CN109450918B - IoT (Internet of things) equipment safety protection system based on software defined network - Google Patents

Info

Publication number: CN109450918B
Authority: CN (China)
Prior art keywords: control, state, flow, module, flow table
Legal status: Active
Application number: CN201811435424.5A
Other languages: Chinese (zh)
Other versions: CN109450918A (en)
Inventors: 俞研, 徐安孟, 吴比良瑜, 付安民, 苏铓, 唐军
Current assignee: Nanjing University of Science and Technology
Original assignee: Nanjing University of Science and Technology
Application filed by Nanjing University of Science and Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches


Abstract

The invention provides an IoT device security protection system based on a software defined network (SDN). It comprises a control application state acquisition module, an SDN controller decision module and an OVS virtual switch module. The control application state acquisition module acquires the state of the control application and sends it to the SDN controller decision module whenever the state changes; the SDN controller decision module generates flow table rules from the application state and sends them to the OVS virtual switch module; and the OVS virtual switch module performs access control on traffic destined for the IoT device according to the received flow table rules. The system exploits SDN's separation of the control plane from the data plane to control the traffic flowing to the IoT device, combines the state of the control end with traffic information when generating flow table rules, and thereby improves the accuracy of security protection.

Description

IoT (Internet of things) equipment safety protection system based on software defined network
Technical Field
The invention belongs to the field of device security protection technology and in particular relates to an IoT device security protection system based on a software defined network.
Background
With the spread of the smart home concept, the IoT device industry has developed rapidly and has begun to affect many aspects of family life, for example security monitoring cameras, smart sensing lamps, smart locks and smart refrigerators. Large numbers of IoT devices are bought by users and installed at home. However, because IoT devices have limited processing power and storage capacity, and because manufacturers are careless about security, the devices may contain exploitable vulnerabilities that pose serious threats to users' privacy and home security. To secure IoT devices, therefore, access control should be performed on them at the home gateway.
Most existing home gateways are routers, and most of their access control is a firewall function, namely an access control list, which controls the networking permissions of devices in the network by forbidding specific IP addresses, ports or protocols. For security access control of IoT devices, however, what must be blocked is traffic entering the home network from a malicious source, or abnormal traffic mixed in with normal traffic, so blocking purely by IP address, port and the like cannot achieve the goal of protecting the IoT device.
Disclosure of Invention
The invention aims to provide an IoT (Internet of things) device security protection system based on a software defined network.
The technical solution that realises the invention is as follows. An IoT device security protection system based on a software defined network comprises a control application state acquisition module, an SDN controller decision module and an OVS virtual switch module. The control application state acquisition module acquires the state of the control application and sends it to the SDN controller decision module whenever the state changes; the SDN controller decision module generates flow table rules from the application state and traffic statistics and sends them to the OVS virtual switch module; and the OVS virtual switch module performs access control on traffic destined for the IoT device according to the received flow table rules.
Preferably, the states of the IoT device control application include not running in the foreground and performing a control operation.
Preferably, the control application state acquisition module acquires the state of the control application as follows:
the module reads and parses the process information under the /proc directory to determine whether the application is running in the foreground. If the application is not running in the foreground, the module directly returns the state "not running in the foreground". Otherwise, the module uses code instrumentation to determine whether a control-command related function has been executed within a set time: if so, it returns the state "in control"; if not, it returns the state "running in the foreground".
Preferably, the SDN controller decision module divides traffic submitted to the controller into non-control traffic and malicious control traffic according to statistics of the traffic.
Preferably, the SDN controller decision module issues flow table rules as follows:
if the state is not running in the foreground, it issues a flow table rule that discards all traffic flowing to the IoT device; if the state is running in the foreground, it issues a rule that forwards traffic flowing to the IoT device to the controller and, once it has obtained the traffic, issues a flow table rule that forwards flows of non-control packets normally and discards flows of control packets, the two being distinguished by the characteristics of non-control and control traffic; and if the state is performing a control operation, it issues a rule that forwards normal traffic flowing to the IoT device and a rule that discards malicious control traffic.
Preferably, the control application state acquisition module sends application state information to the SDN controller decision module over HTTPS.
Preferably, the IP and MAC addresses of a protected IoT device are registered in the SDN controller decision module, and the flow table rules use these IP and MAC addresses as match fields.
Preferably, the SDN controller decision module issues flow table rules to the OVS virtual switch module over the OpenFlow protocol.
Preferably, the OVS virtual switch module operates in secure mode; if the controller is disconnected while in secure mode, the OVS virtual switch module continues to perform security access control according to the flow table rules already issued, so that the flow table rules are determined entirely by the SDN controller decision module.
Preferably, the flow table rules in the OVS virtual switch module perform access control using the source IP address and MAC address of the traffic as match fields.
Compared with the prior art, the invention has the following notable advantages: 1) the protection system is deployed on the gateway rather than on the device, which solves the problem that the device cannot protect itself effectively because of insufficient processing and storage capacity; 2) the system collects the state of the device's control application, sends it to the SDN controller decision module, and combines the state information with traffic information to generate flow table rules, which gives real-time, fine-grained security protection.
The present invention is described in further detail below with reference to the attached drawings.
Drawings
Fig. 1 is a process flow diagram of an IoT device security protection system based on a software defined network.
Fig. 2 is a schematic diagram of an IoT device security protection system based on a software defined network.
Detailed Description
As shown in fig. 2, an IoT device security protection system based on a software defined network includes a control application state acquisition module, an SDN controller decision module, and an OVS virtual switch module:
(1) control application program state acquisition module
The control application state acquisition module is deployed on the mobile device on which the control application is installed. It obtains process information under the /proc directory by means of shell commands, parses it, and judges from the process attributes whether the process is running in the foreground. If the application is not running in the foreground, the module directly returns the state "not running in the foreground"; otherwise it uses code instrumentation to judge whether a control-command related function has been executed within the last 5 to 10 seconds, returning the state "in control" if so and "running in the foreground" if not. The module monitors the state of the control application in real time, and whenever the state changes it sends the current state to the policy generation module of the SDN controller.
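As an added illustration, not code from the patent, the following Python sketch of the state acquisition module reads a /proc-style tree, classifies the application as not in the foreground, in the foreground or in control using the 5 to 10 second instrumentation window, and produces a report only when the state changes. The package name, the use of oom_score_adj as the foreground attribute, and the constructed /proc look-alike are assumptions; the HTTPS transport is left out.

```python
import os
import tempfile
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class AppState(Enum):
    NOT_FOREGROUND = "not_foreground"   # app not running in the foreground
    FOREGROUND = "foreground"           # foreground, no recent control command
    CONTROLLING = "controlling"         # control command executed within the window


def scan_proc(root: str = "/proc") -> Dict[str, int]:
    """Map each process's cmdline (the package name on Android) to its oom_score_adj.
    Assumption: a foreground app has oom_score_adj == 0; the page only says the
    judgement rests on a process attribute without naming it."""
    table: Dict[str, int] = {}
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(root, entry, "cmdline"), "rb") as f:
                name = f.read().split(b"\0", 1)[0].decode(errors="replace")
            with open(os.path.join(root, entry, "oom_score_adj")) as f:
                adj = int(f.read().strip())
        except (OSError, ValueError):
            continue  # process exited between listdir and read, or field missing
        if name:
            table[name] = min(adj, table.get(name, adj))  # best adj across the app's processes
    return table


@dataclass
class StateCollector:
    package: str                       # assumed package name of the control app
    mobile_ip: str                     # sent with the state (second step of the embodiment)
    window_s: float = 10.0             # page: 5 to 10 seconds
    last_control_call: Optional[float] = None
    last_state: Optional[AppState] = None

    def on_control_command(self, now: float) -> None:
        """Instrumentation hook placed in the app's control-command functions."""
        self.last_control_call = now

    def classify(self, proc_table: Dict[str, int], now: float) -> AppState:
        if proc_table.get(self.package, 1000) != 0:
            return AppState.NOT_FOREGROUND
        if self.last_control_call is not None and now - self.last_control_call <= self.window_s:
            return AppState.CONTROLLING
        return AppState.FOREGROUND

    def poll(self, proc_root: str, now: float) -> Optional[dict]:
        """One monitoring tick: returns the report for the controller only on a
        state change; the caller would send it over HTTPS."""
        state = self.classify(scan_proc(proc_root), now)
        if state == self.last_state:
            return None
        self.last_state = state
        return {"mobile_ip": self.mobile_ip, "state": state.value}


def make_fake_proc(entries: Iterable[Tuple[int, str, int]]) -> str:
    """Constructed /proc look-alike for offline runs: (pid, cmdline, oom_score_adj)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, name, adj in entries:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(name.encode() + b"\0")
        with open(os.path.join(d, "oom_score_adj"), "w") as f:
            f.write(f"{adj}\n")
    return root


if __name__ == "__main__":
    bg = make_fake_proc([(1234, "com.example.iotctl", 900), (1, "init", -1000)])
    fg = make_fake_proc([(1234, "com.example.iotctl", 0), (1, "init", -1000)])
    c = StateCollector("com.example.iotctl", "192.168.1.20")
    print(c.poll(bg, 0.0))    # first tick: report "not_foreground"
    print(c.poll(fg, 2.0))    # app brought to front: report "foreground"
    c.on_control_command(3.0)
    print(c.poll(fg, 4.0))    # within the window: report "controlling"
    print(c.poll(fg, 20.0))   # window expired: report "foreground" again
```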
(2) SDN controller decision module
The SDN controller decision module is deployed in the SDN controller. It analyses the current traffic in the light of the running state of the control application, divides the traffic submitted to the controller into non-control traffic, control traffic and malicious control traffic according to traffic statistics, makes a decision using the state information provided by the control application state acquisition module and the traffic provided by the OVS virtual switch module, generates security access control flow table rules with IP and MAC addresses as match fields, and issues them to the OVS virtual switch module. The decision is specifically: if the state is not running in the foreground, issue a flow table rule that discards all traffic flowing to the IoT device; if the state is running in the foreground, issue a rule that forwards traffic flowing to the IoT device to the controller and, once the traffic has been obtained, issue a flow table rule that forwards flows of non-control packets normally and discards flows of control packets, the two being distinguished by the characteristics of non-control and control traffic; and if the state is performing a control operation, issue a rule that forwards normal traffic flowing to the IoT device and a rule that discards malicious control traffic.
(3) OVS virtual switch module
The OVS virtual switch module is deployed on the home gateway, its working mode is set to secure mode, and its flow table rules depend entirely on what the SDN controller decision module issues. The default mode of the OVS virtual switch is standalone mode, in which the OVS clears its flow table rules and operates on its own once the controller is disconnected; in secure mode it does not clear the flow table rules and continues forwarding according to the rules previously issued. The OVS virtual switch module updates its flow table rules according to those issued by the SDN controller decision module and then performs access control on the traffic in the network according to those rules, thereby protecting the IoT devices in the network.
By exploiting the SDN idea of separating the data plane from the control plane, the invention works around the limited performance and storage capacity of IoT devices, provides a security protection mechanism on the home gateway, and at the same time uses the control application state acquisition module to generate policy cooperatively, so that access control is more accurate and more timely.
Examples
This embodiment uses the system of the invention to protect IoT devices, as shown in fig. 1. The security protection process comprises the following steps:
First, the control application state acquisition module acquires the state of the control application running on the mobile device: it reads the process information in the /proc directory to judge whether the control application is running in the foreground, and uses code instrumentation at key positions to judge whether the control application is executing a control command.
Second, if the control application state acquired in the first step differs from the previous state, the new state is sent to the SDN controller decision module over HTTPS; the message contains the IP address of the mobile device on which the control application runs and the current state of the control application.
Third, the SDN controller decision module acts according to the received state information:
if the state is not running in the foreground, all current traffic flowing to the IoT device is blocked, and the controller issues a flow table rule whose action is drop;
if the state is running in the foreground, control-class traffic among the current traffic flowing to the IoT device is blocked, and the controller issues a flow table rule that discards traffic whose source IP address belongs to a control-class flow;
if the state is in control, the type of each flow in the current traffic flowing to the IoT device is determined from its traffic characteristics, and the controller issues a flow table rule that discards traffic whose source IP address belongs to a malicious flow.
Fourth, the OVS virtual switch module is set to secure mode so that access control is performed only according to the rules issued by the SDN controller decision module; the OVS virtual switch module and the SDN controller decision module communicate over the OpenFlow protocol, and after obtaining the flow table rules issued by the SDN controller decision module, the OVS virtual switch module performs access control on the traffic passing through it.

Claims (8)

1. An IoT device security protection system based on a software defined network, characterized by comprising a control application state acquisition module, an SDN controller decision module and an OVS virtual switch module, wherein the control application state acquisition module is used for acquiring a control application state and sending the application state to the SDN controller decision module when the application state changes, the SDN controller decision module is used for generating flow table rules according to the application state and traffic statistics and sending the flow table rules to the OVS virtual switch module, and the OVS virtual switch module is used for performing access control on traffic of an IoT device according to the received flow table rules;
the state of the IoT device control application includes not running in the foreground and performing a control operation;
the control application state acquisition module acquires the state of the control application as follows:
the module reads and parses the process information under the /proc directory to determine whether the application is running in the foreground; if the application is not running in the foreground, the module directly returns the state "not running in the foreground"; otherwise, the module uses code instrumentation to determine whether a control-command related function has been executed within a set time, and if so returns the state "in control", and if not returns the state "running in the foreground".
2. The software defined network-based IoT device security protection system according to claim 1, wherein the SDN controller decision module divides traffic submitted to the controller into non-control traffic and malicious control traffic according to statistics of the traffic.
3. The software defined network-based IoT device security protection system according to claim 1, wherein the SDN controller decision module issues flow table rules as follows:
if the state is not running in the foreground, it issues a flow table rule that discards all traffic flowing to the IoT device; if the state is running in the foreground, it issues a rule that forwards traffic flowing to the IoT device to the controller and, once it has obtained the traffic, issues a flow table rule that forwards flows of non-control packets normally and discards flows of control packets, the two being distinguished by the characteristics of non-control and control traffic; and if the state is performing a control operation, it issues a rule that forwards normal traffic flowing to the IoT device and a rule that discards malicious control traffic.
4. The software defined network-based IoT device security protection system according to claim 1, wherein the control application state acquisition module is configured to send application state information to the SDN controller decision module over HTTPS.
5. The software defined network-based IoT device security protection system according to claim 1, wherein the IP and MAC addresses of a protected IoT device are registered in the SDN controller decision module, and the flow table rules use the IP and MAC addresses as match fields.
6. The software defined network-based IoT device security protection system according to claim 1, wherein the SDN controller decision module issues flow table rules to the OVS virtual switch module over the OpenFlow protocol.
7. The software defined network-based IoT device security protection system according to claim 1, wherein the OVS virtual switch module operates in secure mode, and if the controller is disconnected while in secure mode, the OVS virtual switch module continues to perform security access control according to the flow table rules already issued, so that the flow table rules are determined entirely by the SDN controller decision module.
8. The software defined network-based IoT device security protection system according to claim 1, wherein the flow table rules in the OVS virtual switch module perform access control using the source IP address and MAC address of the traffic as match fields.

Priority Applications (1)

Application number: CN201811435424.5A (CN109450918B)
Priority date: 2018-11-28
Filing date: 2018-11-28
Title: IoT (Internet of things) equipment safety protection system based on software defined network


Publications (2)

CN109450918A (en), published 2019-03-08
CN109450918B (en), published 2021-05-04


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant