal 800 to the inspection server 600 (path 704) and the inspected data packet is transmitted from the inspection server 600 to the destination terminal 900 (path 706).
  • when the SDN controller 400 determines, based on the degree of danger of the path information of the data packet received from the source terminal 800, to inspect the data packet at the inspection server 600, it may control the transmission path so that the data packet is blocked from being transmitted from the source terminal 800 to the destination terminal 900 and, at the same time, is transmitted from the source terminal 800 to the inspection server 600 (path 704).
  • the SDN controller 400 may control the transmission path so that the data packet is transmitted from the inspection server 600 to the destination terminal 900 (path 706) when it is determined that the data packet is not dangerous based on the result of the inspection server 600 inspecting the data packet.
  • the SDN controller 400 receives a risk score for the path information of the received data packet from the analysis server 500, and if the received risk score is greater than the second threshold, it may determine that the degree of risk of the path information is high.
  • when the SDN controller 400 determines that the degree of risk of the received route information is high, it may determine to inspect the data packet.
  • when the SDN controller 400 determines to inspect the data packet, it blocks the data packet from being transmitted from the source terminal 800 to the destination terminal 900 and, at the same time, controls the transmission path so that the data packet is transmitted from the source terminal 800 to the inspection server 600 (path 704).
  • the SDN controller 400 may then control the transmission path so that the data packet is transmitted from the inspection server 600 to the destination terminal 900 (path 706).
  • the network control device 10 may determine to inspect the data packet based on the degree of danger of the path information of the data packet received from the source terminal 800. For example, when determining that the risk level of the path information of the data packet received from the source terminal 800 is high, the network control apparatus 10 may determine to inspect the data packet.
  • when the network control device 10 determines to inspect the data packet, it blocks the transmission of the data packet from the source terminal 800 to the destination terminal 900 and, at the same time, receives the data packet from the source terminal 800 and inspects the received data packet. If the network control apparatus 10 determines that the data packet is not dangerous as a result of the inspection, it may change the transmission path so that the inspected data packet is transmitted from the network control apparatus 10 to the destination terminal 900.
  • FIG. 7 is a diagram illustrating a routing path according to various embodiments of the present disclosure.
  • when the SDN controller 400 determines, based on the degree of danger of the path information of the data packet received from the source terminal 800, to inspect the data packet at the inspection server 600, the SDN controller 400 may control the transmission path so that the data packet is sent from the source terminal 800 to the inspection server 600 (path 704).
  • when the SDN controller 400 determines, based on the degree of danger of the path information of the data packet received from the source terminal 800, to inspect the data packet at the inspection server 600, it may control the transmission path so that the data packet is transmitted from the source terminal 800 to the inspection server 600 (path 704) while being blocked from being transmitted from the source terminal 800 to the destination terminal 900.
  • the SDN controller 400 may block the transmission of the data packet from the inspection server 600 to the destination terminal 900 when it is determined that the data packet is dangerous based on the result of the inspection server 600 inspecting the data packet.
  • the SDN controller 400 receives a risk score for the path information of the received data packet from the analysis server 500, and if the received risk score is greater than the second threshold, it may determine that the degree of risk of the path information is high.
  • when the SDN controller 400 determines that the degree of risk of the received route information is high, it may determine to inspect the data packet.
  • when the SDN controller 400 determines to inspect the data packet, it blocks the data packet from being transmitted from the source terminal 800 to the destination terminal 900 and, at the same time, controls the transmission path so that the data packet is transmitted from the source terminal 800 to the inspection server 600 (path 704).
  • the SDN controller 400 may block the data packet from being transmitted from the inspection server 600 to the destination terminal 900 when it is determined that the data packet is dangerous based on the result of the inspection server 600 inspecting the data packet.
  • the network control device 10 may determine to inspect the data packet based on the degree of danger of the path information of the data packet received from the source terminal 800. For example, when determining that the risk level of the path information of the data packet received from the source terminal 800 is high, the network control apparatus 10 may determine to inspect the data packet.
  • when the network control device 10 determines to inspect the data packet, it blocks the transmission of the data packet from the source terminal 800 to the destination terminal 900 and, at the same time, receives the data packet from the source terminal 800 and inspects the received data packet. If the network control apparatus 10 determines that the data packet is dangerous as a result of the inspection, it may block the inspected data packet from being transmitted from the network control apparatus 10 to the destination terminal 900.
  • FIG. 8 is a flowchart illustrating a network control method according to an embodiment of the present disclosure.
  • the network control method performed by the network control apparatus 10 includes the following steps performed in time series in the network apparatus 10.
  • the SDN controller 400 may receive, from the source terminal 800, path information indicating a transmission path of a data packet to be transmitted from the source terminal to the destination terminal via at least one routing device among a plurality of routing devices.
  • the route information may include the SRC IP address and / or the DST IP address of the data packet.
  • the SDN controller 400 determines the degree of danger of the received route information. For example, the SDN controller 400 may transmit a risk score inquiry request for the SRC IP address and/or the DST IP address received from the source terminal 800 to the analysis server 500. The SDN controller 400 receives the risk score for the SRC IP address and/or the DST IP address transmitted by the analysis server 500 in response to the risk score inquiry request, and may determine the degree of risk of the path information of the data packet using the received risk score for the SRC IP address and/or the DST IP address.
  • the SDN controller 400 may transmit to the analysis server 500 a public information inquiry request related to the SRC IP address and/or a public information inquiry request related to the DST IP address in order to determine the degree of risk of the path information of the received data packet.
  • the SDN controller 400 may receive the public information related to the SRC IP address or the public information related to the DST IP address transmitted by the analysis server 500 in response to the respective public information inquiry request, and may determine the degree of risk using at least one of the received public information related to the SRC IP address and the public information related to the DST IP address.
  • the SDN controller 400 determines whether to inspect the data packet to be transmitted from the source terminal to the destination terminal based on the determined degree of danger.
  • the SDN controller 400 may change the transmission path of the data packet based on the determination regarding whether to inspect the data packet.
  • in step S400, the SDN controller 400 controls the transmission path over which the data packet is transmitted from the source terminal to the destination terminal according to the determined degree of danger.
  • when the SDN controller 400 determines that the path information of the data packet to be transmitted from the source terminal 800 to the destination terminal 900 is not dangerous, it may determine the transmission path such that the data packet is transmitted from the source terminal 800 to the destination terminal 900 through at least one routing device among the plurality of routing devices.
  • the SDN controller 400 may control the transmission path so that the data packet is transmitted from the source terminal 800 to the destination terminal 900 and is also transmitted to the inspection server 600.
  • when the SDN controller 400 determines, based on the data packet inspection result of the inspection server 600, that the data packet to be transmitted from the source terminal 800 to the destination terminal 900 is dangerous, it may block the transmission of the data packet being transmitted from the source terminal 800 to the destination terminal 900.
  • the SDN controller 400 may control the transmission path so that the data packet is transmitted to the inspection server 600. For example, when it is determined that the path information of the data packet is dangerous, the SDN controller 400 blocks the data packet from being transmitted from the source terminal 800 to the destination terminal 900 and, at the same time, controls the transmission path so that the data packet is transmitted from the source terminal 800 to the inspection server 600 (path 704).
  • the SDN controller 400 may control the transmission path so that the received data packet is transmitted from the inspection server 600 to the destination terminal 900.
  • the SDN controller 400 does not transmit the received data packet from the inspection server 600 to the destination terminal 900 when it is determined that the data packet is actually dangerous based on the inspection result of the inspection server 600.
  • the SDN controller 400 may determine not to inspect the data packet. In addition, when the SDN controller 400 determines that the risk level of the path information of the data packet to be transmitted from the source terminal 800 to the destination terminal 900 is high or moderate, it may determine to inspect the data packet.
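The three-tier decision described for FIGs. 4 to 8 (low: forward directly; medium: forward and inspect in parallel; high: hold at the inspection server until it is found clean), written out as an added Python example that is not the patent's or Samsung's code; the analysis-server score table, the numeric thresholds 0.3 and 0.7, how the SRC and DST scores are combined, and the flow-rule fields are assumptions:

```python
"""Risk-score based path control for an SDN controller, following the
three-tier scheme (low / medium / high) described for FIGs. 4 to 8.

Added illustration, not code from the patent or its assignee. The risk
score lookup, the thresholds and the flow-rule fields are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Risk(Enum):
    LOW = "low"        # score below the first threshold
    MEDIUM = "medium"  # between the first and second threshold
    HIGH = "high"      # above the second threshold


@dataclass(frozen=True)
class PathInfo:
    """Path information received from the source terminal (SRC/DST IP)."""
    src_ip: str
    dst_ip: str


@dataclass
class FlowRules:
    """Paths the controller programs into the routing devices (figure labels)."""
    path_702_direct: bool          # source terminal -> destination terminal
    path_704_to_inspector: bool    # source terminal -> inspection server
    path_706_from_inspector: bool  # inspection server -> destination terminal


class AnalysisServer:
    """Stand-in for analysis server 500; the score table is constructed data."""

    def __init__(self, scores: Dict[str, float]):
        self._scores = scores

    def risk_score(self, ip: str) -> float:
        # An address with no record is treated as having no known risk (assumption).
        return self._scores.get(ip, 0.0)


class SdnController:
    """Models the routing decisions of SDN controller 400."""

    def __init__(self, analysis: AnalysisServer,
                 first_threshold: float = 0.3, second_threshold: float = 0.7):
        if not 0.0 <= first_threshold < second_threshold:
            raise ValueError("thresholds must satisfy 0 <= first < second")
        self.analysis = analysis
        self.t1 = first_threshold
        self.t2 = second_threshold

    def degree_of_risk(self, path: PathInfo) -> Risk:
        """Query the analysis server for SRC and DST IP and classify the path.

        Taking the higher of the two scores is an assumption; the text only
        says the SRC and/or DST score may be used. A score exactly on a
        threshold is placed in the more cautious tier (also an assumption).
        """
        score = max(self.analysis.risk_score(path.src_ip),
                    self.analysis.risk_score(path.dst_ip))
        if score < self.t1:
            return Risk.LOW
        if score < self.t2:
            return Risk.MEDIUM
        return Risk.HIGH

    def initial_rules(self, path: PathInfo) -> FlowRules:
        """Path control decided before any inspection result is known."""
        risk = self.degree_of_risk(path)
        if risk is Risk.LOW:
            # FIG. 4: no inspection, forward directly.
            return FlowRules(True, False, False)
        if risk is Risk.MEDIUM:
            # FIG. 5: forward directly and also deliver a copy to the inspector.
            return FlowRules(True, True, False)
        # FIGs. 6/7: block the direct path and hold the packet at the inspector.
        return FlowRules(False, True, False)

    def rules_after_inspection(self, path: PathInfo, dangerous: bool) -> FlowRules:
        """Update the paths once inspection server 600 reports its verdict."""
        rules = self.initial_rules(path)
        if dangerous:
            # Stop any in-flight direct transmission (medium case) and never
            # release the inspected packet towards the destination (both cases).
            return FlowRules(False, rules.path_704_to_inspector, False)
        if not rules.path_702_direct and rules.path_704_to_inspector:
            # High risk but found clean: release via the inspector (path 706).
            return FlowRules(False, True, True)
        return rules  # medium and clean: the direct transmission stands
```

The example generalises the page's three scenarios by also handling the medium-risk packet that turns out dangerous after parallel inspection, which the text treats as blocking both the direct path and the inspector-to-destination path.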
  • the method according to an embodiment may be implemented in the form of program instructions executable by various computer means and recorded on a computer-readable medium.
  • the computer readable medium may include program instructions, data files, data structures, etc. alone or in combination.
  • Program instructions recorded on the media may be those specially designed and constructed for the purposes of this disclosure, or they may be of the kind well-known and available to those having skill in the computer software arts.
  • Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape, and optical media such as CD-ROMs and DVDs.
  • Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network control method and a network control device. The network control method comprises: receiving, from a source terminal, path information indicating a transmission path of a data packet to be transmitted from the source terminal to a destination terminal via at least one routing device among a plurality of routing devices; determining the degree of risk of the received path information; and controlling, according to the determined degree of risk, the data packet transmission path over which the data packet is to be transmitted from the source terminal to the destination terminal.
PCT/KR2019/006242 2018-07-11 2019-05-24 Dispositif et procédé de routage de commande dans un réseau sdn WO2020013439A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2018-0080657 2018-07-11
KR1020180080657A KR102585874B1 (ko) 2018-07-11 2018-07-11 Sdn네트워크에서 라우팅 제어 장치 및 방법

Publications (1)

Publication Number Publication Date
WO2020013439A1 true WO2020013439A1 (fr) 2020-01-16

Family

ID=69142726

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2019/006242 WO2020013439A1 (fr) 2018-07-11 2019-05-24 Dispositif et procédé de routage de commande dans un réseau sdn

Country Status (2)

Country Link
KR (1) KR102585874B1 (fr)
WO (1) WO2020013439A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114237246A (zh) * 2021-12-16 2022-03-25 东软集团股份有限公司 最优巡检路径确定方法、装置、介质和设备
CN115150312A (zh) * 2021-03-31 2022-10-04 华为技术有限公司 一种路由方法及设备
CN114237246B (zh) * 2021-12-16 2024-05-24 东软集团股份有限公司 最优巡检路径确定方法、装置、介质和设备

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102439880B1 (ko) * 2022-01-26 2022-09-05 프라이빗테크놀로지 주식회사 애플리케이션의 파일 송신 및 수신을 제어하기 위한 시스템 및 그에 관한 방법
KR102460693B1 (ko) * 2022-02-23 2022-10-31 프라이빗테크놀로지 주식회사 애플리케이션의 파일 송신 및 수신을 제어하기 위한 시스템 및 그에 관한 방법
KR102609368B1 (ko) * 2023-02-22 2023-12-05 프라이빗테크놀로지 주식회사 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7869352B1 (en) * 2002-08-26 2011-01-11 Juniper Networks, Inc. Adaptive network router
US20120030302A1 (en) * 2004-05-25 2012-02-02 Google Inc. Electronic message source reputation information system
US20160248806A1 (en) * 2015-02-23 2016-08-25 Level 3 Communications, Llc Managing traffic control in a network mitigating ddos
US20160330236A1 (en) * 2015-05-08 2016-11-10 Citrix Systems, Inc. Combining internet routing information with access logs to assess risk of user exposure
KR20170133790A (ko) * 2016-05-26 2017-12-06 한국전자통신연구원 상황인지 기반 의심 트래픽 대응 장치 및 방법

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102118687B1 (ko) * 2013-11-15 2020-06-03 삼성전자주식회사 SDN(Software-defined networking)에서 네트워크 장애 해소를 위한 컨트롤러 및 스위치의 동작 방법과, 이를 위한 컨트롤러 및 스위치

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150312A (zh) * 2021-03-31 2022-10-04 华为技术有限公司 一种路由方法及设备
CN115150312B (zh) * 2021-03-31 2024-05-17 华为技术有限公司 一种路由方法及设备
CN114237246A (zh) * 2021-12-16 2022-03-25 东软集团股份有限公司 最优巡检路径确定方法、装置、介质和设备
CN114237246B (zh) * 2021-12-16 2024-05-24 东软集团股份有限公司 最优巡检路径确定方法、装置、介质和设备

Also Published As

Publication number Publication date
KR20200006824A (ko) 2020-01-21
KR102585874B1 (ko) 2023-10-06

Similar Documents

Publication Publication Date Title
WO2020013439A1 (fr) Dispositif et procédé de routage de commande dans un réseau sdn
US9407602B2 (en) Methods and apparatus for redirecting attacks on a network
US6496935B1 (en) System, device and method for rapid packet filtering and processing
US6854063B1 (en) Method and apparatus for optimizing firewall processing
WO2015152436A1 (fr) Système de chaînage de services basé sur un réseau sdn
WO2012153913A1 (fr) Procédé de défense contre une attaque par usurpation d'identité à l'aide d'un serveur de blocage
WO2012108687A2 (fr) Procédé de détection d'attaques par usurpation arp à l'aide d'un verrouillage arp et support d'enregistrement lisible par ordinateur stockant un programme servant à exécuter le procédé
JP6994123B2 (ja) コンテナネットワークのためのセキュリティ
WO2021020934A1 (fr) Procédé de réponse à une intrusion basé sur un rptd pour réseau embarqué, et système l'utilisant
WO2015034241A1 (fr) Procédé et système pour configurer un pare-feu de passerelle domestique intelligente
WO2023085791A1 (fr) Système de contrôle de l'accès au réseau basé sur un contrôleur et procédé associé
WO2022235007A1 (fr) Système de commande d'accès au réseau basé sur un dispositif de commande, et son procédé
WO2013085217A1 (fr) Système de gestion de la sécurité ayant de multiples serveurs de relais, et procédé de gestion de la sécurité
WO2020130158A1 (fr) Système de réseau fronthaul ouvert
WO2015194829A2 (fr) Procédé de détection d'un certain nombre de dispositifs sélectionnés parmi une pluralité de terminaux clients dans un réseau privé à l'aide du même ip public par un serveur web doté d'un nom de domaine non spécifié supplémentaire à partir d'un trafic de demandes d'accès à l'internet du terminal client faisant une demande d'accès à l'internet, et système de détection sélective pour un dispositif dans un état dans lequel un ip public est partagé
WO2017026840A1 (fr) Dispositif de connexion internet, serveur de gestion central, et procédé de connexion internet
WO2014077615A1 (fr) Système anti-programmes malveillants, procédé de traitement de paquet dans ledit système, et dispositif informatique
WO2019182219A1 (fr) Système de réseau de confiance basé sur une chaîne de blocs
WO2016200232A1 (fr) Système et procédé destinés à un serveur à distance en cas de défaillance d'un serveur de rétablissement
WO2024029658A1 (fr) Système de contrôle d'accès dans un réseau et procédé associé
WO2013151376A1 (fr) Système de sécurité utilisant un double os et procédé associé
WO2019045424A1 (fr) Procédé de déchiffrement de couche de prise de sécurité destinée à la sécurité
WO2019107794A1 (fr) Appareil et procédé de gestion de communication
WO2011062342A1 (fr) Procédé et appareil pour la commande d'un réseau par l'analyse d'un paquet réseau d'un ordinateur personnel
WO2019221346A1 (fr) Procédé d'inspection de réseau effectuant un stockage de paquets et système permettant de mettre en œuvre ce procédé

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19833883

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19833883

Country of ref document: EP

Kind code of ref document: A1