CN104580107A - Hostile attack detection method and controller - Google Patents

Info

Publication number: CN104580107A (application CN201310508486.5A; granted version CN104580107B)
Authority: CN (China)
Prior art keywords: port, message, controller, list item, switch
Legal status: Granted; Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN104580107B (en)
Inventor: 李庆
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN201310508486.5A; publication of CN104580107A; application granted; publication of CN104580107B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a malicious attack detection method and a controller. The method is applied to an OpenFlow network architecture comprising a controller and a switch, and comprises the following steps: the controller receives packet-in messages reported by the switch and determines that a first port meeting a report rate condition is under malicious attack, where the first port is a port connecting the switch to a host, and the report rate condition is that the report rate of the packet-in messages corresponding to the port is greater than or equal to a preset rate threshold and stays so for a first time period. The method and controller provided by the embodiments of the invention can detect malicious attack behaviour against a port at the network source, so that a response to the attack can be found in time.

Description

Malicious attack detection method and controller
Technical field
The present invention relates to the field of communication technology, and in particular to a malicious attack detection method and a controller.
Background technology
With the wide use of OpenFlow (hereinafter OF) networks in real deployments, they inevitably face the same malicious-attack problem as legacy networks. Typical malicious attacks include flooding attacks and DoS attacks; most malicious attacks congest the network, or paralyse the destination server, by generating a large volume of traffic. The most common case is that the attack is still within what the network can tolerate, but the destination server is paralysed.
In a legacy network, tolerance of network congestion can only rely on the robustness of the switches, but since a network may contain many different types of switch with different security policies, that tolerance is uncertain. Attacks on the destination server can only be countered by the firewall and security software installed on the server, but by then the large volume of traffic generated by the attack has already consumed network bandwidth, so the network reacts with a lag.
At present, OF networks have no strategy for countering malicious attacks.
Summary of the invention
Technical problem
In view of this, the technical problem to be solved by the present invention is how to effectively detect that an OF network is under malicious attack.
Solution
To solve the above technical problem, according to one embodiment of the invention a malicious attack detection method is provided, applied to an OpenFlow network architecture comprising a controller and a switch, and comprising:
the controller receiving packet-in messages reported by the switch; and
the controller determining that a first port meeting a report rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the report rate condition is that the report rate of the packet-in messages corresponding to the port is not less than a predetermined rate threshold and remains so for a first time length.
In one possible implementation of the above malicious attack detection method, after the controller receives the packet-in messages reported by the switch, the method further comprises:
the controller storing the received packet-in messages;
and after the controller determines that the first port meeting the report rate condition is under malicious attack, the method further comprises:
the controller removing the stored packet-in messages corresponding to the first port and instructing the switch to remove the flow entries corresponding to the first port.
In one possible implementation of the above malicious attack detection method, after the controller removes the packet-in messages corresponding to the first port and instructs the switch to remove the flow entries corresponding to the first port, the method further comprises:
the controller issuing a new flow entry to the switch, the new flow entry informing the switch to directly discard packets received from the first port.
In one possible implementation of the above malicious attack detection method, after the new flow entry ages, the controller again receives packet-in messages corresponding to the first port reported by the switch,
where aging of the flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has persisted for a third predetermined time span.
To solve the above technical problem, according to another embodiment of the invention a controller is provided, applied to an OpenFlow network architecture comprising the controller and a switch, the controller comprising:
a receiving module for receiving packet-in messages reported by the switch; and
a processing module, connected to the receiving module, for determining that a first port meeting a report rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the report rate condition is that the report rate of the packet-in messages corresponding to the port is not less than a predetermined rate threshold and remains so for a first time length.
In one possible implementation, the above controller further comprises:
a storage module, connected to the receiving module and the processing module, for storing the packet-in messages received by the receiving module;
and the processing module is further used to remove the packet-in messages corresponding to the first port and to instruct the switch to remove the flow entries corresponding to the first port.
In one possible implementation, the above controller further comprises:
a sending module, connected to the processing module, for issuing a new flow entry to the switch, the new flow entry informing the switch to directly discard packets received from the first port.
In one possible implementation of the above controller, after the new flow entry ages, the receiving module again receives packet-in messages corresponding to the first port reported by the switch,
where aging of the flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has persisted for a third predetermined time span.
Beneficial effects
With the malicious attack detection method and controller provided by the embodiments of the invention, the controller receives the packet-in messages reported by the switch and determines whether a port connecting a host is under malicious attack according to whether the report rate of the packet-in messages corresponding to that port exceeds the set rate threshold and does so for a predetermined time length. If the report rate of the packet-in messages corresponding to the port exceeds the set rate threshold and does so for the predetermined time length, the port can be determined to be under malicious attack. The malicious attack detection method provided by the embodiments can therefore detect malicious attack behaviour against a port at the network source, so that a strategy for responding to the attack can be found in time.
Further features and aspects of the invention will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
The accompanying drawings, which are included in and form part of the specification, illustrate exemplary embodiments, features and aspects of the invention together with the specification, and serve to explain the principles of the invention.
Fig. 1 shows a flow chart of a malicious attack detection method according to an embodiment of the invention;
Fig. 2 shows a flow chart of a malicious attack detection method according to another embodiment of the invention;
Fig. 3 shows a message sequence diagram of a malicious attack detection method according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the packet forwarding method of the existing OF network architecture;
Fig. 5 shows a schematic diagram of a packet forwarding method according to an embodiment of the invention;
Fig. 6 shows a block diagram of a controller according to an embodiment of the invention;
Fig. 7 shows a block diagram of a controller according to another embodiment of the invention;
Fig. 8 shows a block diagram of a controller according to a further embodiment of the invention.
Embodiments
Various exemplary embodiments, features and aspects of the invention are described in detail below with reference to the accompanying drawings. The same reference numerals in the drawings denote elements with the same or similar function. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily drawn to scale unless otherwise indicated.
The word "exemplary" is used here to mean "serving as an example, instance or illustration". Any embodiment described here as "exemplary" need not be interpreted as superior to or better than other embodiments.
In addition, to better describe the invention, numerous specific details are given in the embodiments below. Those skilled in the art will understand that the invention can equally be practised without some of these details. In some instances, methods, means, elements and circuits well known to those skilled in the art are not described in detail, so as to highlight the gist of the invention.
An existing OF network consists mainly of OF switches (hereinafter switches) and an OF controller (hereinafter controller). A switch holds a flow table, similar to the routing table of an ordinary switch, except that the switch does not maintain the flow table itself; every packet passing through the switch is matched against the flow table. If a packet finds a matching flow entry, the action of that entry is executed; for example, an action may instruct that the packet be forwarded out of a specified port, which produces a data flow in the OF network. If no matching flow entry is found, the switch encapsulates the packet into a packet-in message, for example a Packet-in message, and reports it to the controller. After receiving the packet-in message, the controller decides how the packet corresponding to it is handled, by means such as adding and deleting flow entries. The controller controls the switch's flow table mainly by adding and deleting flow entries.
Embodiment 1
Fig. 1 shows a flow chart of a malicious attack detection method according to an embodiment of the invention. The method is mainly used in an OF network architecture comprising a controller and a switch. As shown in Fig. 1, the malicious attack detection method may mainly comprise the following steps:
Step S100: the controller receives packet-in messages reported by the switch;
Step S120: the controller determines that a first port meeting the report rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the report rate condition is that the report rate of the packet-in messages corresponding to the port is not less than a predetermined rate threshold and remains so for a first time length.
Specifically, the controller in the OF network manages the ports through which switches connect to hosts. The controller obtains the global topology during link discovery, including the port information for switch-to-switch links, and it can discover the port information for switch-to-host links when a host needs to communicate over the network.
For step S100, when a port of the switch receives a packet addressed to some host, the switch looks up its flow table. If a flow entry matching the packet's forwarding rule is found, no report to the controller is needed and the packet is forwarded to the destination server directly according to the rule in that entry. If no matching flow entry is found, the switch constructs a corresponding packet-in message, for example a Packet-in message, and reports it to the controller to inform it that there is no corresponding flow entry, then waits for the controller's instruction.
The controller receives the packet-in message that the host's packet triggered through this switch. The packet-in message may include the port corresponding to the packet and all or part of the packet's content, and may also include the packet's buffer address on the switch.
For step S120, the controller receives the packet-in messages corresponding to the ports of all switches under it. When it finds that the report rate of the packet-in messages corresponding to a particular port of a particular switch is greater than or equal to the rate threshold the controller has set for that port's packet-in messages, and that this report rate persists for a predetermined time length, the port meets the report rate condition and the controller determines that the port is under malicious attack. For example, suppose the controller sets the rate threshold for a port's packet-in messages to 100/s and the duration to 5 s. If at some moment the report rate of the packet-in messages for the port reaches 100/s, and from that moment the report rate stays at or above 100/s for longer than 5 s, the port is regarded as meeting the report rate condition and the controller can determine that it is under malicious attack.
With the malicious attack detection method provided by this embodiment, the controller receives the packet-in messages reported by the switch and determines whether a port connecting a host is under malicious attack according to whether the report rate of the packet-in messages corresponding to that port exceeds the set rate threshold and does so for a predetermined time length. If the report rate of the packet-in messages corresponding to the port exceeds the set rate threshold and does so for the predetermined time length, the port can be determined to be under malicious attack. The method provided by this embodiment can therefore detect malicious attack behaviour against a port at the network source.
Embodiment 2
Fig. 2 shows a flow chart of a malicious attack detection method according to another embodiment of the invention. Steps in Fig. 2 with the same labels as in Fig. 1 have the same function; for brevity, their detailed description is omitted.
As shown in Fig. 2, the main difference between the method of Fig. 2 and that of Fig. 1 is that, after step S100, the following step may also be included:
Step S110: the controller stores the received packet-in messages.
Specifically, after receiving a packet-in message reported by the switch, the controller may store it in its cache space, pending processing.
In one possible implementation, after step S120 the following step may also be included:
Step S130: the controller removes the stored packet-in messages corresponding to the first port and instructs the switch to remove the flow entries corresponding to the first port.
Specifically, for convenience of description in this application, the port under malicious attack is called the first port. After the controller determines in step S120 that the first port is under malicious attack, it may remove the packet-in messages corresponding to the first port from its cache space and, at the same time, issue an indication instructing the switch to remove the flow entries corresponding to the first port.
In one possible implementation, after step S130 the malicious attack detection method of this embodiment may also include the following step:
Step S140: the controller issues a new flow entry to the switch, the new flow entry informing the switch to directly discard packets received from the first port.
Specifically, after the controller has removed the packet-in messages corresponding to the first port and instructed the switch to remove the flow entries corresponding to the first port, it may also issue a new flow entry for the first port to the switch. This flow entry serves mainly to inform the switch that packets received from the first port can be discarded directly.
In one possible implementation, once the flow entry set up in step S140 for informing the switch to directly discard packets received from the first port has aged, the switch again constructs packet-in messages for the packets it receives from the first port and reports them to the controller. If the report rate of the packet-in messages corresponding to the first port is now below the set rate threshold, that is, the report rate condition is no longer met, the controller can issue a new flow entry for the first port to the switch so that the packets corresponding to these packet-in messages are forwarded to their destination server. Here, aging of a flow entry means that the entry has had no matching packet for a second predetermined time span, or that the entry has persisted for a third predetermined time span. If the report rate of the packet-in messages corresponding to the port is still greater than or equal to the set rate threshold, that is, the report rate condition is still met, the port continues to be handled as a port under malicious attack according to the method described above.
Fig. 3 is the message sequence diagram of the malicious attack detection method of this embodiment. As shown in Fig. 3, a host sends a packet through a port of a switch; no flow entry matching the forwarding of this packet is found on the switch, so the switch constructs a packet-in message corresponding to the packet and reports it to the controller. After the controller receives the packet-in messages corresponding to this port, it judges whether their report rate exceeds the set rate threshold. If the report rate of the packet-in messages corresponding to the port exceeds the set rate threshold, the controller removes the received packet-in messages corresponding to the port and the corresponding flow entries and, at the same time, issues a new flow entry for the port to the switch, informing the switch to directly discard the packets received from the port.
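The following added example (not code from the patent or from Huawei) simulates the packet-in path of the OF switch described earlier, the step S120 report rate condition with the figures of embodiment 1 (100 packet-ins/s sustained for 5 s), and the step S110 to S140 sequence of Fig. 3, including what happens once the drop entry has aged and the host behind the first port sends again, either quietly or still flooding. The switch and controller classes, the one-second sliding window used to measure the report rate, the flow-entry keys, the timeout values and the constructed traffic are all assumptions standing in for a real OpenFlow implementation; per-flow forwarding entries are keyed by (ingress port, flow key), and the drop entry installed at detection matches the whole port.

```python
"""Added example (not the patent's code): a simulated OpenFlow switch and a
controller implementing the step S120 report rate condition with the values
of embodiment 1 (100 packet-ins/s held for 5 s) and the S110-S140 drop-entry
lifecycle of embodiment 2, including aging. Names, the 1 s window, the
traffic and the timeouts are assumptions; time is integer milliseconds."""
from collections import Counter, deque
from dataclasses import dataclass

WINDOW_MS = 1000                          # report rate = packet-ins per second
FWD_IDLE_MS, FWD_HARD_MS = 10000, 60000   # assumed forwarding-entry timeouts

@dataclass
class FlowEntry:
    action: str           # "forward" or "drop"
    installed_at: int
    last_match: int
    idle_timeout: int     # second predetermined time span (no matching packet)
    hard_timeout: int     # third predetermined time span (entry lifetime)

    def aged(self, now):
        return (now - self.last_match >= self.idle_timeout
                or now - self.installed_at >= self.hard_timeout)

class Switch:
    """Exact entries keyed by (in_port, flow_key); a port-wide drop entry wins."""

    def __init__(self):
        self.exact, self.port_drop = {}, {}

    def add(self, port, key, action, now, idle, hard):
        table = self.port_drop if key is None else self.exact
        table[port if key is None else (port, key)] = FlowEntry(action, now, now, idle, hard)

    def remove_port(self, port):            # step S130: clear the port's entries
        for k in [k for k in self.exact if k[0] == port]:
            del self.exact[k]

    def receive(self, port, key, now):
        """Return "forward"/"drop" on a hit, None when a packet-in is needed."""
        for table in (self.exact, self.port_drop):          # age out entries
            for k in [k for k, e in table.items() if e.aged(now)]:
                del table[k]
        entry = self.port_drop.get(port) or self.exact.get((port, key))
        if entry is None:
            return None
        entry.last_match = now
        return entry.action

class Controller:
    def __init__(self, switch, rate_threshold=100, duration_ms=5000,
                 drop_idle_ms=10000, drop_hard_ms=10000):
        self.sw, self.rate_threshold, self.duration_ms = switch, rate_threshold, duration_ms
        self.drop_idle_ms, self.drop_hard_ms = drop_idle_ms, drop_hard_ms
        self.stored, self.window = {}, {}          # held packet-ins (S110); 1 s windows
        self.over_since, self.detections = {}, []  # threshold crossing time; S120 hits

    def packet_in(self, port, key, now):
        """Return "install_forward", "hold" or "install_drop"."""
        w = self.window.setdefault(port, deque())
        w.append(now)
        while now - w[0] >= WINDOW_MS:
            w.popleft()
        if len(w) < self.rate_threshold:     # below threshold: treat as normal
            self.over_since.pop(port, None)
            self.sw.add(port, key, "forward", now, FWD_IDLE_MS, FWD_HARD_MS)
            return "install_forward"
        self.over_since.setdefault(port, now)
        if now - self.over_since[port] < self.duration_ms:
            self.stored.setdefault(port, []).append((key, now))
            return "hold"
        # Condition met: purge held packet-ins and the port's entries (S130),
        # then install a port-wide drop entry that ages by timeout (S140).
        self.detections.append((port, now))
        self.stored.pop(port, None)
        self.over_since.pop(port, None)
        self.sw.remove_port(port)
        self.sw.add(port, None, "drop", now, self.drop_idle_ms, self.drop_hard_ms)
        return "install_drop"

def run_scenario():
    """Constructed traffic: the port 1 host talks to three destinations; the
    port 2 host floods 200 new flows/s for 7 s, is quiet once the drop entry
    has aged out, then floods again."""
    sw = Switch()
    ctrl = Controller(sw)
    events = [(500 * k, 1, ("web", "dns", "mail")[k % 3]) for k in range(14)]
    events += [(5 * i, 2, f"flood-a-{i}") for i in range(1400)]
    events += [(20000 + 100 * k, 2, f"quiet-{k % 2}") for k in range(5)]
    events += [(30000 + 5 * i, 2, f"flood-b-{i}") for i in range(1400)]
    outcomes = {}
    for now, port, key in sorted(events):
        verdict = sw.receive(port, key, now) or ctrl.packet_in(port, key, now)
        outcomes.setdefault(port, Counter())[verdict] += 1
    return outcomes, ctrl.detections

if __name__ == "__main__":
    print(run_scenario())
```

Running it reports two detections on port 2, at 5495 ms and 35495 ms: the 100th packet-in of each flood brings the one-second window to the threshold, and the 5 s first time length is counted from there. Two points the simulation makes visible that the description leaves implicit: until the condition is met, the controller is still installing forwarding entries for the first flows of the flood and then holding the rest, so the detection latency is the time needed to reach the threshold plus the first time length; and because the drop entry matches the ingress port rather than a flow, legitimate traffic from a host behind the first port is discarded as well until the entry ages out, after which the rate is re-evaluated from fresh packet-ins (the quiet phase gets forwarding entries, the second flood is detected again). The per-port bookkeeping lives in the controller, which is also the component a packet-in flood loads, so it is kept to a deque of the last second of timestamps.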
In the existing OF network architecture, as shown in Fig. 4, the controller issues forwarding flow entries for all packets (both normal packets and malicious attack packets), and the switch then forwards all packets to the destination server. This may generate a large volume of traffic in the OF network, quite possibly including the traffic of a large number of attack packets, which can directly affect the forwarding of normal packets or the normal operation of the destination server. In this embodiment, as shown in Fig. 5, the controller issues forwarding flow entries only for normal packets, and the switch then forwards the normal packets to the destination server. When a port of the switch is under malicious attack, the controller, after determining that the port is under attack, can instruct the switch to discard the attack packets and issue forwarding flow entries only for normal packets. This greatly reduces the traffic generated by attack packets, so the forwarding of normal packets is not affected by them; the OF network can thus detect and resolve a malicious attack at the network source, mitigating the attack's impact on the destination server and at the same time avoiding the network congestion the attack would cause.
It should be noted that the malicious attack detection method of the embodiments of the invention is not limited to OF networks. Any network architecture in which control and forwarding are decoupled, as long as it applies the malicious attack detection method of the embodiments, falls within the scope of protection of this application.
Embodiment 3
Fig. 6 shows a block diagram of a controller according to an embodiment of the invention. The controller 20 is mainly used in an OpenFlow (OF) network architecture comprising the controller 20 and a switch. As shown, controller 20 may mainly comprise a receiving module 21 and a processing module 22. The receiving module 21 is mainly used to receive the packet-in messages reported by the switch; the processing module 22, connected to the receiving module 21, is mainly used to determine that a first port meeting the report rate condition is under malicious attack, where the first port is a port connecting the switch to a host, and the report rate condition is that the report rate of the packet-in messages corresponding to the port is not less than a predetermined rate threshold and remains so for a first time length.
The controller 20 of this embodiment can perform the malicious attack detection method of embodiment 1 above; see the detailed description of embodiment 1 for the method.
With the controller provided by this embodiment, the receiving module receives the packet-in messages reported by the switch, and the processing module determines whether a port is under malicious attack according to whether the report rate of the packet-in messages corresponding to that port exceeds the set rate threshold and does so for a predetermined time length. If the report rate of the packet-in messages corresponding to the port exceeds the set rate threshold and does so for the predetermined time length, the port can be determined to be under malicious attack. The controller provided by this embodiment can therefore detect malicious attack behaviour against a port at the network source.
Embodiment 4
Fig. 7 shows a block diagram of a controller according to another embodiment of the invention. Components in Fig. 7 with the same labels as in Fig. 6 have the same function; for brevity, their detailed description is omitted.
The main difference between the controller 30 of this embodiment and the controller 20 of the previous embodiment is that controller 30 may further comprise a storage module 23. The storage module 23 is connected to the receiving module 21 and the processing module 22 and stores the packet-in messages received by the receiving module 21. The processing module 22 is further used to remove the packet-in messages corresponding to the first port and to instruct the switch to remove the flow entries corresponding to the first port.
In one possible implementation, controller 30 may further comprise a sending module 24. The sending module 24 is connected to the processing module 22 and is used to issue a new flow entry to the switch, the new flow entry informing the switch to directly discard packets received from the first port.
In one possible implementation, after the new flow entry ages, the receiving module 21 again receives the packet-in messages corresponding to the first port reported by the switch, where aging of a flow entry means that the entry has had no matching packet for a second predetermined time span, or that the entry has persisted for a third predetermined time span.
The controller 30 of this embodiment can perform the malicious attack detection method of embodiment 2 above; see the detailed description of embodiment 2 for the method.
With the controller provided by this embodiment, the receiving module receives the packet-in messages reported by the switch, and the processing module determines whether a port is under malicious attack according to whether the report rate of the packet-in messages corresponding to that port exceeds the set rate threshold and does so for a predetermined time length. If the report rate of the packet-in messages corresponding to the port exceeds the set rate threshold and does so for the predetermined time length, the port can be determined to be under malicious attack. After determining that the port is under malicious attack, the processing module can also remove the packet-in messages reported for the first port that are held in the storage module and instruct the switch to remove the flow entries corresponding to the first port. Finally, the sending module issues a new flow entry informing the switch to directly discard packets received from the first port. In this way, the controller of this embodiment can detect and resolve a malicious attack at the network source, mitigating the attack's impact on the destination server and, at the same time, avoiding the network congestion the attack might cause.
embodiment 5
Fig. 8 illustrates the structured flowchart of the controller according to further embodiment of this invention.Described controller 800 can be possess the host server of computing capability, personal computer PC or portable portable computer or terminal etc.The specific embodiment of the invention does not limit the specific implementation of computing node.
Described controller 800 comprises processor (processor) 810, communication interface (CommunicationsInterface) 820, memory (memory) 830 and bus 840.Wherein, processor 810, communication interface 820 and memory 830 complete mutual communication by bus 840.
Communication interface 820 for network device communications, wherein the network equipment comprise such as Virtual Machine Manager center, share store etc.
Processor 810 is for executive program.Processor 810 may be a central processor CPU, or application-specific integrated circuit ASIC (Application Specific Integrated Circuit), or is configured to the one or more integrated circuits implementing the embodiment of the present invention.
Memory 830 is for storing documents.Memory 830 may comprise high-speed RAM memory, still may comprise nonvolatile memory (non-volatile memory), such as at least one magnetic disc store.Memory 830 also can be memory array.Memory 830 also may by piecemeal, and described piece can become virtual volume by certain principle combinations.
In one possible implementation, the program may be program code comprising computer operation instructions. The program may specifically be used for the following:
the controller receives the packet reporting messages reported by the switch; and
the controller determines that a first port satisfying a reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch and a host, and the reporting-rate condition means that the reporting rate of the packet reporting messages corresponding to a port is not less than a predetermined rate threshold and remains so for a first time length.
In one possible implementation, after the controller receives the packet reporting messages reported by the switch, the program further comprises:
the controller stores the received packet reporting messages;
and after the controller determines that the first port satisfying the reporting-rate condition is under malicious attack, the program further comprises:
the controller clears the stored packet reporting messages corresponding to the first port and instructs the switch to remove the flow entries corresponding to the first port.
In one possible implementation, after the controller clears the packet reporting messages corresponding to the first port and instructs the switch to remove the flow entries corresponding to the first port, the program further comprises:
the controller issues a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
In one possible implementation, after the new flow entry has aged, the controller again receives packet reporting messages corresponding to the first port reported by the switch,
where aging of the flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has persisted for a third predetermined time span according to the controller.
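The detection and mitigation sequence described above, worked through as an added example that is not part of the patent or of Huawei's code: packet reporting messages are counted per port, the reporting-rate condition must hold for the first time length before the port is flagged, the stored messages and the port's flow entries are then cleared and a drop entry is pushed, and the drop entry ages by an idle span (second time length) or a hard span (third time length). The 1 s measurement window, the integer-millisecond clock and the minimal switch model are assumptions of this example.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000  # packet-in rate is counted per 1 s window (an assumption of this example)

class Switch:
    """Minimal OpenFlow switch model: a port that carries a drop entry discards
    locally; any other port raises a packet-in to the controller."""
    def __init__(self, controller):
        self.controller, self.removed_flows = controller, []
        self.drop_entries = {}  # port -> [installed_at, last_match, idle_age, hard_age]
        controller.switch = self

    def receive(self, port, now):
        if port in self.drop_entries:
            self.drop_entries[port][1] = now  # entry matched: refresh its idle timer
            return "dropped"
        self.controller.packet_in(port, now)
        return "packet_in"

    def age(self, now):
        # Drop entries age when unmatched for the second span or older than the third.
        for port, (installed, last, idle, hard) in list(self.drop_entries.items()):
            if now - last >= idle or now - installed >= hard:
                del self.drop_entries[port]

class Controller:
    def __init__(self, rate_threshold, hold_ms, idle_age, hard_age):
        self.rate_threshold, self.hold_ms = rate_threshold, hold_ms
        self.idle_age, self.hard_age = idle_age, hard_age
        self.stored = defaultdict(deque)  # storage module: packet-in times per port
        self.above_since = {}             # port -> time its rate first reached threshold
        self.attacked, self.switch = set(), None

    def packet_in(self, port, now):
        """Receiver module: record the packet-in, then test the reporting-rate condition."""
        msgs = self.stored[port]
        msgs.append(now)
        while now - msgs[0] > WINDOW_MS:
            msgs.popleft()
        if len(msgs) < self.rate_threshold:  # messages per window below threshold
            self.above_since.pop(port, None)
            return
        since = self.above_since.setdefault(port, now)
        if now - since >= self.hold_ms:      # condition held for the first time length
            self.mitigate(port, now)

    def mitigate(self, port, now):
        """Processing and sending modules: clear stored state, remove the port's
        flow entries, then push a drop entry that the switch ages on its own."""
        self.attacked.add(port)
        self.stored.pop(port, None)
        self.above_since.pop(port, None)
        self.switch.removed_flows.append(port)
        self.switch.drop_entries[port] = [now, now, self.idle_age, self.hard_age]
```

With a threshold of 10 messages per second held for 2 s, a port sending 20 packet-ins per second is flagged at 2.45 s, after which the switch discards locally until the drop entry ages out and reporting resumes.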
Those of ordinary skill in the art will recognize that the exemplary units and algorithm steps described in the embodiments herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered to exceed the scope of the present invention.
If the described functions are implemented in the form of computer software and sold or used as an independent product, then all or part of the technical solution of the present invention (for example, the part that contributes over the prior art) may be considered to be embodied in the form of a computer software product. This computer software product is usually stored in a computer-readable non-volatile storage medium and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the various embodiments of the present invention. The aforementioned storage medium includes a USB flash disk, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person familiar with the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (8)

1. A malicious attack detection method, applied in an OpenFlow network architecture comprising a controller and a switch, characterized in that the method comprises:
the controller receives the packet reporting messages reported by the switch; and
the controller determines that a first port satisfying a reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch and a host, and the reporting-rate condition means that the reporting rate of the packet reporting messages corresponding to a port is not less than a predetermined rate threshold and remains so for a first time length.
2. The malicious attack detection method according to claim 1, characterized in that, after the controller receives the packet reporting messages reported by the switch, the method further comprises:
the controller stores the received packet reporting messages;
and after the controller determines that the first port satisfying the reporting-rate condition is under malicious attack, the method further comprises:
the controller clears the stored packet reporting messages corresponding to the first port and instructs the switch to remove the flow entries corresponding to the first port.
3. The malicious attack detection method according to claim 1 or 2, characterized in that, after the controller clears the packet reporting messages corresponding to the first port and instructs the switch to remove the flow entries corresponding to the first port, the method further comprises:
the controller issues a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
4. The malicious attack detection method according to claim 3, characterized in that, after the new flow entry has aged, the controller again receives packet reporting messages corresponding to the first port reported by the switch,
where aging of the flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has persisted for a third predetermined time span according to the controller.
5. A controller, applied in an OpenFlow network architecture comprising the controller and a switch, characterized in that the controller comprises:
a receiver module, for receiving the packet reporting messages reported by the switch; and
a processing module, connected to the receiver module, for determining that a first port satisfying a reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch and a host, and the reporting-rate condition means that the reporting rate of the packet reporting messages corresponding to a port is not less than a predetermined rate threshold and remains so for a first time length.
6. The controller according to claim 5, characterized in that it further comprises:
a storage module, connected to the receiver module and the processing module, for storing the packet reporting messages received by the receiver module;
and the processing module is further used for clearing the packet reporting messages corresponding to the first port and instructing the switch to remove the flow entries corresponding to the first port.
7. The controller according to claim 5 or 6, characterized in that it further comprises:
a sending module, connected to the processing module, for issuing a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
8. The controller according to claim 7, characterized in that, after the new flow entry has aged, the receiver module again receives packet reporting messages corresponding to the first port reported by the switch,
where aging of the flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has persisted for a third predetermined time span according to the controller.
Priority application: CN201310508486.5A, priority date 2013-10-24, filing date 2013-10-24, "Malicious attack detection method and controller", granted as CN104580107B (active).

Publications: CN104580107A (application), published 2015-04-29; CN104580107B (granted patent), published 2018-02-06.