CN106254338B - Message detecting method and device - Google Patents


Info

Publication number: CN106254338B
Authority: CN (China)
Prior art keywords: message, hadoop, mirror image, switching equipment, sdn controller
Legal status: Active
Application number: CN201610620547.0A
Other languages: Chinese (zh)
Other versions: CN106254338A (en)
Inventors: 王海, 韩东亮
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The present invention provides a message detection method and device. The method comprises: receiving a mirrored message sent by a switching device; performing message detection on the mirrored message and determining the corresponding virus response policy; and sending a corresponding flow entry to the switching device according to the virus response policy, so that the switching device processes messages that match the flow entry. The invention can significantly improve the overall performance of an SDN network.

Description

Message detecting method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a message detection method and device.
Background art
In SDN (Software Defined Network) networking that applies the anti-virus detection function of an IPS (Intrusion Prevention System), the IPS device performs virus detection on the messages entering and leaving the entire SDN network, and blocks or monitors viruses according to a preconfigured virus response policy.
However, when the IPS device performs virus detection, the messages of the entire SDN network must all be diverted to the IPS device for virus detection. When the message volume of the entire SDN network is large, the IPS device becomes the bottleneck of the performance of the entire SDN network: the load on the IPS device is high, which in turn affects overall performance.
Summary of the invention
In view of the defects of the prior art, the present invention provides a message detection method and device.
The present invention provides a message detection method applied to an SDN controller in a Hadoop cluster, wherein the method comprises:
Receiving a mirrored message sent by a switching device;
Performing message detection on the mirrored message and determining the corresponding virus response policy;
Sending a corresponding flow entry to the switching device according to the virus response policy, so that the switching device processes messages that match the flow entry.
The present invention also provides a message detection device applied to an SDN controller in a Hadoop cluster, the device comprising:
An SDN control unit, for receiving a mirrored message sent by a switching device;
A detection unit, for performing message detection on the mirrored message and determining the corresponding virus response policy;
The SDN control unit is also used to send a corresponding flow entry to the switching device according to the virus response policy, so that the switching device processes messages that match the flow entry.
In the message detection method and device provided by the invention, a Hadoop cluster is deployed on the SDN controller cluster, and the virus detection work originally performed by the IPS device is distributed across the SDN controllers. Each SDN controller matches the message features of the messages it receives against the characteristic data in the IPS feature database and, on a match, performs the corresponding processing according to the corresponding virus response policy. This greatly reduces the processing load on the IPS device and significantly improves the overall performance of the SDN network.
Brief description of the drawings
Fig. 1 is a schematic diagram of the SDN network to which a message detection method in an embodiment of the present invention is applied;
Fig. 2 is a schematic flow diagram of a message detection method in an embodiment of the present invention;
Fig. 3 is a schematic diagram of a message detection method in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the logical structure of a message detection device in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the logical structure of the detection unit in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the hardware architecture of the SDN controller where the message detection device resides in an embodiment of the present invention.
Specific embodiment
To make the purpose, technical solution and advantages of the application clearer, the solution of the application is described in further detail below with reference to the drawings.
To solve the problems in the prior art, the present invention provides a message detection method and device.
Fig. 1 is a schematic diagram of the SDN network scenario to which the embodiment of the present invention is applied. The network includes an SDN controller cluster 100 composed of multiple SDN controllers (such as SDN controllers 101, 102, 103 and 104), a gateway 105, multiple switching devices (such as switching devices 106 and 107), multiple hosts (such as hosts 108 and 109) each connected to one of the switching devices, and an IPS device 110. The most popular protocol in SDN technology is OpenFlow. In an SDN network based on the OpenFlow protocol, a switching device can be a switch, a router or similar equipment, and can be either a physical hardware switching device or a virtual switching device; a host can likewise be a physical host or a virtual host. In this embodiment, configuration done in advance specifies, for each SDN controller in the SDN controller cluster, the switching devices with which it runs the OpenFlow protocol over a control channel. The SDN controller issues OpenFlow flow entries to the specified switching devices that have established a control channel with it, to instruct the switching devices how to forward data between hosts on the data plane.
Hadoop is a software framework that can perform distributed processing of massive data, processing data in a reliable, efficient and scalable way. To solve the problem of high load on the IPS device, in this embodiment a Hadoop cluster can be deployed in the SDN controller cluster in advance. The Hadoop cluster contains two kinds of functional modules: the Hadoop control module and the Hadoop operational module. A Nimbus component runs in the Hadoop control module, and a Supervisor component runs in the Hadoop operational module. The Hadoop cluster can also include other components or services, such as the Zookeeper service. In this embodiment the Hadoop cluster can be deployed by installing the various components or services on each SDN controller of the SDN controller cluster. The Nimbus component run by the Hadoop control module is used, after an SDN controller receives a message, to decide which Hadoop operational module is assigned the task of performing virus detection on that message, and to monitor the resource usage and running state of each Hadoop operational module. The Supervisor component run by the Hadoop operational module is used to execute a virus detection task once it detects that the task has been assigned to it. When deploying the Hadoop cluster, one Nimbus component can be deployed in the SDN controller cluster; for networking reliability several can also be deployed, so that the failure of a single deployed Nimbus component does not prevent normal operation. The Nimbus component can be installed on any one or more SDN controllers; that is, an SDN controller on which a Nimbus component is installed includes a Hadoop control module. At least one Supervisor component is installed on every SDN controller in the SDN controller cluster; that is, every SDN controller includes at least one Hadoop operational module. For example, the components or services installed on each SDN controller can be as shown in Table 1:
SDN controller identifier | Installed components or services
SDN controller 101 | Nimbus, Supervisor
SDN controller 102 | Supervisor, Zookeeper
SDN controller 103 | Supervisor, Zookeeper
SDN controller 104 | Supervisor, Zookeeper
Table 1
Referring to Fig. 2, which is a schematic flow diagram of the message detection method provided by the invention, the method can be applied to an SDN controller in a Hadoop cluster and includes the following steps:
Step 201: receive the mirrored message sent by the switching device.
In this embodiment, when a host comes online, the interface of the switching device to which the host is connected is shown in the "Up" state on the SDN controller. When the SDN controller detects that the state of a port has become "Up", it issues a detection flow entry to that "Up" port of the switching device, so that the port implements the port mirroring function. The detection flow entry may include two processing actions. The first is forwarding information, generated from the routing and forwarding information stored on the SDN controller, that guides how messages are forwarded. The second implements port mirroring: it controls the switching device to mirror (copy) every message that hits the detection flow entry and to send the resulting mirrored message to the SDN controller. The two processing actions can also be issued to the switching device in two separate flow entries.
After receiving a message sent by a host, the switching device matches the message against its stored flow entries. If the message hits the detection flow entry, the message needs virus detection: the switching device mirrors the message according to the actions of the detection flow entry, forwards one copy according to action one of the detection flow entry, and sends the mirrored message to the SDN controller according to action two of the detection flow entry.
After the SDN controller receives the mirrored message sent by the switching device, the Hadoop operational module that will execute the message detection is determined. The Hadoop operational module that executes the message detection belongs either to the SDN controller that received the mirrored message or to another SDN controller in the Hadoop cluster other than the one that received the mirrored message.
Determining the Hadoop operational module that executes the message detection comprises:
The SDN controller that received the mirrored message sends a message detection notification message to the SDN controller that has the Hadoop control module;
The SDN controller that has the Hadoop control module specifies, according to load balancing, the Hadoop operational module that is to execute the message detection, and returns a response message to the SDN controller to which the specified Hadoop operational module belongs; the response message contains the identifier of the specified Hadoop operational module.
Specifically, after receiving a mirrored message, an SDN controller can send a message detection notification message to the SDN controller in the SDN controller cluster on which the Hadoop control module is installed, so that the SDN controller with the Hadoop control module specifies, according to load balancing, the Hadoop operational module that takes on the task of virus detection for the mirrored message.
Note that when the SDN controller that received the mirrored message is itself the SDN controller with the Hadoop control module, it can, after receiving the mirrored message, send the message detection notification message over an internal channel to the Hadoop control module installed on the same device. The Hadoop control module on that device then specifies, according to load balancing, the Hadoop operational module that takes on the task of virus detection for the mirrored message.
The Hadoop control module allocates virus detection tasks according to the following principles:
To avoid the loss of processing efficiency caused by transferring messages between devices, the virus detection task for a message can be executed by a Hadoop operational module on the SDN controller that received the message. When the SDN controller that received the message has multiple Hadoop operational modules, the module that executes the virus detection task is selected according to load balancing. When the Hadoop control module detects that the resource usage of the Hadoop operational module on the SDN controller that received the message indicates high load, or that its running state is "Down", the virus detection task for the message can be assigned to a Hadoop operational module with low resource usage on another SDN controller.
After the Hadoop control module of the SDN controller has determined the specified Hadoop operational module that is to execute the virus detection task, it can return a response message to the SDN controller to which the specified Hadoop operational module belongs. The response message contains the identifier of the specified Hadoop operational module, to inform the SDN controller that sent the message detection notification message that the specified Hadoop operational module with this identifier performs message detection on the mirrored message.
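The allocation principles above can be modelled as follows. This is an added example, not code from the patent or from H3C: the class and function names, the 0.80 "high load" threshold and the reading of "load balancing" as "lowest resource usage" are assumptions, and the cluster data is constructed to mirror Table 1.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed threshold: the text only says "high load" and gives no number.
HIGH_LOAD = 0.80


@dataclass
class OperationalModule:
    """One Hadoop operational module as seen by the control module (hypothetical model)."""
    module_id: str       # identifier carried in the response message
    controller: str      # SDN controller the module runs on
    usage: float         # monitored resource usage, 0.0 to 1.0
    state: str = "Up"    # monitored running state: "Up" or "Down"

    def available(self) -> bool:
        return self.state == "Up" and self.usage < HIGH_LOAD


def assign_module(receiving_controller: str,
                  modules: List[OperationalModule]) -> Optional[OperationalModule]:
    """Pick the module that should run virus detection for one mirrored message."""
    available = [m for m in modules if m.available()]
    # Principle 1: stay on the controller that already holds the mirrored
    # message, so the message does not have to cross devices.
    local = [m for m in available if m.controller == receiving_controller]
    # Principle 3: if every local module is overloaded or Down, fall back to
    # modules on the other controllers.
    candidates = local if local else available
    if not candidates:
        return None  # assumption: the text does not define this case
    # Principle 2: load balancing, assumed here to mean lowest usage; ties are
    # broken by identifier so the choice is deterministic.
    return min(candidates, key=lambda m: (m.usage, m.module_id))


def handle_notification(receiving_controller: str,
                        modules: List[OperationalModule]) -> Optional[Dict[str, object]]:
    """Build the response message for one message detection notification."""
    chosen = assign_module(receiving_controller, modules)
    if chosen is None:
        return None
    return {
        "to_controller": chosen.controller,   # controller the module belongs to
        "module_id": chosen.module_id,        # identifier of the specified module
        "crosses_device": chosen.controller != receiving_controller,
    }


def sample_cluster() -> List[OperationalModule]:
    """Constructed monitoring snapshot for SDN controllers 101 to 104."""
    return [
        OperationalModule("sup-101", "101", 0.30),
        OperationalModule("sup-102a", "102", 0.50),
        OperationalModule("sup-102b", "102", 0.20),
        OperationalModule("sup-103", "103", 0.95),           # high load
        OperationalModule("sup-104", "104", 0.10, "Down"),   # not running
    ]


if __name__ == "__main__":
    for controller in ("101", "102", "103", "104"):
        print(controller, handle_notification(controller, sample_cluster()))
```

In the sample data, messages received on controllers 103 and 104 are handed to another controller, which is the cross-device cost the first principle tries to avoid whenever a local module is usable.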
Step 202: perform message detection on the mirrored message and determine the corresponding virus response policy.
In this embodiment, the SDN controller can periodically send an IPS feature database acquisition request to the IPS device in the SDN network, for example one IPS feature database acquisition request every other hour. After receiving the IPS feature database acquisition request, the IPS device sends the most recently updated IPS feature database on the IPS device to the SDN controller, and the SDN controller saves the received IPS feature database. The IPS feature database stores the characteristic data obtained by analysing various viruses or abnormal conditions, together with the virus response policy corresponding to each piece of characteristic data.
Referring to Fig. 3, the specific processing flow of step 202 includes the following steps 301-302:
Step 301: the SDN controller to which the Hadoop operational module executing the message detection belongs obtains the message features of the mirrored message and matches them against the intrusion prevention system (IPS) feature database obtained in advance;
The message features may include various kinds of message information, such as the source IP address, destination IP address, message type, protocol number and port number of the message. They may also be other information, such as a domain name or a character string in a message field, or any combination of message information and other information; they are not enumerated here.
After obtaining the message features of the mirrored message, the specified Hadoop operational module that executes the virus detection task can match the message features in the IPS feature database saved by the SDN controller it belongs to; that is, the obtained message features are matched in turn against each piece of characteristic data in the IPS feature database.
Step 302: when the message features match characteristic data in the IPS feature database, determine the virus response policy in the IPS feature database that corresponds to that characteristic data.
When the message features match characteristic data in the IPS feature database, the mirrored message is a virus message. Because the IPS feature database stores the characteristic data obtained by analysing various viruses or abnormal conditions together with the virus response policy corresponding to each piece of characteristic data, the virus response policy corresponding to the matched characteristic data can then be determined from the IPS feature database.
The virus response policy may include one or a combination of actions such as pass, block and notify. For the pass action, the detected virus message is not processed and is allowed through. For the block action, the virus message is not allowed through; isolation of the source device that sent the virus message can also be configured. If a source device is isolated, none of its subsequent messages can pass; if isolation is not configured, only the detected virus message is discarded. For the notify action, a virus event is recorded when a virus message is detected, and an alarm prompt is issued for the recorded virus event by writing it to a local database, notifying the administrator by e-mail, or sending it to a user terminal or a Syslog (system log) host. The virus response policy can also include other actions, which are not enumerated here.
In this embodiment, when the specified Hadoop operational module performs message detection on the mirrored message, its specific processing flow may include the following:
After the Hadoop control module has specified a Hadoop operational module for the received mirrored message, the Supervisor component of the specified Hadoop operational module obtains the mirrored message received by the SDN controller it belongs to and passes it to the Spout (entry function). The Spout sends the mirrored message to the anomaly detection Bolt. The anomaly detection Bolt obtains the IPS feature database from the IPS device and compares the message features of the mirrored message with the characteristic data in the IPS feature database. When the message features match characteristic data in the IPS feature database, the anomaly detection Bolt obtains the virus response policy in the IPS feature database that corresponds to the matched characteristic data.
In one embodiment, after the obtained mirrored message is passed to the Spout, while the Spout sends the mirrored message to the anomaly detection Bolt for virus detection, information such as the source IP address, destination IP address and other address information and the message type of the mirrored message can also be obtained, and a statistics Bolt saves the obtained information to a location such as the local disk, so that the user can later build data mining models from the collected information. In another embodiment, so as not to affect the efficiency of virus detection on the message, after the obtained mirrored message is passed to the Spout, the Spout can also copy the mirrored message to obtain two mirrored messages. One of them is sent to the anomaly detection Bolt for virus detection, and the other is sent to the statistics Bolt, which obtains information such as the source IP address, destination IP address and other address information and the message type of the mirrored message. Virus detection and information collection on the message are thus completed in parallel.
In one embodiment, building data mining models from the collected information for later use may include, for example: building models of peak and off-peak periods; building a model of the access frequency of a particular website; and building models of the access frequency and share of each website. After the models are built, data analysis can be carried out according to them, and once the analysis results are obtained, the IPS feature database saved on the IPS device is updated according to those results, making the IPS feature database more complete.
Step 203: send a corresponding flow entry to the switching device according to the virus response policy, so that the switching device processes messages that match the flow entry.
When the message features match characteristic data in the IPS feature database: if the action corresponding to that characteristic data is block, a blocking flow entry is generated from the message features of the message and issued to the switching device that sent the message to the SDN controller, so that the switching device discards messages that hit the blocking flow entry and the virus message is blocked to protect network security, and the SDN controller discards the mirrored message in which the virus was detected. If the action corresponding to that characteristic data is notify, the virus event is recorded and an alarm prompt is issued by writing the virus event to a local database, notifying the administrator by e-mail, or sending it to a user terminal or a Syslog host. If the action corresponding to that characteristic data is block and notify, the alarm prompt is output at the same time as the blocking flow entry is issued to the switching device.
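Steps 301-302 and step 203 can be put together as in the sketch below. It is an added example, not code from the patent: the data model, the field names, the priority value and the dictionary used for a flow entry are assumptions standing in for a real controller's flow-entry message, and the feature database and messages are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER_FIELDS = ("src_ip", "dst_ip", "proto", "dst_port")
BLOCK_PRIORITY = 200  # assumed: must outrank the detection flow entry


@dataclass
class Message:
    """Features taken from one mirrored message (constructed model)."""
    switch_id: str      # switching device that mirrored the message
    src_ip: str
    dst_ip: str
    proto: int          # IP protocol number
    dst_port: int
    payload: bytes = b""


@dataclass
class Signature:
    """One feature database entry: characteristic data plus its response policy."""
    name: str
    fields: Dict[str, object]                # header values that must all match
    payload_substr: Optional[bytes] = None   # string that must occur in the payload
    actions: Tuple[str, ...] = ("notify",)   # any of "pass", "block", "notify"
    isolate: bool = False                    # with "block": isolate the source device


def match_signature(msg: Message, db: List[Signature]) -> Optional[Signature]:
    """Step 301: match the message features against each entry in turn."""
    for sig in db:
        if any(getattr(msg, key) != value for key, value in sig.fields.items()):
            continue
        if sig.payload_substr is not None and sig.payload_substr not in msg.payload:
            continue
        return sig
    return None


def block_flow_entry(msg: Message, sig: Signature) -> Dict[str, object]:
    """Step 203: blocking flow entry for the switching device that sent the mirror."""
    if sig.isolate:
        # Isolation: every later message from the source device is dropped.
        match = {"src_ip": msg.src_ip}
    else:
        # No isolation: only messages with the detected features are dropped.
        match = {name: getattr(msg, name) for name in HEADER_FIELDS}
    return {"switch": msg.switch_id, "priority": BLOCK_PRIORITY,
            "match": match, "actions": ["drop"]}


def detect(msg: Message, db: List[Signature]) -> Dict[str, object]:
    """Steps 301, 302 and 203 for one mirrored message."""
    result = {"signature": None, "flow_entries": [], "alerts": []}
    sig = match_signature(msg, db)
    if sig is None:
        return result          # no match: nothing is sent to the switching device
    result["signature"] = sig.name
    if "block" in sig.actions:
        result["flow_entries"].append(block_flow_entry(msg, sig))
    if "notify" in sig.actions:
        result["alerts"].append({"event": sig.name, "switch": msg.switch_id,
                                 "src_ip": msg.src_ip, "dst_ip": msg.dst_ip})
    return result              # "pass" alone yields no flow entry and no alert


# Constructed feature database; names and patterns are placeholders.
FEATURE_DB = [
    Signature("constructed-sig-A", {"proto": 6, "dst_port": 445},
              payload_substr=b"TESTPATTERN-1", actions=("block", "notify")),
    Signature("constructed-sig-B", {"dst_ip": "203.0.113.9"},
              actions=("block",), isolate=True),
    Signature("constructed-sig-C", {"proto": 17, "dst_port": 53},
              payload_substr=b"example.invalid", actions=("notify",)),
]

if __name__ == "__main__":
    demo = Message("106", "192.0.2.10", "198.51.100.5", 6, 445, b"xxTESTPATTERN-1yy")
    print(detect(demo, FEATURE_DB))
```

The two branches of `block_flow_entry` show the practical difference between blocking with and without isolation: the isolating entry matches on the source address alone, so its scope is far wider than the message that triggered it.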
It can be seen that, in the message detection method provided by the invention, a Hadoop cluster is deployed on the SDN controller cluster and the virus detection work originally performed by the IPS device is distributed across the SDN controllers. This greatly reduces the processing load on the IPS device, avoids situations in which a failure of the IPS device causes message loss and interrupts the traffic of the entire SDN network, and significantly improves the reliability and overall performance of the SDN network.
The present invention also provides a message detection device. Fig. 4 is a schematic structural diagram of the message detection device, which can be applied to an SDN controller of a Hadoop cluster. The device may include:
An SDN control unit 401, for receiving a mirrored message sent by a switching device;
A detection unit 402, for performing message detection on the mirrored message and determining the corresponding virus response policy;
The SDN control unit 401 is also used to send a corresponding flow entry to the switching device according to the virus response policy, so that the switching device processes messages that match the flow entry.
Further, the SDN control unit 401 is also used to:
When detecting that a host comes online, issue a detection flow entry to the switching device that the host accesses, the detection flow entry being used to control the switching device to mirror the messages it receives from the host and send the mirrored messages to this device.
Further, the SDN control unit 401 is also used to:
When the virus response policy is block, issue a blocking flow entry to the switching device, so that the switching device discards messages that hit the blocking flow entry; and/or
When the virus response policy is notify, output an alarm prompt.
Further, each SDN controller in the Hadoop cluster has one or more Hadoop operational modules; at least one SDN controller in the cluster has a Hadoop control module;
Referring to Fig. 5, the detection unit 402 may also include a Hadoop control module 4021 and/or a Hadoop operational module 4022;
The Hadoop control module 4021 is used to determine, according to the mirrored message, the Hadoop operational module that executes the message detection;
Wherein the Hadoop operational module 4022 that executes the message detection belongs to the SDN controller that received the mirrored message, or belongs to another SDN controller in the Hadoop cluster other than the SDN controller that received the mirrored message.
Further, the SDN control unit 401 is also used to generate a message detection notification message from the received mirrored message and send it to the Hadoop control module 4021;
The Hadoop control module 4021 is also used to receive the message detection notification message, specify according to load balancing the Hadoop operational module 4022 that executes the message detection, and return a response message to the specified Hadoop operational module 4022, the response message containing the identifier of the specified Hadoop operational module 4022.
Further, the Hadoop operational module 4022 is used to execute the message detection according to the response message, including: obtaining the message features of the mirrored message and matching them against the intrusion prevention system (IPS) feature database obtained in advance; and, when the message features match characteristic data in the IPS feature database, determining the virus response policy in the IPS feature database that corresponds to the characteristic data.
The specific processing flow of the message detection device applied to the SDN controller of a Hadoop cluster is consistent with the processing flow of the message detection method applied to the SDN controller of a Hadoop cluster described above, and is not repeated here.
The above device can be implemented in software or in hardware. For the hardware architecture of the switching device and SDN controller where the message detection device of the invention resides, refer to Fig. 6. The basic hardware environment includes a central processing unit (CPU) 601, a forwarding chip 602, a memory 603 and other hardware 604. The memory 603 contains machine-readable instructions, and the CPU 601 reads and executes the machine-readable instructions to perform the functions of each unit in Fig. 4.
The above are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. a kind of message detecting method, which is characterized in that applied to the software defined network SDN controller in Hadoop cluster, The described method includes:
Receive the mirror image message that switching equipment is sent;
Packet check is executed to the mirror image message, determines corresponding viral response policy;
Corresponding flow entry is sent to the switching equipment according to the viral response policy, so that the switching equipment is to matching The message of the flow entry is handled;
It is described receive switching equipment send mirror image message include:
When detecting that host is online, the switching equipment that Xiang Suoshu host is accessed issues detection flow entry, the detection flow entry This equipment, and instruction are sent to for controlling after the message that the received host is sent is carried out mirror image by the switching equipment The forwarding for instructing message how to forward that the routing forwarding information that the switching equipment is stored according to the SDN controller generates is believed Breath E-Packets.
2. the method according to claim 1, wherein being sent out according to the viral response policy to the switching equipment Corresponding flow entry is sent, so that the switching equipment handles the message for matching the flow entry, comprising:
When the viral response policy is to block, Xiang Suoshu switching equipment issues blocking flow entry, so that the switching equipment Abandon the hit message for blocking flow entry;And/or
When the viral response policy is notice, outputting alarm prompt.
3. the method according to claim 1, wherein each SDN controller in the Hadoop cluster has One or more Hadoop operational modules;At least one SDN controller has a Hadoop control module in the cluster;
After the mirror image message for receiving switching equipment transmission, the method also includes: it determines and executes the packet check Hadoop operational module;
Wherein, the Hadoop operational module for executing packet check belongs to the SDN controller for receiving the mirror image message, or Person belongs to other SDN controllers in Hadoop cluster in addition to the SDN controller for receiving the mirror image message.
4. The method according to claim 3, wherein determining the Hadoop operational module that executes the message detection comprises:
the SDN controller that received the mirrored message sending a message detection notification message to the SDN controller that has the Hadoop control module;
the SDN controller that has the Hadoop control module designating, according to load balancing, the Hadoop operational module that executes the message detection, and returning a response message to the SDN controller to which the designated Hadoop operational module belongs, the response message containing the identifier of the designated Hadoop operational module.
5. The method according to claim 3, wherein executing message detection on the mirrored message and determining the corresponding virus response policy comprises:
the SDN controller to which the Hadoop operational module executing the message detection belongs obtaining the message features of the mirrored message, and matching the message features against an intrusion prevention system (IPS) feature database obtained in advance;
when the message features match feature data in the IPS feature database, determining the virus response policy that corresponds to that feature data in the IPS feature database.
6. A message detection device, applied to a software-defined network (SDN) controller in a Hadoop cluster, the device comprising:
an SDN control unit, configured to receive a mirrored message sent by switching equipment;
a detection unit, configured to execute message detection on the mirrored message and determine a corresponding virus response policy;
the SDN control unit being further configured to send a corresponding flow entry to the switching equipment according to the virus response policy, so that the switching equipment processes messages that match the flow entry;
the SDN control unit being further configured to:
when a host is detected coming online, issue a detection flow entry to the switching equipment that the host accesses, the detection flow entry being used to control the switching equipment to mirror the received messages sent by the host and send the mirrored messages to this device, and to instruct the switching equipment to forward messages according to forwarding information that indicates how messages are to be forwarded and that is generated from the routing and forwarding information stored by the SDN controller.
7. The device according to claim 6, wherein the SDN control unit is further configured to:
when the virus response policy is to block, issue a blocking flow entry to the switching equipment, so that the switching equipment discards messages that hit the blocking flow entry; and/or
when the virus response policy is to notify, output an alarm prompt.
8. The device according to claim 6, wherein each SDN controller in the Hadoop cluster has one or more Hadoop operational modules, and at least one SDN controller in the cluster has a Hadoop control module;
the detection unit comprises: a Hadoop control module and/or a Hadoop operational module;
the Hadoop control module is configured to determine, according to the mirrored message, the Hadoop operational module that executes the message detection;
wherein the Hadoop operational module that executes the message detection belongs to the SDN controller that received the mirrored message, or belongs to another SDN controller in the Hadoop cluster other than the SDN controller that received the mirrored message.
9. The device according to claim 8, wherein
the SDN control unit is further configured to generate a message detection notification message based on the received mirrored message, and to send the notification message to the Hadoop control module;
the Hadoop control module is further configured to receive the message detection notification message, to designate, according to load balancing, the Hadoop operational module that executes the message detection, and to return a response message to the designated Hadoop operational module, the response message containing the identifier of the designated Hadoop operational module.
10. The device according to claim 9, wherein
the Hadoop operational module is configured to execute message detection according to the response message, including:
obtaining the message features of the mirrored message, and matching the message features against an intrusion prevention system (IPS) feature database obtained in advance; when the message features match feature data in the IPS feature database, determining the virus response policy that corresponds to that feature data in the IPS feature database.
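The flow recited in claims 1 to 5, sketched as an added illustration that is not part of the patent text: a detection flow entry is installed when a host comes online, a mirrored message is dispatched to the least-loaded operational module, its payload is matched against an IPS feature database, and the resulting policy yields either a blocking flow entry or an alarm. The feature strings, the dictionary-shaped flow entries, the priorities, the load metric and the choice to block by source IP are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed IPS feature database: byte feature -> virus response policy.
IPS_FEATURE_DB = {
    b"EXAMPLE-WORM-MARKER": "block",
    b"EXAMPLE-SUSPICIOUS-UA": "notify",
}

@dataclass
class Worker:
    ident: str       # identifier of the Hadoop operational module
    controller: str  # SDN controller the module belongs to
    load: int = 0    # messages handled so far (hypothetical load metric)

    def detect(self, payload: bytes):
        """Return the policy of the first matching feature, or None."""
        self.load += 1
        for feature, policy in IPS_FEATURE_DB.items():
            if feature in payload:
                return policy
        return None

def assign_worker(workers):
    """Control-module role: pick the least-loaded worker (ties by identifier)."""
    return min(workers, key=lambda w: (w.load, w.ident))

def on_host_online(flow_table, switch_id, host_ip):
    """Install the detection flow entry: mirror to the controller and still forward."""
    flow_table.setdefault(switch_id, []).append({
        "priority": 10, "match": {"ipv4_src": host_ip},
        "actions": ["mirror_to_controller", "forward_normal"]})

def handle_mirrored(workers, switch_id, src_ip, payload, flow_table, alerts):
    """Detect on one mirrored message and apply the resulting response policy."""
    worker = assign_worker(workers)
    policy = worker.detect(payload)
    if policy == "block":
        # Assumption: block by source IP; an empty action list means drop.
        flow_table.setdefault(switch_id, []).append({
            "priority": 100, "match": {"ipv4_src": src_ip}, "actions": []})
    elif policy == "notify":
        alerts.append(f"IPS feature matched: src={src_ip} switch={switch_id}")
    return worker.ident, policy
```

The blocking entry is given a higher priority than the detection entry so that, once installed, it takes precedence over mirroring and forwarding for the same source.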
CN201610620547.0A 2016-07-29 2016-07-29 Message detecting method and device Active CN106254338B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610620547.0A CN106254338B (en) 2016-07-29 2016-07-29 Message detecting method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610620547.0A CN106254338B (en) 2016-07-29 2016-07-29 Message detecting method and device

Publications (2)

Publication Number Publication Date
CN106254338A CN106254338A (en) 2016-12-21
CN106254338B true CN106254338B (en) 2019-09-06

Family

ID=57605805

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610620547.0A Active CN106254338B (en) 2016-07-29 2016-07-29 Message detecting method and device

Country Status (1)

Country Link
CN (1) CN106254338B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108400958A (en) * 2017-02-08 2018-08-14 蓝盾信息安全技术有限公司 A kind of automatic counter-scanning method realized based on SDN technologies
CN108123939A (en) * 2017-12-14 2018-06-05 华中师范大学 Malicious act real-time detection method and device
CN110602119A (en) * 2019-09-19 2019-12-20 迈普通信技术股份有限公司 Virus protection method, device and system
CN112738110A (en) * 2020-12-30 2021-04-30 绿盟科技集团股份有限公司 Bypass blocking method and device, electronic equipment and storage medium
CN112769849B (en) * 2021-01-19 2023-06-09 杭州迪普科技股份有限公司 Method, system, equipment and storage medium for virus diagnosis and blocking
CN112995277B (en) * 2021-02-01 2023-02-24 长沙市到家悠享网络科技有限公司 Access processing method and device and proxy server

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103684922A (en) * 2013-12-23 2014-03-26 蓝盾信息安全技术股份有限公司 Outlet information privacy checking detection platform system based on SDN (self-defending network) and detection method
CN104506507A (en) * 2014-12-15 2015-04-08 蓝盾信息安全技术股份有限公司 Honey net safeguard system and honey net safeguard method for SDN (self-defending network)
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计***技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
CN204669399U (en) * 2015-04-23 2015-09-23 广州万方计算机科技有限公司 Based on internet worm and the threat monitoring system of Hadoop framework
CN105468720A (en) * 2015-11-20 2016-04-06 北京锐安科技有限公司 Method for integrating distributed data processing systems, corresponding systems and data processing method
CN103051557B (en) * 2012-12-27 2016-07-06 华为技术有限公司 Data flow processing method and system, controller, switching equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10395031B2 (en) * 2010-12-30 2019-08-27 Verisign, Inc. Systems and methods for malware detection and scanning

Also Published As

Publication number Publication date
CN106254338A (en) 2016-12-21

Similar Documents

Publication Publication Date Title
CN106254338B (en) Message detecting method and device
Tan et al. A new framework for DDoS attack detection and defense in SDN environment
CN108040057B (en) Working method of SDN system suitable for guaranteeing network security and network communication quality
KR100800370B1 (en) Network attack signature generation
CN100435513C (en) Method of linking network equipment and invading detection system
CN103491060B (en) A kind of method, apparatus and system of defence Web attacks
JP2012235461A (en) Network monitoring system, computer readable recording medium, and method of identifying topology of network
CN104038466B (en) Intruding detection system, method and apparatus for cloud computing environment
US20160352774A1 (en) Mitigation of computer network attacks
JP2003533941A (en) Intelligent feedback loop process control system
CN103916288B (en) A kind of Botnet detection methods and system based on gateway with local
CN102857388A (en) Cloud detection safety management auditing system
CN106357685A (en) Method and device for defending distributed denial of service attack
CN107347047A (en) Attack guarding method and device
JP2007006054A (en) Packet repeater and packet repeating system
CN105051696A (en) An improved streaming method and system for processing network metadata
CN108234315A (en) Image network flow control protocol in a kind of virtualized network environment
Neu et al. Lightweight IPS for port scan in OpenFlow SDN networks
US11343143B2 (en) Using a flow database to automatically configure network traffic visibility systems
Jiang et al. Bsd-guard: a collaborative blockchain-based approach for detection and mitigation of sdn-targeted ddos attacks
CN115484047A (en) Method, device, equipment and storage medium for identifying flooding attack in cloud platform
CN106572103A (en) Hidden port detection method based on SDN network architecture
KR100733830B1 (en) DDoS Detection and Packet Filtering Scheme
CN110166359B (en) Message forwarding method and device
Hasan et al. Intrusion detection in a private network by satisfying constraints

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant
GR01 Patent grant