SDN-based egress information confidentiality inspection platform system and detection method
Technical field
The present invention relates to the technical field of network security, and more particularly to an SDN-based egress information confidentiality inspection platform system and detection method.
Background technology
With the rapid development of China's economy and society, informatization continues to advance, and an enterprise or organization inevitably needs to connect to the Internet and exchange information in its daily office work. This poses a significant challenge to the security and confidentiality of the enterprise or organization: it must prevent employees from leaking confidential information, whether unintentionally or deliberately, and prevent outsiders from illegally obtaining the enterprise's or organization's confidential information. In addition, the consumption of network resources and the Internet behaviour of internal employees need to be controlled so that the routine work of the enterprise or organization can proceed normally.
An egress information confidentiality inspection platform performs unified confidentiality inspection and detection on all Internet and mobile Internet egress points of an enterprise or organization. It mainly provides unified supervision of all abnormal behaviour, Trojan activity and transmitted information on the Internet and mobile Internet connections of the enterprise or organization, so that users can discover and handle all kinds of events at the earliest moment. By inspecting and analysing the data transmitted over the Internet and the information published on the Internet, it can identify abnormal network behaviour of terminals and discover viruses and Trojans stealing data; leaking behaviour can be strictly monitored and the necessary information obtained to trace the persons responsible; and the security of the platform's own data is ensured, preventing secondary leakage.
For example, the invention patent with application number 201210435961.6 provides a network computer information confidentiality detection method comprising the following steps: associating a network server end with a computer client; setting the detection strategy of the network server end; determining the inspection strategy of the computer client; and dynamic real-time monitoring and alarming of files. That invention combines active detection and passive detection, unifies the inspection results for aggregate analysis, and prompts the computer client to take the corresponding action. Through a customizable whitelist of sensitive-word information on the computer client, it improves the accuracy and retrieval efficiency of confidentiality inspection. Through unified setting and issuing of the confidentiality inspection strategy from the network server end, it realizes dynamic real-time file monitoring and alarming, automatic inspection and an early-warning mechanism on the computer client, improving employees' awareness of confidentiality through technical means and avoiding the risk of enterprise leaks.
The invention patent with application number 200310114937.3 relates to an information-leakage prevention system under a cooperative working environment, in the technical field of network security, and its implementation method. It comprises two parts, a client and a server: the client is installed on every computer that needs to operate on protected files and performs the protection operations; the server is installed on an independent computer in the network and is used to monitor and control the client computers and to manage the certificates and keys for users working on protected files at the client; client and server are connected through the network. The method comprises: verifying the user's identity and authority; performing decryption operations; continuously monitoring opened files; and encrypting saved content, so that content stored on disk is always encrypted and a file copied elsewhere by any means is therefore always encrypted. This fundamentally solves the information-leakage problem under a cooperative working environment, takes various application environments into account, and has high usability.
The above technologies associate a network server end with computer clients within the original network, set the server-end inspection strategy on that server and determine the client inspection strategy in order to detect information confidentiality, and additionally monitor files dynamically in real time. Such technology performs confidentiality inspection inside the legacy network, sharing one network with the original business system, which presents a great potential security hazard: it easily causes secondary leakage, and it also places an additional burden on the traffic load of the original network.
In addition, the utility model with patent number 200820192655.3 relates to an intelligent multifunctional security gateway composed of a Linux kernel and at least two network interface cards, the Linux kernel being interconnected with each network interface card. It is characterized in that the Linux kernel is also interconnected through interfaces with an IP packet filtering module, a flow control module, and an L7 and P2P module; an internal task scheduling module is interconnected with the Linux kernel, the IP packet filtering module, the flow control module and the L7 and P2P module respectively; and the internal task scheduling module is also connected to the user through an interactive interface module. The utility model integrates router, flow control, VPN and firewall functions, and can provide IP-based flow control, intelligent routing, VPN dial-up access server, network firewall and NAT address translation functions, replacing multiple expensive single-function dedicated network devices with stable and reliable performance at low cost. This technology pushes the entire workload onto the intelligent multifunctional security gateway: all of the work, such as the IP packet filtering module, the flow control module and the L7 and P2P module, is concentrated on one device, and the traffic of this system still exists in the same network as the original business system.
Content of the invention
In order to overcome the shortcomings of the prior art, namely that the security of the egress information confidentiality inspection platform system is not high enough and that it degrades the traffic efficiency of the legacy network, the present invention adopts an SDN-based egress information confidentiality inspection platform system, thereby strengthening the security of the egress information confidentiality inspection platform system and reducing the traffic burden on the enterprise network.
The SDN-based egress information confidentiality inspection platform system is composed of a confidentiality inspection module and a controller cluster control module.
The controller cluster control module coordinates and controls the controller cluster in the platform and communicates with the SDN-enabled switches. It comprises a state distribution/synchronization module, a domain partitioning management module, a distributed storage management module, a switch compliance control module and a switch interface communication module.
The controller cluster control module communicates with the SDN-enabled switches via a southbound interface protocol through the switch interface communication module, and uses the other modules to synchronize the flow tables among the multiple controllers.
The confidentiality inspection module is deployed on a confidentiality inspection server and is composed of a daily classified-matter inspection module, an Internet behaviour control module, a suspicious terminal detection module, a Trojan detection module, a platform operation management module, an inherent security assurance module, and a policy database, a virus signature pattern base and a feature rule base.
The daily classified-matter inspection module is responsible for inspecting e-mail, file transfers, microblogs, blogs and network forums.
The Internet behaviour control module is responsible for monitoring and auditing HTTP, FTP, SMTP, POP3, Web Mail, QQ, MSN, community/forum/video/game services, and P2P transfer tools such as BT, eMule and Thunder (Xunlei).
The suspicious terminal detection module comprises a domain name detection module, an IP address detection module, an SSL channel detection module and an uplink/downlink traffic ratio detection module.
The Trojan detection module detects the domain name features, IP address features and data content features of special Trojans.
The platform operation management module comprises a centralized policy management module, a retrieval and analysis module and an operation management module.
The inherent security assurance module comprises an identification and authentication module, a platform operation log module, a security service module, a clock synchronization module and a security certificate module.
The detection method of the SDN-based egress information confidentiality inspection platform proceeds as follows. After platform initialization is complete, the SDN-enabled switch forwards the packets entering the switch according to the issued flow table entries. If a packet meets the platform's condition for a confidentiality-security threat, that is, it matches a flow table entry for a security threat, the SDN-enabled switch extracts the IP header and TCP header of the packet, forms an alarm packet from them and sends it to the controller, and at the same time discards the packet; on receiving the alarm information, the controller notifies the confidentiality inspection module to perform the related operations, and the confidentiality inspection module records a security-threat log and sends a notification to the third-party security software control system. If a packet meets the platform's condition for information to be inspected, the SDN-enabled switch copies the packet and sends the copy to the controller, and at the same time pushes the packet into a waiting queue pending a flow table that indicates how to handle it; the controller forwards the copy to the confidentiality inspection module, which inspects the packet. If inspection finds that the packet is secure and contains no leak, the module notifies the controller of the switch that sent the information to be inspected, requiring the switch to send the packet to its original destination. If inspection finds that the packet contains a security threat or a leak, the confidentiality inspection module generates a flow table entry for packets of this kind and distributes it to the related controllers; each controller issues the flow table entry assigned to it to the switches it manages, and notifies the switch that sent the information to be inspected to process the packets in the waiting queue according to the newly issued flow table. If a packet meets neither of the above cases, it is forwarded as before.
The beneficial effects brought by the technical solution of the present invention:
The SDN-based egress information confidentiality inspection platform system uses SDN technology to separate the confidentiality-inspection traffic generated by the platform onto another network, solving system security threats such as possible "secondary leakage" as well as the traffic-load problem. It can greatly improve the security of the Internet egress information confidentiality inspection platform system while also reducing the traffic burden on the enterprise network.
Brief description
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is the functional structure diagram of the SDN-based egress information confidentiality inspection platform system;
Fig. 2 is the traffic separation diagram of the SDN-based egress information confidentiality inspection platform system;
Fig. 3 is the network topology diagram of the SDN-based egress information confidentiality inspection platform system;
Fig. 4 is the initialization flow chart of the SDN-based egress information confidentiality inspection platform system;
Fig. 5 is the flow chart of the detection method of the SDN-based egress information confidentiality inspection platform.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the present invention.
The SDN-based egress information confidentiality inspection platform system can perform unified confidentiality inspection and detection on all Internet and mobile Internet egress points of an enterprise or organization. The confidentiality inspection module collects the relevant data flows from the SDN-enabled switches through the SDN controllers and analyses them, providing unified supervision of all abnormal behaviour, Trojan activity and transmitted information on the intranet of the enterprise or organization, so that users can discover and handle all kinds of events at the earliest moment. By inspecting and analysing the data transmitted over the Internet and the information published on the Internet, it can identify abnormal network behaviour and discover viruses and Trojans stealing data; leaking behaviour can be strictly monitored and the necessary information obtained to trace the persons responsible; and the security of the platform's own data is ensured, preventing secondary leakage.
Fig. 1 shows the functional structure diagram of the SDN-based egress information confidentiality inspection platform system, which is composed of a confidentiality inspection module and a controller cluster control module.
The controller cluster control module coordinates and controls the controller cluster in the platform and communicates with the SDN-enabled switches. It comprises a state distribution/synchronization module, a domain partitioning management module, a distributed storage management module, a switch compliance control module and a switch interface communication module. The controller cluster control module communicates with the SDN-enabled switches via a southbound interface protocol through the switch interface communication module, and uses the other modules to synchronize the flow tables among the multiple controllers. The confidentiality inspection module is deployed on a confidentiality inspection server and is composed of six major modules, namely a daily classified-matter inspection module, an Internet behaviour control module, a suspicious terminal detection module, a Trojan detection module, a platform operation management module and an inherent security assurance module, together with three databases, namely a policy database, a virus signature pattern base and a feature rule base. The daily classified-matter inspection module is responsible for inspecting e-mail, file transfers, microblogs, blogs and network forums; the Internet behaviour control module is responsible for monitoring and auditing HTTP, FTP, SMTP, POP3, Web Mail, QQ, MSN, community/forum/video/game services, and P2P transfer tools such as BT, eMule and Thunder (Xunlei); the suspicious terminal detection module comprises a domain name detection module, an IP address detection module, an SSL channel detection module and an uplink/downlink traffic ratio detection module; the Trojan detection module detects the domain name features, IP address features and data content features of special Trojans; the platform operation management module comprises a centralized policy management module, a retrieval and analysis module and an operation management module; and the inherent security assurance module comprises an identification and authentication module, a platform operation log module, a security service module, a clock synchronization module and a security certificate module.
The SDN-based egress information confidentiality inspection platform system uses SDN technology to separate the network of the egress information confidentiality inspection platform from the original network. The confidentiality inspection module, the SDN controller cluster and the SDN-enabled switches are connected to form an independent network, on which high-level security control is applied; thus the traffic related to the egress information confidentiality inspection platform system and the SDN control traffic share the same network of high security level, which ensures the security of the system and minimizes the platform's performance impact on the original network. The related business systems of the enterprise or organization continue to use the original network, and the legacy network traffic is hardly affected by the egress information confidentiality inspection platform system. Specifically, as shown in Fig. 2, the solid lines are the original network traffic, which the platform leaves unchanged; the chain-dotted lines are the SDN control traffic, that is, the communication between the SDN controllers and the switches; and the thick dashed lines are the confidentiality inspection traffic, which is the to-be-inspected traffic that the SDN-enabled switch selects from the original network traffic according to the flow table and sends, according to the flow table rules, from a particular switch port to the network where the SDN control flow resides.
Fig. 3 shows the network topology diagram of the SDN-based egress information confidentiality inspection platform system. The solid-line network is the original internal network topology of the enterprise or organization; the dotted-line network is the network over which the SDN controllers and the SDN-enabled switches communicate and on which the egress information confidentiality inspection system operates.
Fig. 4 shows the initialization flow chart of the SDN-based egress information confidentiality inspection platform system. After the SDN-based egress information confidentiality inspection platform system starts, the confidentiality inspection module coordinates the controller cluster, obtains the network topology from the switches, and partitions the range of switches controlled by each controller. It then formulates rules from the three databases, namely the policy database, the virus signature pattern base and the feature rule base, lists them as flow table entries, and distributes the flow table entries to the related controllers; each controller issues the flow table entries assigned to it to the switches it manages. Platform initialization is then complete.
Fig. 5 shows the flow chart of the detection method of the SDN-based egress information confidentiality inspection platform. After platform initialization is complete, the SDN-enabled switch forwards the packets entering the switch according to the issued flow table entries. If a packet meets the platform's condition for a confidentiality-security threat, that is, it matches a flow table entry for a security threat, the SDN-enabled switch extracts the IP header and TCP header of the packet, forms an alarm packet from them and sends it to the controller, and at the same time discards the packet; on receiving the alarm information, the controller notifies the confidentiality inspection module to perform the related operations, and the confidentiality inspection module records a security-threat log and sends a notification to the third-party security software control system. If a packet meets the platform's condition for information to be inspected, the SDN-enabled switch copies the packet and sends the copy to the controller, and at the same time pushes the packet into a waiting queue pending a flow table that indicates how to handle it; the controller forwards the copy to the confidentiality inspection module, which inspects the packet. If inspection finds that the packet is secure and contains no leak, the module notifies the controller of the switch that sent the information to be inspected, requiring the switch to send the packet to its original destination. If inspection finds that the packet contains a security threat or a leak, the confidentiality inspection module generates a flow table entry for packets of this kind and distributes it to the related controllers; each controller issues the flow table entry assigned to it to the switches it manages, and notifies the switch that sent the information to be inspected to process the packets in the waiting queue according to the newly issued flow table. If a packet meets neither of the above cases, it is forwarded as before.
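As an added illustration that is not part of the patent, the following Python model walks the initialization procedure of Fig. 4 and the three cases of the detection method of Fig. 5 (threat flow: alarm and drop; to-be-inspected flow: copy up and queue, then release or install a new flow entry; otherwise forward) on constructed sample traffic. The rule-base contents, addresses, ports and class names are assumptions made for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport payload")  # constructed header model

class InspectionModule:  # confidentiality inspection module; rule bases are constructed
    def __init__(self):
        self.inspect_ports = {21, 25}                   # policy database: FTP, SMTP
        self.trojan_endpoints = {("203.0.113.9", 443)}  # Trojan IP/port feature base
        self.sensitive_words = [b"CONFIDENTIAL"]        # feature rule base
        self.threat_log = []

    def inspect(self, pkt):  # None if clean, else a new threat flow entry for its kind
        if any(w in pkt.payload for w in self.sensitive_words):
            self.threat_log.append(("leak", pkt.src, pkt.dst, pkt.dport))
            return (pkt.dst, pkt.dport)

    def on_alarm(self, alarm):  # log it; a deployment would also notify third-party software
        self.threat_log.append(("threat",) + alarm)

class Controller:  # one controller of the cluster, managing its SDN-enabled switches
    def __init__(self, inspector):
        self.inspector, self.switches = inspector, []

    def attach(self, switch):  # initialization: rule-base entries become flow entries
        switch.threat_flows |= self.inspector.trojan_endpoints
        switch.inspect_flows |= self.inspector.inspect_ports
        self.switches.append(switch)

    def on_inspect(self, switch, pkt):
        entry = self.inspector.inspect(pkt)
        if entry is None:                 # clean: switch sends it to the original target
            switch.pending.remove(pkt)
            switch.forwarded.append(pkt)
            return
        for sw in self.switches:          # issue the new entry to every managed switch
            sw.threat_flows.add(entry)
        switch.process_pending()          # queued packets now follow the new table

class Switch:  # SDN-enabled switch: threat flows alarm and drop, inspect flows copy and queue
    def __init__(self, controller):
        self.controller, self.pending = controller, []
        self.threat_flows, self.inspect_flows = set(), set()
        self.forwarded, self.alarms = [], []
        controller.attach(self)

    def handle(self, pkt):
        if (pkt.dst, pkt.dport) in self.threat_flows:
            alarm = (pkt.src, pkt.dst, pkt.dport)    # IP/TCP header fields only
            self.alarms.append(alarm)                # the packet itself is discarded
            self.controller.inspector.on_alarm(alarm)  # alarm reaches the module via controller
        elif pkt.dport in self.inspect_flows:
            self.pending.append(pkt)                 # hold the original; a copy goes up
            self.controller.on_inspect(self, pkt)
        else:
            self.forwarded.append(pkt)               # neither case: forward as before

    def process_pending(self):
        for pkt in [p for p in self.pending if (p.dst, p.dport) in self.threat_flows]:
            self.pending.remove(pkt)
            self.handle(pkt)

def demo():  # constructed sample traffic through one switch; returns its final state
    sw = Switch(Controller(InspectionModule()))
    sw.handle(Packet("10.0.0.5", "203.0.113.9", 443, b"beacon"))           # Trojan feature
    sw.handle(Packet("10.0.0.6", "198.51.100.7", 25, b"hello"))             # mail, clean
    sw.handle(Packet("10.0.0.7", "198.51.100.8", 21, b"CONFIDENTIAL doc"))  # FTP leak
    sw.handle(Packet("10.0.0.8", "198.51.100.8", 21, b"more data"))         # hits new flow
    sw.handle(Packet("10.0.0.9", "198.51.100.9", 80, b"GET /"))             # unaffected
    return sw
```

After `demo()` the leaking FTP packet and the follow-up packet to the same endpoint both end up as alarms rather than forwarded traffic, while the clean mail and the unmatched HTTP packet are forwarded unchanged.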
The SDN-based egress information confidentiality inspection platform system and detection method provided by the above embodiments of the present invention have been described in detail. Specific examples have been used herein to explain the principle and embodiments of the present invention; the explanation of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, for those skilled in the art, changes in the specific embodiments and the scope of application will follow from the idea of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.