WO2024021495A1 - Method and apparatus for identifying flooding attack in cloud platform, and device and storage medium - Google Patents


Info

Publication number
WO2024021495A1
Authority
WO
WIPO (PCT)
Prior art keywords
cloud platform
network
virtual
parsing
switch
Application number
PCT/CN2022/141869
Other languages
French (fr)
Chinese (zh)
Inventor
肖玮勇
Original Assignee
天翼云科技有限公司
Application filed by 天翼云科技有限公司
Publication of WO2024021495A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 49/00 Packet switching elements
            • H04L 49/70 Virtual switches
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
              • H04L 63/1441 Countermeasures against malicious traffic
          • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/22 Parsing or analysis of headers

Definitions

  • the present invention relates to the field of network security, and in particular to a method, device, equipment and storage medium for identifying flood attacks in a cloud platform.
  • a Transmission Control Protocol (TCP) Synchronize Sequence Numbers (SYN) flooding attack is a type of flooding attack that affects network security.
  • in related technology, a border firewall is set up at the network exit of the cloud platform and is used to identify centrally whether network packets passing through the network exit constitute a TCP SYN flooding attack. If the volume of network packets is large, this places heavy performance pressure on the border firewall.
  • This application provides a method, device, equipment and storage medium for identifying flood attacks in a cloud platform.
  • the technical solution is as follows.
  • in one aspect, a method for identifying flood attacks in a cloud platform is provided.
  • the method is executed by a controller provided in the cloud platform.
  • the method includes: receiving parsing results of network packets sent by different virtual switches in the cloud platform; within the current statistical period, analyzing the parsing results from the different virtual switches to obtain a count value corresponding to the same parsing result; and identifying a flooding attack in the cloud platform when the count value exceeds a threshold.
  • in another aspect, a method for identifying flood attacks in a cloud platform is provided.
  • the method is executed by a virtual switch provided in the cloud platform.
  • the method includes: collecting network packets flowing through the virtual switch; parsing the network packets to obtain their parsing results; and sending the parsing results to the controller in the cloud platform, so that the controller can count the same parsing result across virtual switches within the current statistical period and identify a flooding attack when the count value exceeds a threshold.
  • a device for identifying flood attacks in a cloud platform includes:
  • An analysis result receiving module configured to receive analysis results of network messages sent by different virtual switches in the cloud platform
  • a statistics module configured to analyze the parsing results of network messages from the different virtual switches within the current statistical period, and obtain a count value corresponding to the same parsing result
  • a flooding attack identification module is configured to identify a flooding attack in the cloud platform when the count value exceeds a threshold.
  • the parsing result includes the following fields: source IP, destination IP, TCP port, and SYN equal to 1.
  • the network packets include:
  • network packets sent by user virtual machines in the cloud platform to other user virtual machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent by user virtual machines in the cloud platform to physical machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent by physical machines in the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent from the Internet outside the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch.
  • a device for identifying flood attacks in a cloud platform includes:
  • a network packet collection module, used to collect network packets flowing through the virtual switch;
  • a parsing module, used to parse the network packets and obtain their parsing results;
  • a parsing result sending module, configured to send the parsing results of the network packets to the controller in the cloud platform, so that the controller can analyze the parsing results from different virtual switches within the current statistical period, obtain a count value corresponding to the same parsing result, and identify a flooding attack in the cloud platform when the count value exceeds the threshold.
  • the parsing result includes the following fields: source IP, destination IP, TCP port, and SYN equal to 1.
  • the network packets include:
  • network packets sent by user virtual machines in the cloud platform to other user virtual machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent by user virtual machines in the cloud platform to physical machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent by physical machines in the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent from the Internet outside the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch.
  • in yet another aspect, a controller includes a processor and a memory.
  • the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the above method for identifying flooding attacks in the cloud platform.
  • in another aspect, a virtual switch includes a processor and a memory.
  • the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the above method for identifying flooding attacks in the cloud platform.
  • a computer-readable storage medium in which at least one instruction is stored, and the at least one instruction is loaded and executed by a processor to implement the above-mentioned method for identifying flood attacks in a cloud platform.
  • a computer program product or computer program includes computer instructions stored in a computer-readable storage medium.
  • the processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the above-mentioned method for identifying flood attacks in the cloud platform.
  • the virtual switch parses the network packets flowing through it and reports the parsing results of the network packets to the controller in the cloud platform.
  • the controller counts the network packets that share the same parsing result and uses the resulting count value to determine whether there is a flooding attack in the current cloud platform.
  • the parsing of network packets and the judgment of flood attacks are assigned to virtual switches and the controller respectively.
  • because the virtual switches are deployed in a distributed manner, the number of network packets each virtual switch needs to parse is not large; therefore, the performance requirements on devices during flood attack identification are greatly reduced.
  • Figure 1 is a schematic architectural diagram of a cloud platform according to an exemplary embodiment.
  • Figure 2 is a method flow chart of a method for identifying flooding attacks in a cloud platform according to an exemplary embodiment.
  • Figure 3 is a structural block diagram of an apparatus for identifying flood attacks in a cloud platform according to an exemplary embodiment.
  • Figure 4 is a structural block diagram of a device for identifying flood attacks in a cloud platform according to an exemplary embodiment.
  • Figure 5 is a schematic diagram of a controller provided according to an exemplary embodiment of the present application.
  • Figure 6 is a schematic diagram of a virtual switch provided according to an exemplary embodiment of the present application.
  • the "indication" mentioned in the embodiments of this application may be a direct indication, an indirect indication, or an association relationship.
  • "A indicates B" can mean that A directly indicates B (for example, B can be obtained from A); that A indirectly indicates B (for example, A indicates C, and B can be obtained from C); or that there is an association relationship between A and B.
  • "correspond" can mean that there is a direct or indirect correspondence between the two, that there is an association relationship between the two, or a relationship such as indicating and being indicated, or configuring and being configured.
  • predefinition can be achieved by pre-storing corresponding code, tables or other information that can be used to indicate the relevant information in devices (for example, terminal equipment and network equipment).
  • a TCP SYN flood attack is an attack that exploits the three-way handshake of the TCP protocol.
  • the attacker sends a TCP SYN to request a TCP connection.
  • SYN is the first packet in the TCP three-way handshake.
  • the server returns an ACK and the attacker never sends the confirming acknowledgement, so the TCP connection is left suspended, in the so-called half-open state. If the server receives no confirmation, it repeatedly resends the ACK to the attacker, which wastes further server resources.
  • the attacker sends a very large number of such TCP connection requests to the server. Since none of these TCP connections can complete the three-way handshake, on the server they remain suspended and consume central processing unit (CPU) and memory, so the server may crash and be unable to provide services to normal users.
  • in related technology, a border firewall is set up at the network exit of the cloud platform and is used to identify centrally whether network packets passing through the network exit constitute a TCP SYN flood attack. If the volume of network packets is large, this places heavy performance pressure on the border firewall.
  • embodiments of this application provide a flood attack identification method in which a virtual switch in the cloud platform parses the network packets flowing through it and reports the parsing results of those packets.
  • the controller determines whether there is a flooding attack in the current cloud platform based on the count value obtained for the same parsing result.
  • the parsing of network packets and the judgment of flood attacks are assigned to virtual switches and the controller respectively.
  • the number of network packets each virtual switch needs to parse is not large; therefore, the performance requirements on devices during flood attack identification are greatly reduced.
  • Figure 1 shows a schematic architectural diagram of the cloud platform.
  • the cloud platform includes: multiple virtual switches and a controller.
  • virtual switches are distributed across the computing servers in the cloud platform; each is a virtual network element that connects the user virtual machines on its computing server with the physical network.
  • the virtual switch provides network forwarding for virtualization and acts as a bridge between user virtual machines and the physical network, and between user virtual machines.
  • user virtual machines communicate with the physical network through the virtual switch, and communicate with other user virtual machines through the virtual switch.
  • a traffic analysis module is embedded in the virtual switch.
  • the traffic analysis module is mainly responsible for two functions: 1) parsing the collected network packets and generating parsing results; 2) reporting the parsing results to the controller.
  • the controller is a device deployed centrally in the cloud platform and is used to analyze and judge TCP SYN flooding attacks.
  • the virtual switch and the controller can communicate through the management network in the cloud platform.
  • the virtual switches in the cloud platform regularly report the parsing results of network packets to the controller through the management network, so that the controller can analyze and judge TCP SYN flood attacks based on the parsing results received from different virtual switches.
  • FIG. 2 is a method flow chart of a method for identifying flooding attacks in a cloud platform according to an exemplary embodiment. The method is performed by controllers and virtual switches in the cloud platform. As shown in Figure 2, the identification method of the flooding attack may include the following steps:
  • Step 210: the virtual switch collects the network packets flowing through it.
  • a virtual switch is connected to at least one user virtual machine and undertakes the forwarding of those user virtual machines' network packets. Therefore, when these user virtual machines send network packets, or network packets are sent to them, the packets flow through the virtual switch, and the virtual switch collects them.
  • the virtual switch collects network packets sent by user virtual machines in the cloud platform to other user virtual machines in the cloud platform through forwarding by the virtual switch.
  • the virtual switch collects network packets sent by user virtual machines in the cloud platform to physical machines in the cloud platform through forwarding by the virtual switch.
  • the virtual switch collects network packets sent by user virtual machines in the cloud platform to the Internet outside the cloud platform through forwarding by the virtual switch.
  • the virtual switch collects network packets sent by physical machines in the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch.
  • the virtual switch collects network packets sent from the Internet outside the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch.
  • network packets sent by user virtual machines to other user virtual machines in the cloud platform, and network packets sent between user virtual machines and physical machines in the cloud platform, are also collected, so that flooding attacks within the cloud platform can also be identified, thereby providing security protection between user virtual machines in the same cloud platform.
  • Step 220: the virtual switch parses the network packets and obtains their parsing results.
  • after collecting network packets, the virtual switch parses them to obtain the parsing results of the network packets.
  • the parsing result includes the following fields: source network address (Internet Protocol, IP), destination IP, TCP port, and SYN equal to 1. That is, when the virtual switch parses packets, it collects statistics over the fields source IP, destination IP, TCP port, and SYN equal to 1.
  • Step 230: the virtual switch sends the parsing results of the network packets to the controller in the cloud platform.
  • the controller receives the parsing results sent by the virtual switch. It should be understood that multiple virtual switches are generally deployed in a distributed manner in the cloud platform, so all of these virtual switches send the parsing results of their network packets to the controller in the cloud platform.
  • when the virtual switch and the controller have established a connection through the management network, the virtual switch sends the parsing results of the network packets to the controller in the cloud platform through the management network.
  • the virtual switch corresponds to a reporting cycle, and the virtual switch regularly sends the analysis results of the network packets collected during the reporting cycle to the controller in the cloud platform.
  • Step 240: within the current statistical period, the controller analyzes the parsing results of network packets from different virtual switches and obtains a count value corresponding to the same parsing result.
  • the parsing results include the following fields: source IP, destination IP, TCP port, and SYN equal to 1.
  • the controller counts the network packets whose parsing results share the same group of source IP, destination IP, TCP port, and SYN equal to 1, obtaining a count value corresponding to that parsing result.
  • Step 250: when the count value exceeds the threshold, the controller identifies that there is a flooding attack in the cloud platform.
  • after obtaining the count value corresponding to the same parsing result, the controller compares the count value with the threshold; when the count value exceeds the threshold, it determines that there is a flooding attack in the cloud platform.
  • the threshold is preset, or is obtained by the controller through machine learning.
  • the controller can call the alarm interface to issue an alarm indicating that there is a flooding attack in the current cloud platform.
  • the flood attack identification method uses the virtual switches in the cloud platform.
  • each virtual switch parses the network packets flowing through it and reports the parsing results of the network packets to the controller in the cloud platform.
  • the controller determines whether there is a flooding attack in the current cloud platform based on the count value obtained by counting the same parsing results.
  • the parsing of network packets and the judgment of flood attacks are assigned to virtual switches and the controller respectively.
  • the number of network packets each virtual switch needs to parse is not large; therefore, the performance requirements on devices during flood attack identification are greatly reduced.
  • the flood attack identification method provided by this embodiment uses virtual switches to collect network packets, so that network packets sent by user virtual machines to other user virtual machines in the cloud platform, and network packets sent between user virtual machines and physical machines in the cloud platform, can also be collected. This ensures that flooding attacks within the cloud platform can also be identified, thereby providing security protection between user virtual machines in the same cloud platform.
  • Figure 3 is a structural block diagram of an apparatus for identifying flood attacks in a cloud platform according to an exemplary embodiment.
  • the device includes:
  • the analysis result receiving module 301 is used to receive the analysis results of network messages sent by different virtual switches in the cloud platform;
  • the statistics module 302 is configured to analyze the parsing results of network messages from the different virtual switches within the current statistical period, and obtain a count value corresponding to the same parsing result;
  • the flooding attack identification module 303 is configured to identify a flooding attack in the cloud platform when the count value exceeds a threshold.
  • the parsing result includes the following fields: source IP, destination IP, TCP port, and SYN equal to 1.
  • the network packets include:
  • network packets sent by user virtual machines in the cloud platform to other user virtual machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent by user virtual machines in the cloud platform to physical machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent by physical machines in the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent from the Internet outside the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch.
  • Figure 4 is a structural block diagram of a device for identifying flood attacks in a cloud platform according to an exemplary embodiment.
  • the device includes:
  • the network packet collection module 401 is used to collect network packets flowing through the virtual switch;
  • the parsing module 402 is used to parse the network packets and obtain their parsing results;
  • the parsing result sending module 403 is used to send the parsing results of the network packets to the controller in the cloud platform, so that the controller can analyze, within the current statistical period, the parsing results from different virtual switches to obtain a count value corresponding to the same parsing result, and identify a flooding attack in the cloud platform when the count value exceeds the threshold.
  • the parsing result includes the following fields: source IP, destination IP, TCP port, and SYN equal to 1.
  • the network packets include:
  • network packets sent by user virtual machines in the cloud platform to other user virtual machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent by user virtual machines in the cloud platform to physical machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent by physical machines in the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch;
  • network packets sent from the Internet outside the cloud platform to user virtual machines in the cloud platform, forwarded by the virtual switch.
  • the device for identifying flood attacks in the cloud platform provided by the above embodiments is described only by way of the division of functional modules given above.
  • in practical application, the above functions can be allocated to different functional modules as needed, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above.
  • the apparatus and method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process can be found in the method embodiments, which will not be described again here.
  • FIG. 5 is a schematic diagram of a controller provided according to an exemplary embodiment of the present application.
  • the controller includes a memory and a processor.
  • the memory is used to store a computer program.
  • when the computer program is executed by the processor, the above method for identifying flooding attacks in the cloud platform is implemented.
  • the processor may be a central processing unit (Central Processing Unit, CPU).
  • the processor can also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination of such chips.
  • the memory can be used to store non-transitory software programs, non-transitory computer executable programs and modules, such as program instructions/modules corresponding to the methods in the embodiments of the present invention.
  • the processor executes various functional applications and data processing of the processor by running non-transient software programs, instructions and modules stored in the memory, that is, implementing the method in the above method implementation.
  • the memory may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function; the data storage area may store data created by the processor, etc.
  • the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device.
  • the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the processor through a network. Examples of the above-mentioned networks include but are not limited to the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
  • FIG. 6 is a schematic diagram of a virtual switch provided according to an exemplary embodiment of the present application.
  • the virtual switch includes a memory and a processor.
  • the memory is used to store a computer program.
  • when the computer program is executed by the processor, the above method for identifying flooding attacks in the cloud platform is implemented.
  • the processor may be a central processing unit (Central Processing Unit, CPU).
  • the processor can also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination of such chips.
  • the memory can be used to store non-transitory software programs, non-transitory computer executable programs and modules, such as program instructions/modules corresponding to the methods in the embodiments of the present invention.
  • the processor executes various functional applications and data processing of the processor by running non-transient software programs, instructions and modules stored in the memory, that is, implementing the method in the above method implementation.
  • the memory may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function; the data storage area may store data created by the processor, etc.
  • the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device.
  • the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the processor through a network. Examples of the above-mentioned networks include but are not limited to the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
  • a computer-readable storage medium is also provided for storing at least one computer program.
  • the at least one computer program is loaded and executed by the processor to implement all or part of the steps in the above method.
  • the computer-readable storage medium can be a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a compact disc read-only memory (Compact Disc Read-Only Memory, CD-ROM), a tape, a floppy disk, an optical data storage device, etc.

Abstract

The present application relates to the field of network security, and relates to a method and apparatus for identifying a flooding attack in a cloud platform, and a device and a storage medium. The method is executed by a controller arranged in a cloud platform. The method comprises: receiving parsing results of network messages sent by different virtual switches in a cloud platform; within the current statistical period, analyzing the parsing results of the network messages from the different virtual switches, so as to obtain a count value corresponding to the same parsing result; and when the count value exceeds a threshold value, determining that there is a flooding attack in the cloud platform. The parsing work of network messages and the determination work of a flooding attack are respectively allocated to virtual switches and a controller for execution; in addition, since the virtual switches are deployed in a cloud platform in a distributed manner, the number of network messages that need to be analyzed by each virtual switch is not large, such that the performance requirements for a device during the identification process of a flooding attack can be reduced.

Description

Method, apparatus, device and storage medium for identifying flooding attacks in a cloud platform

Technical field
The present application relates to the field of network security, and in particular to a method, apparatus, device and storage medium for identifying flooding attacks in a cloud platform.
Background
A Transmission Control Protocol (TCP) Synchronize Sequence Numbers (SYN) flooding attack is one type of flooding attack that threatens network security.
Technical problem
In the related art, a border firewall is deployed at the network egress of the cloud platform, and this single border firewall identifies whether the network packets passing through the egress constitute a TCP SYN flooding attack. When the packet volume is large, this places heavy performance pressure on the border firewall.
Technical solution
The present application provides a method, apparatus, device and storage medium for identifying flooding attacks in a cloud platform. The technical solution is as follows.
In one aspect, a method for identifying a flooding attack in a cloud platform is provided. The method is executed by a controller deployed in the cloud platform and comprises:
receiving parsing results of network packets sent by different virtual switches in the cloud platform;
within the current statistical period, analyzing the parsing results of the network packets from the different virtual switches to obtain a count value corresponding to the same parsing result;
when the count value exceeds a threshold, identifying that a flooding attack is present in the cloud platform.
In one aspect, a method for identifying a flooding attack in a cloud platform is provided. The method is executed by a virtual switch deployed in the cloud platform and comprises:
collecting network packets flowing through the virtual switch;
parsing the network packets to obtain parsing results of the network packets;
sending the parsing results of the network packets to a controller in the cloud platform, so that the controller, within the current statistical period, analyzes the parsing results of network packets from different virtual switches to obtain a count value corresponding to the same parsing result, and identifies that a flooding attack is present in the cloud platform when the count value exceeds a threshold.
In another aspect, an apparatus for identifying a flooding attack in a cloud platform is provided. The apparatus comprises:
a parsing result receiving module, configured to receive parsing results of network packets sent by different virtual switches in the cloud platform;
a statistics module, configured to analyze, within the current statistical period, the parsing results of network packets from the different virtual switches to obtain a count value corresponding to the same parsing result;
a flooding attack identification module, configured to identify that a flooding attack is present in the cloud platform when the count value exceeds a threshold.
In a possible implementation, the parsing result includes the following fields:
source IP;
destination IP;
TCP port;
SYN equal to 1.
In a possible implementation, the network packets include:
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to other user virtual machines in the cloud platform;
or,
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to a physical machine in the cloud platform;
or,
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to the Internet outside the cloud platform;
or,
network packets sent by a physical machine in the cloud platform, forwarded by the virtual switch, to a user virtual machine in the cloud platform;
or,
network packets sent from the Internet outside the cloud platform, forwarded by the virtual switch, to a user virtual machine in the cloud platform.
In another aspect, an apparatus for identifying a flooding attack in a cloud platform is provided. The apparatus comprises:
a network packet collection module, configured to collect network packets flowing through the virtual switch;
a parsing module, configured to parse the network packets to obtain parsing results of the network packets;
a parsing result sending module, configured to send the parsing results of the network packets to the controller in the cloud platform, so that the controller, within the current statistical period, analyzes the parsing results of network packets from different virtual switches to obtain a count value corresponding to the same parsing result, and identifies that a flooding attack is present in the cloud platform when the count value exceeds a threshold.
In a possible implementation, the parsing result includes the following fields:
source IP;
destination IP;
TCP port;
SYN equal to 1.
In a possible implementation, the network packets include:
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to other user virtual machines in the cloud platform;
or,
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to a physical machine in the cloud platform;
or,
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to the Internet outside the cloud platform;
or,
network packets sent by a physical machine in the cloud platform, forwarded by the virtual switch, to a user virtual machine in the cloud platform;
or,
network packets sent from the Internet outside the cloud platform, forwarded by the virtual switch, to a user virtual machine in the cloud platform.
In yet another aspect, a controller is provided. The controller includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the above method for identifying a flooding attack in a cloud platform.
In yet another aspect, a virtual switch is provided. The virtual switch includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the above method for identifying a flooding attack in a cloud platform.
In another aspect, a computer-readable storage medium is provided. The storage medium stores at least one instruction, which is loaded and executed by a processor to implement the above method for identifying a flooding attack in a cloud platform.
In yet another aspect, a computer program product or computer program is provided, comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the above method for identifying a flooding attack in a cloud platform.
Beneficial effects
Using the virtual switches in the cloud platform, each virtual switch parses the network packets flowing through it and reports the parsing results to the controller in the cloud platform; the controller then judges whether a flooding attack is present in the cloud platform based on the count value obtained by counting identical parsing results. On the one hand, the parsing of network packets and the judgment of flooding attacks are assigned to the virtual switches and the controller respectively; on the other hand, because the virtual switches are deployed in a distributed manner across the cloud platform, each virtual switch only has to analyze a small number of network packets. The performance requirements placed on any one device during flooding attack identification are therefore greatly reduced.
Description of drawings
To explain more clearly the specific embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic architecture diagram of a cloud platform according to an exemplary embodiment.
Figure 2 is a flow chart of a method for identifying a flooding attack in a cloud platform according to an exemplary embodiment.
Figure 3 is a structural block diagram of an apparatus for identifying a flooding attack in a cloud platform according to an exemplary embodiment.
Figure 4 is a structural block diagram of an apparatus for identifying a flooding attack in a cloud platform according to an exemplary embodiment.
Figure 5 is a schematic diagram of a controller provided according to an exemplary embodiment of the present application.
Figure 6 is a schematic diagram of a virtual switch provided according to an exemplary embodiment of the present application.
Embodiments of the invention
The technical solution of the present application is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, rather than all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
It should be understood that an "indication" mentioned in the embodiments of the present application may be a direct indication, an indirect indication, or an association relationship. For example, "A indicates B" may mean that A directly indicates B, e.g. B can be obtained from A; it may mean that A indirectly indicates B, e.g. A indicates C and B can be obtained from C; or it may mean that there is an association between A and B.
In the description of the embodiments of the present application, the term "correspondence" may mean a direct or indirect correspondence between two things, an association between them, or a relationship such as indicating and being indicated, or configuring and being configured.
In the embodiments of the present application, "predefined" may be implemented by pre-storing corresponding code, tables, or other means capable of indicating the relevant information in devices (for example, terminal devices and network devices); the present application does not limit the specific implementation.
Before describing the embodiments shown in the present application, the concepts involved are introduced first.
TCP SYN flooding attack: an attack that exploits the three-way handshake of the TCP protocol.
It occurs at layer four of the Open System Interconnection (OSI) model. The attacker sends a TCP SYN to initiate a TCP connection; the SYN is the first packet of the TCP three-way handshake. The server responds with a SYN-ACK, but the attacker never sends the final ACK, so the connection stays pending in the so-called half-open state. Having received no final acknowledgment, the server retransmits its SYN-ACK to the attacker, wasting further server resources.
The attacker opens a very large number of such connections against the server. Because none of them can complete the three-way handshake, these pending connections consume the server's central processing unit (CPU) and memory, and in the end the server may crash and be unable to serve legitimate users.
Against TCP SYN flooding attacks in a cloud platform, the related art deploys a border firewall at the network egress of the cloud platform, and this single border firewall identifies whether the network packets passing through the egress constitute a TCP SYN flooding attack. When the packet volume is large, this places heavy performance pressure on the border firewall.
To address this problem, the embodiments of the present application provide a method for identifying flooding attacks that uses the virtual switches in the cloud platform: each virtual switch parses the network packets flowing through it and reports the parsing results to the controller in the cloud platform, and the controller judges whether a flooding attack is present in the cloud platform based on the count value obtained by counting identical parsing results. On the one hand, the parsing of network packets and the judgment of flooding attacks are assigned to the virtual switches and the controller respectively; on the other hand, because the virtual switches are deployed in a distributed manner across the cloud platform, each virtual switch only has to analyze a small number of network packets. The performance requirements placed on any one device during flooding attack identification are therefore greatly reduced.
The technical solution provided by the present application is described below with reference to the following embodiments.
Reference is made to Figure 1, which shows a schematic architecture diagram of the cloud platform. The cloud platform includes multiple virtual switches and one controller.
A virtual switch runs on every compute server in the cloud platform; it is a virtual network element that connects the user virtual machines on that compute server to the physical network.
Specifically, a virtual switch provides network forwarding for virtualization and bridges user virtual machines to the physical network and to one another: a user virtual machine communicates with the physical network through the virtual switch, and communicates with other user virtual machines through the virtual switch.
In the embodiments of the present application, a traffic analysis module is embedded in the virtual switch. The traffic analysis module is responsible for two functions: 1) parsing the collected network packets and generating parsing results; 2) reporting the parsing results to the controller.
The controller is a device deployed centrally in the cloud platform and is used to analyze and judge TCP SYN flooding attacks.
In the embodiments of the present application, the virtual switches and the controller can communicate over the management network of the cloud platform. The virtual switches periodically report the parsing results of network packets to the controller over the management network, so that the controller can analyze and judge TCP SYN flooding attacks based on the parsing results received from the different virtual switches.
Figure 2 is a flow chart of a method for identifying a flooding attack in a cloud platform according to an exemplary embodiment. The method is executed by the controller and the virtual switches in the cloud platform. As shown in Figure 2, the method may include the following steps:
Step 210: the virtual switch collects the network packets flowing through it.
In the cloud platform, a virtual switch is connected to at least one user virtual machine and forwards the network packets of those user virtual machines. Therefore, when a user virtual machine sends network packets, or network packets are sent to it, the packets flow through the virtual switch, which collects them.
In a possible implementation, the virtual switch collects network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to other user virtual machines in the cloud platform.
In a possible implementation, the virtual switch collects network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to a physical machine in the cloud platform.
In a possible implementation, the virtual switch collects network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to the Internet outside the cloud platform.
In a possible implementation, the virtual switch collects network packets sent by a physical machine in the cloud platform, forwarded by the virtual switch, to a user virtual machine in the cloud platform.
In a possible implementation, the virtual switch collects network packets sent from the Internet outside the cloud platform, forwarded by the virtual switch, to a user virtual machine in the cloud platform.
It should be understood that, for network packets exchanged between user virtual machines inside the cloud platform, or between a user virtual machine and a physical machine inside the cloud platform, the traffic does not pass through the network egress. The related-art solution of collecting packets at the egress with a border firewall therefore never sees these types of network packets.
In the embodiments of the present application, by using the virtual switches to collect network packets, the packets that user virtual machines send to other user virtual machines in the cloud platform, and the packets exchanged between user virtual machines and physical machines inside the cloud platform, are also collected. This ensures that flooding attacks launched from inside the cloud platform can also be identified, providing security protection between user virtual machines within the same cloud platform.
Step 220: the virtual switch parses the network packets to obtain parsing results.
After collecting network packets, the virtual switch parses them to obtain the parsing results of the network packets.
In a possible implementation, the parsing result includes the following fields: source Internet Protocol (IP) address, destination IP address, TCP port, and SYN equal to 1. That is, when parsing, the virtual switch collects and counts information keyed by source IP, destination IP, TCP port, and SYN equal to 1.
Step 230: the virtual switch sends the parsing results of the network packets to the controller in the cloud platform.
Correspondingly, the controller receives the parsing results sent by the virtual switch. It should be understood that multiple virtual switches are generally deployed in a distributed manner in the cloud platform, so all of these virtual switches send their parsing results to the controller in the cloud platform.
For example, when the virtual switch and the controller are connected through the management network, the virtual switch sends the parsing results to the controller in the cloud platform over the management network.
For example, each virtual switch has a reporting period and periodically sends the controller in the cloud platform the parsing results of the network packets collected during that reporting period.
Step 240: within the current statistical period, the controller analyzes the parsing results of network packets from different virtual switches to obtain a count value corresponding to the same parsing result.
When the parsing result includes the fields source IP, destination IP, TCP port, and SYN equal to 1, the controller counts, within the current statistical period, the network packets that share the same set of source IP, destination IP, TCP port, and SYN equal to 1, obtaining the count value corresponding to that parsing result.
Step 250: when the count value exceeds the threshold, the controller identifies that a flooding attack is present in the cloud platform.
After the controller obtains the count value corresponding to the same parsing result, it compares the count value with the threshold, and when the count value exceeds the threshold it determines that a flooding attack is present in the cloud platform.
For example, the threshold is preset, or is obtained by the controller through machine learning.
For example, after identifying that a flooding attack is present in the cloud platform, the controller may call an alarm interface to raise an alarm that a flooding attack is currently present in the cloud platform.
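The pipeline of steps 210 to 250, as an added example in Python. This is not code from the patent or from the applicant; it is written here to show the two halves working together. Beyond what the text states, it assumes that the virtual switch sees raw IPv4/TCP packets with the Ethernet header already stripped, that "TCP port" means the destination port, that a parsing result is produced only for packets with SYN set and ACK clear (a SYN-ACK also carries SYN=1 but is the server's reply, not a connection attempt), and that the statistical period is a fixed-length window that resets the counters. The switch identifiers, addresses, packets and threshold are constructed. The example also goes one step beyond the text: besides the per-(source IP, destination IP, port) count the patent describes, it keeps a per-(destination IP, port) count, because a flood sent from randomized, spoofed source addresses spreads over many distinct keys and would never push any single key over the threshold.

```python
import struct
from collections import Counter
from ipaddress import ip_address

SYN = 0x02  # TCP flag bits
ACK = 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Virtual-switch side (step 220). Returns the parsing result
    (src_ip, dst_ip, dst_port) for an IPv4/TCP packet with SYN=1 and ACK=0,
    i.e. a connection attempt; None for anything else (non-IPv4, non-TCP,
    truncated, SYN-ACK, data segments). Assumes the Ethernet header is gone."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                              # IPv4 header length
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[9] != 6:     # protocol 6 = TCP
        return None
    src = str(ip_address(pkt[12:16]))
    dst = str(ip_address(pkt[16:20]))
    tcp = pkt[ihl:]
    _sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    if flags & SYN and not flags & ACK:
        return (src, dst, dport)
    return None


def build_packet(src: str, dst: str, dport: int, flags: int = SYN) -> bytes:
    """Constructed test input: minimal 20-byte IPv4 header + 20-byte TCP header.
    Checksums are left as zero; the parser does not validate them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr


class Controller:
    """Controller side (steps 240 and 250). Counts identical parsing results
    from all virtual switches within the current statistical period. The period
    is a fixed window measured from the first report; a report arriving after
    the window has elapsed starts a new period and discards the old counts
    (an assumption: the patent does not say how periods are delimited)."""

    def __init__(self, threshold: int, period_s: float):
        self.threshold = threshold
        self.period_s = period_s
        self.period_start = None
        self.by_tuple = Counter()   # (src, dst, port) -> count, as in the patent
        self.by_dest = Counter()    # (dst, port) -> count, added for spoofed sources

    def ingest(self, switch_id: str, now: float, results) -> None:
        """Receive one report (step 230) from `switch_id`, sent at time `now`."""
        if self.period_start is None or now - self.period_start >= self.period_s:
            self.period_start = now
            self.by_tuple.clear()
            self.by_dest.clear()
        for src, dst, port in results:
            self.by_tuple[(src, dst, port)] += 1
            self.by_dest[(dst, port)] += 1

    def alerts(self) -> dict:
        """Per-(src, dst, port) keys over the threshold in the current period."""
        return {k: c for k, c in self.by_tuple.items() if c > self.threshold}

    def dest_alerts(self) -> dict:
        """Per-(dst, port) keys over the threshold: catches floods whose
        spoofed source addresses never repeat, which alerts() cannot see."""
        return {k: c for k, c in self.by_dest.items() if c > self.threshold}


def demo():
    """End-to-end run on constructed traffic from two virtual switches."""
    victim = "10.0.1.9"
    traffic = {
        "vswitch-1": [build_packet("10.0.0.5", victim, 443) for _ in range(120)]
                     + [build_packet("10.0.0.7", victim, 443, SYN | ACK)]   # reply, ignored
                     + [build_packet("10.0.0.7", victim, 80)],              # one normal SYN
        "vswitch-2": [build_packet("10.0.0.5", victim, 443) for _ in range(100)]
                     # 250 SYNs to port 22, each from a different spoofed source
                     + [build_packet(f"172.16.0.{i}", victim, 22) for i in range(250)],
    }
    ctl = Controller(threshold=200, period_s=10.0)
    for switch_id, pkts in traffic.items():
        results = [r for r in map(parse_ipv4_tcp, pkts) if r is not None]
        ctl.ingest(switch_id, now=1.0, results=results)
    return ctl.alerts(), ctl.dest_alerts()


if __name__ == "__main__":
    print(demo())
```

The per-tuple counter flags the 220 SYNs that 10.0.0.5 sends to 10.0.1.9:443 across the two switches, which neither switch alone would have seen cross the threshold; the 250 SYNs to port 22 from 250 distinct spoofed sources are invisible to that counter and only appear in the per-destination one. Period handling is driven by the report timestamps rather than a wall clock so the run is deterministic; in a deployment the reports arrive over the management network at each switch's reporting period, and the threshold (preset or learned, as the text says) is applied at the end of each statistical period.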
In summary, the method for identifying flooding attacks provided by this embodiment uses the virtual switches in the cloud platform: each virtual switch parses the network packets flowing through it and reports the parsing results to the controller in the cloud platform, and the controller judges whether a flooding attack is present in the cloud platform based on the count value obtained by counting identical parsing results. On the one hand, the parsing of network packets and the judgment of flooding attacks are assigned to the virtual switches and the controller respectively; on the other hand, because the virtual switches are deployed in a distributed manner across the cloud platform, each virtual switch only has to analyze a small number of network packets. The performance requirements placed on any one device during flooding attack identification are therefore greatly reduced.
In addition, the virtual switches collect the traffic inside the cloud platform in a distributed manner. Since the traffic inside the cloud platform is east-west traffic, this technical solution scales out horizontally.
In addition, by using the virtual switches to collect network packets, the method for identifying flooding attacks provided by this embodiment also collects the packets that user virtual machines send to other user virtual machines in the cloud platform and the packets exchanged between user virtual machines and physical machines inside the cloud platform. This ensures that flooding attacks launched from inside the cloud platform can also be identified, providing security protection between user virtual machines within the same cloud platform.
It should be noted that the above method embodiments may be implemented individually or in combination; the present application does not limit this.
Figure 3 is a structural block diagram of an apparatus for identifying a flooding attack in a cloud platform according to an exemplary embodiment. The apparatus comprises:
a parsing result receiving module 301, configured to receive parsing results of network packets sent by different virtual switches in the cloud platform;
a statistics module 302, configured to analyze, within the current statistical period, the parsing results of network packets from the different virtual switches to obtain a count value corresponding to the same parsing result;
a flooding attack identification module 303, configured to identify that a flooding attack is present in the cloud platform when the count value exceeds a threshold.
In a possible implementation, the parsing result includes the following fields:
source IP;
destination IP;
TCP port;
SYN equal to 1.
In a possible implementation, the network packets include:
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to other user virtual machines in the cloud platform;
or,
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to a physical machine in the cloud platform;
or,
network packets sent by a user virtual machine in the cloud platform, forwarded by the virtual switch, to the Internet outside the cloud platform;
or,
network packets sent by a physical machine in the cloud platform, forwarded by the virtual switch, to a user virtual machine in the cloud platform;
or,
network packets sent from the Internet outside the cloud platform, forwarded by the virtual switch, to a user virtual machine in the cloud platform.
Figure 4 is a structural block diagram of an apparatus for identifying a flooding attack in a cloud platform according to an exemplary embodiment. The apparatus includes:
The network packet collection module 401 is configured to collect the network packets flowing through the virtual switch;
The parsing module 402 is configured to parse the network packets and obtain the parse result of each network packet;
The parse result sending module 403 is configured to send the parse results of the network packets to the controller in the cloud platform, so that the controller, within the current statistical period, analyzes the parse results of network packets from different virtual switches, obtains a count value for each distinct parse result, and identifies that a flooding attack exists in the cloud platform when the count value exceeds a threshold.
In a possible implementation, the parse result includes the following fields:
source IP;
destination IP;
TCP port;
SYN equal to 1 (the TCP SYN flag is set).
In a possible implementation, the network packets include:
network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to other user virtual machines in the cloud platform;
or,
network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to a physical machine in the cloud platform;
or,
network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to the Internet outside the cloud platform;
or,
network packets sent by a physical machine in the cloud platform, via forwarding by the virtual switch, to a user virtual machine in the cloud platform;
or,
network packets sent from the Internet outside the cloud platform, via forwarding by the virtual switch, to a user virtual machine in the cloud platform.
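The switch-side procedure (modules 401 to 403) and the controller-side counting (modules 301 to 303) described above, as an added worked example in Python that is not part of the patent or of any product of the applicant. It assumes raw IPv4/TCP packets with no link-layer header, reads "TCP port" as the destination port, and reports only packets with SYN=1 and ACK=0 so that SYN-ACK replies are not counted; none of these choices is stated in the patent. It also goes one step beyond the patent: a second counter keyed only on (destination IP, destination port) is kept, because a flood with spoofed source addresses spreads over many distinct parse results and no single count would ever reach the threshold. All addresses, switch names, thresholds and traffic are constructed.

```python
# Added example, not code from the patent or its applicant. Switch side:
# parse_packet() reduces a raw IPv4/TCP packet to the (src IP, dst IP, TCP port)
# parse result and reports it only when SYN=1. Controller side: FloodController
# counts identical parse results from all switches within one statistical period.
# Assumptions not taken from the patent: "TCP port" is the destination port; only
# SYN=1/ACK=0 packets are reported; the per-(dst IP, port) counter is an addition.
import socket
import struct
from collections import Counter
from typing import List, Optional, Tuple

TCP_SYN, TCP_ACK = 0x02, 0x10
ParseResult = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port); SYN=1 implied


def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed IPv4+TCP packet, no options or payload; checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw: bytes) -> Optional[ParseResult]:
    """Switch side: parse result for a pure SYN (SYN=1, ACK=0), otherwise None."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:  # IPv4 carrying TCP only
        return None
    ihl = (raw[0] & 0x0F) * 4
    if len(raw) < ihl + 20:
        return None
    src_ip, dst_ip = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    flags = raw[ihl + 13]
    if flags & TCP_SYN and not flags & TCP_ACK:
        return (src_ip, dst_ip, dport)
    return None


class FloodController:
    """Controller side: per-period counters over parse results from all switches."""

    def __init__(self, period_s: float, threshold: int, dst_threshold: int) -> None:
        self.period_s, self.threshold, self.dst_threshold = period_s, threshold, dst_threshold
        self._window: Optional[int] = None
        self._exact: Counter = Counter()    # (src, dst, port) -> count, as in the patent
        self._per_dst: Counter = Counter()  # (dst, port) -> count, spoofed-source refinement
        self._alerted: set = set()          # keys already reported in this period

    def ingest(self, switch_id: str, result: ParseResult, ts: float) -> List[str]:
        """Record one parse result reported at time ts; return alerts it triggers."""
        window = int(ts // self.period_s)
        if window != self._window:          # new statistical period: count afresh
            self._window = window
            self._exact.clear()
            self._per_dst.clear()
            self._alerted.clear()
        alerts: List[str] = []
        dst_key = (result[1], result[2])
        self._exact[result] += 1
        self._per_dst[dst_key] += 1
        if self._exact[result] > self.threshold and ("exact", result) not in self._alerted:
            self._alerted.add(("exact", result))
            alerts.append(f"SYN flood {result[0]} -> {result[1]}:{result[2]}: "
                          f"{self._exact[result]} SYN in period {window} (last via {switch_id})")
        if self._per_dst[dst_key] > self.dst_threshold and ("dst", dst_key) not in self._alerted:
            self._alerted.add(("dst", dst_key))
            alerts.append(f"SYN flood on {dst_key[0]}:{dst_key[1]} from many sources: "
                          f"{self._per_dst[dst_key]} SYN in period {window}")
        return alerts


def simulate() -> Tuple[List[str], int]:
    """Constructed traffic seen by two virtual switches; returns (alerts, ignored packets)."""
    ctrl = FloodController(period_s=1.0, threshold=100, dst_threshold=150)
    alerts: List[str] = []
    t, ignored = 0.0, 0

    def report(switch_id: str, raw: bytes) -> None:
        nonlocal t, ignored
        t += 0.001                                # packets arrive 1 ms apart
        result = parse_packet(raw)
        if result is None:
            ignored += 1
            return
        alerts.extend(ctrl.ingest(switch_id, result, t))

    victim = "10.0.1.9"
    for i in range(120):                          # one attacker VM, SYNs split over two switches
        report("vs-1" if i % 2 else "vs-2",
               build_tcp_packet("10.0.0.5", victim, 40000 + i, 443, TCP_SYN))
    # the victim's SYN-ACK reply also has SYN=1, but ACK=1, so it is not reported
    report("vs-2", build_tcp_packet(victim, "10.0.0.5", 443, 40000, TCP_SYN | TCP_ACK))
    report("vs-1", build_tcp_packet("10.0.0.7", victim, 51000, 22, TCP_SYN))  # legitimate SSH
    for i in range(80):                           # spoofed sources: every parse result distinct
        report("vs-1", build_tcp_packet(f"192.0.2.{i + 1}", victim, 50000 + i, 443, TCP_SYN))
    t = 1.5                                       # next statistical period: counters reset
    report("vs-2", build_tcp_packet("10.0.0.5", victim, 40999, 443, TCP_SYN))
    return alerts, ignored
```

Call simulate() to run the constructed traffic: the attacker VM's SYNs, split across two switches, are only caught because the controller merges counts from both; the spoofed-source burst is caught only by the added per-destination counter. Threshold and period are deployment choices, and because the patent's count is reset every period, an attacker pacing SYNs just under the threshold in each period is never flagged; a rate measured over several periods, or a sliding window, is worth considering alongside the single-period count.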
It should be noted that the apparatus for identifying a flooding attack in a cloud platform provided by the above embodiments is described only by way of example in terms of the division into the functional modules above. In practice, the functions may be assigned to different functional modules as required, that is, the internal structure of the device may be divided into functional modules other than those shown, to perform all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments above share the same concept; for the specific implementation process, refer to the method embodiments, which are not repeated here.
Refer to Figure 5, which is a schematic diagram of a controller provided according to an exemplary embodiment of the present application. The controller includes a memory and a processor. The memory stores a computer program which, when executed by the processor, implements the method for identifying a flooding attack in a cloud platform described above.
The processor may be a central processing unit (CPU). The processor may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination of these.
The memory, as a non-transitory computer-readable storage medium, may store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the methods in the embodiments of the present invention. By running the non-transitory software programs, instructions and modules stored in the memory, the processor performs its functional applications and data processing, that is, implements the method of the method embodiments above.
The memory may include a program storage area and a data storage area. The program storage area may store an operating system and the application program required for at least one function; the data storage area may store data created by the processor, and so on. In addition, the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor, connected to the processor over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
Refer to Figure 6, which is a schematic diagram of a virtual switch provided according to an exemplary embodiment of the present application. The virtual switch includes a memory and a processor. The memory stores a computer program which, when executed by the processor, implements the method for identifying a flooding attack in a cloud platform described above.
The processor and memory of the virtual switch may take the same forms as described above for the controller: the processor may be a CPU, another general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or a combination of these; the memory is a non-transitory computer-readable storage medium with a program storage area and a data storage area, may combine high-speed random access memory with non-transitory storage such as disk or flash devices, and may optionally include memory located remotely from the processor and reached over a network.
In an exemplary embodiment, a computer-readable storage medium is further provided, storing at least one computer program which is loaded and executed by a processor to implement all or part of the steps of the method above. For example, the computer-readable storage medium may be a read-only memory (ROM), a random access memory (RAM), a compact disc read-only memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, or the like.
Other embodiments of the present application will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or customary technical means in the art not disclosed herein. The specification and examples are to be considered exemplary only, with the true scope and spirit of the application indicated by the following claims.
It is to be understood that the present application is not limited to the precise structures described above and illustrated in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the application is limited only by the appended claims.

Claims (10)

  1. A method for identifying a flooding attack in a cloud platform, characterized in that the method is executed by a controller provided in the cloud platform and includes:
    receiving parse results of network packets sent by different virtual switches in the cloud platform;
    within the current statistical period, analyzing the parse results of the network packets from the different virtual switches to obtain a count value corresponding to each identical parse result;
    identifying that a flooding attack exists in the cloud platform when the count value exceeds a threshold.
  2. The method according to claim 1, characterized in that the parse result includes the following fields:
    source network address (IP);
    destination IP;
    Transmission Control Protocol (TCP) port;
    synchronize sequence numbers (SYN) flag equal to 1.
  3. The method according to claim 1, characterized in that the network packets include:
    network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to other user virtual machines in the cloud platform;
    or,
    network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to a physical machine in the cloud platform;
    or,
    network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to the Internet outside the cloud platform;
    or,
    network packets sent by a physical machine in the cloud platform, via forwarding by the virtual switch, to a user virtual machine in the cloud platform;
    or,
    network packets sent from the Internet outside the cloud platform, via forwarding by the virtual switch, to a user virtual machine in the cloud platform.
  4. A method for identifying a flooding attack in a cloud platform, characterized in that the method is executed by a virtual switch provided in the cloud platform and includes:
    collecting network packets flowing through the virtual switch;
    parsing the network packets to obtain the parse result of each network packet;
    sending the parse results of the network packets to a controller in the cloud platform, so that the controller, within the current statistical period, analyzes the parse results of network packets from different virtual switches, obtains a count value corresponding to each identical parse result, and identifies that a flooding attack exists in the cloud platform when the count value exceeds a threshold.
  5. The method according to claim 4, characterized in that the parse result includes the following fields:
    source network address (IP);
    destination IP;
    Transmission Control Protocol (TCP) port;
    synchronize sequence numbers (SYN) flag equal to 1.
  6. The method according to claim 4, characterized in that the network packets include:
    network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to other user virtual machines in the cloud platform;
    or,
    network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to a physical machine in the cloud platform;
    or,
    network packets sent by a user virtual machine in the cloud platform, via forwarding by the virtual switch, to the Internet outside the cloud platform;
    or,
    network packets sent by a physical machine in the cloud platform, via forwarding by the virtual switch, to a user virtual machine in the cloud platform;
    or,
    network packets sent from the Internet outside the cloud platform, via forwarding by the virtual switch, to a user virtual machine in the cloud platform.
  7. An apparatus for identifying a flooding attack in a cloud platform, characterized in that the apparatus includes:
    a parse result receiving module, configured to receive parse results of network packets sent by different virtual switches in the cloud platform;
    a statistics module, configured to analyze, within the current statistical period, the parse results of the network packets from the different virtual switches and obtain a count value corresponding to each identical parse result;
    a flooding attack identification module, configured to identify that a flooding attack exists in the cloud platform when the count value exceeds a threshold.
  8. An apparatus for identifying a flooding attack in a cloud platform, characterized in that the apparatus includes:
    a network packet collection module, configured to collect network packets flowing through the virtual switch;
    a parsing module, configured to parse the network packets and obtain the parse result of each network packet;
    a parse result sending module, configured to send the parse results of the network packets to a controller in the cloud platform, so that the controller, within the current statistical period, analyzes the parse results of network packets from different virtual switches, obtains a count value corresponding to each identical parse result, and identifies that a flooding attack exists in the cloud platform when the count value exceeds a threshold.
  9. A controller, characterized in that the controller includes a processor and a memory, the memory storing at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the method for identifying a flooding attack in a cloud platform according to any one of claims 1 to 3.
  10. A virtual switch, characterized in that the virtual switch includes a processor and a memory, the memory storing at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the method for identifying a flooding attack in a cloud platform according to any one of claims 4 to 6.
PCT/CN2022/141869 2022-07-29 2022-12-26 Method and apparatus for identifying flooding attack in cloud platform, and device and storage medium WO2024021495A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210906674.2 2022-07-29
CN202210906674.2A CN115484047A (en) 2022-07-29 2022-07-29 Method, device, equipment and storage medium for identifying flooding attack in cloud platform

Publications (1)

Publication Number Publication Date
WO2024021495A1 (en) 2024-02-01

Family

ID=84422162

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/141869 WO2024021495A1 (en) 2022-07-29 2022-12-26 Method and apparatus for identifying flooding attack in cloud platform, and device and storage medium

Country Status (2)

Country Link
CN (1) CN115484047A (en)
WO (1) WO2024021495A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115484047A (en) * 2022-07-29 2022-12-16 天翼云科技有限公司 Method, device, equipment and storage medium for identifying flooding attack in cloud platform
CN117061440B (en) * 2023-10-11 2024-02-09 苏州元脑智能科技有限公司 Network flooding control method, device, equipment, system and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170353490A1 (en) * 2016-06-03 2017-12-07 Ciena Corporation Method and system of mitigating network attacks
US20210409433A1 (en) * 2020-06-30 2021-12-30 Vmware, Inc. Network attack identification, defense, and prevention
CN114760152A (en) * 2022-06-14 2022-07-15 湖南警察学院 Cloud data center virtualization node network security early warning method
CN115484047A (en) * 2022-07-29 2022-12-16 天翼云科技有限公司 Method, device, equipment and storage medium for identifying flooding attack in cloud platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YUAN LI, XIE YIZHEN; WANG YONGJIAN; JIANG HONG: "Traffic anomaly detection method for vehicular ad-hoc network flooding attack", JOURNAL OF NANJING UNIVERSITY OF SCIENCE AND TECHNOLOGY, vol. 44, no. 4, 30 August 2020 (2020-08-30), pages 454 - 461, XP093132555 *

Also Published As

Publication number Publication date
CN115484047A (en) 2022-12-16

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 22952924; Country of ref document: EP; Kind code of ref document: A1