CN110198270A - A kind of active defense method in SDN network based on path and IP address jump - Google Patents
- Publication number: CN110198270A (application CN201910390382.6A)
- Authority: CN (China)
- Prior art keywords: switch, flow table, rule, address, new
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L45/00 - Routing or path finding of packets in data switching networks
- H04L45/02 - Topology update or discovery
- H04L45/38 - Flow based routing
- H04L45/74 - Address processing for routing
Abstract
The invention discloses an active defense method based on path and IP address hopping in an SDN network, belonging to the field of moving target defense. The method comprises: S1. the source host sends a packet to the first switch; S2. the switch judges whether the packet matches a flow entry; if so, the packet is forwarded to the next-hop switch and step S5 follows; otherwise, the switch sends a Packet-In message to the controller and step S3 follows; S3. the controller selects the packet's transmission path and virtual IP addresses at the same time; S4. the controller generates flow table rules from the selected transmission path and virtual IP addresses and installs the flow table and the reverse flow table on each switch; S5. judge whether the switch is the last switch; if so, the packet is sent to the destination host, otherwise return to step S2. Using the separation of the data plane and the control plane in SDN together with the MTD idea of actively driving change, the method changes the IP addresses and the transmission path of packets without affecting normal network communication, which increases the difficulty for an attacker to obtain information and so improves the active defense capability of the system.
Description
Technical field
The invention belongs to the field of moving target defense, and more particularly to an active defense method based on path and address hopping in an SDN (Software Defined Network) network.
Background technique
Moving Target Defence (MTD) uses a dynamic, uncertain network environment to increase the attacker's difficulty and to evade attacks as far as possible. In traditional network defense, the network configuration is typically static: the attacker can reconnoitre the network at any time to plan an attack, while the defender must stay alert at all times to resist it, which creates an asymmetric attack-defense situation. Building an active, dynamic network environment can narrow this attack-defense asymmetry, but it tends to reduce system availability, which limits the capability of MTD.
The emergence of SDN brings a new opportunity to solve this problem. SDN separates the data plane from the controller, fundamentally changing the network architecture, and its centralized management helps to exploit the advantages of MTD. In the prior art, patent CN105141641A discloses a chaos-based moving target defense method and system for SDN, whose principle is to confuse the attacker by having the communicating parties transform their IPs randomly and periodically. This method can hinder the attacker's probing attacks, but once the attacker learns that the IPs in the network are disguised, since the path has not changed, by sniffing and analysing the information passing through the same switch in a short time the attacker can still capture all information of a communication at some switch. Patent CN108833285A discloses a network moving target defense method, electronic device, storage medium and system that randomly changes the path within a fixed hop period, but it does not consider the consistency of data transmission policy execution after a policy update once hopping is realized. Path switching may cause the processing rules before and after a packet to differ, and because the IP addresses are still exposed in the network, the attacker's global analysis can still sniff the communication information.
In the existing methods that realize IP and path hopping based on SDN, the information carried by packets is easily captured and analysed by a sniffer because the packet IPs are exposed in the network, and the transmission of packets may be tracked by a sniffer, which allows the attacker to perform global analysis and learn the actual state of the network, for example its topology or active hosts.
Summary of the invention
In view of the drawbacks of the prior art, the object of the invention is to solve the technical problem that the moving target defense methods for SDN networks in the prior art have poor defense capability because packet IPs are exposed and packet transmission information can be tracked.
To achieve the above object, in a first aspect, an embodiment of the invention provides an active defense method based on path and IP address hopping in an SDN network, the method comprising the following steps:
S1. The source host sends a packet to the first switch;
S2. Look up the flow table of the switch and judge whether the packet matches a flow entry; if so, forward it to the next-hop switch according to the matching flow entry and go to step S5; otherwise, the switch sends the packet header information to the controller in a Packet-In message and step S3 follows;
S3. After the controller receives the message, it simultaneously selects the transmission path of the packet from the source host to the destination host and the virtual IP addresses used to hide the host information;
S4. The controller generates flow table rules according to the selected transmission path and virtual IP addresses, and installs the flow table and the reverse flow table on each switch in the transmission path;
S5. Judge whether the switch is the last switch; if so, the packet is sent to the destination host according to the matching flow entry; otherwise, go to step S2.
Specifically, when it receives the Packet-In message sent by the first switch, the controller arbitrarily selects two virtual IP addresses from the unused IPs as the source IP and the destination IP.
Specifically, step S3 further includes:
If the sender of the Packet-In message is not the first switch, the Packet-In messages coming from non-first switches are counted and it is judged whether the count exceeds a set threshold; if so, the controller checks the flow table of the switch that sent the Packet-In message and, when a problem is found, re-installs the corresponding flow table; otherwise, the Packet-In message is ignored.
Specifically, generating flow table rules according to the selected transmission path and virtual IP addresses is as follows:
For the first switch, a rule that matches the real source IP and destination IP and performs: modifying the packet header source IP and destination IP to the virtual IP addresses, adding a version number equal to the number of the selected transmission path, and forwarding on the port of the first switch determined by the selected transmission path;
For the last switch, a rule that matches the virtual source IP, destination IP and version number and performs: restoring the packet header IPs to the real source IP and destination IP, and forwarding on the port of the last switch determined by the selected transmission path;
For each intermediate switch, a rule that matches the virtual source IP, destination IP and version number and forwards on the port of that intermediate switch determined by the selected transmission path.
Specifically, the active defense method based on path and IP address hopping in an SDN network further includes:
While the packets of a data flow are continuously transmitted according to the newest flow table, when the time since the last flow table installation reaches the IP hop period t_ip, the controller selects new virtual IP addresses and reconstructs new flow table rules, the priority of the new flow table rules being higher than that of the old ones, and installs the new flow table and reverse flow table on each switch in the selected transmission path.
Specifically, the controller selecting new virtual IP addresses to reconstruct new flow table rules is as follows:
For the first switch, a rule that matches the real source IP and destination IP and modifies the packet header source IP and destination IP to the new virtual IP addresses;
For each intermediate switch, a rule in which the IPs in the match fields are changed to the new virtual IP addresses and the Action field is unchanged;
For the last switch, a rule in which the IPs in the match fields are changed to the new virtual IP addresses and the modification of the packet header source IP and destination IP is updated for the new virtual IP addresses.
Specifically, the active defense method based on path and IP address hopping in an SDN network further includes:
While the packets of a data flow are continuously transmitted according to the newest flow table, when the time since the last flow table installation reaches the path change period t_route, the controller selects a new transmission path and reconstructs new flow table rules, the priority of the new flow table rules being higher than that of the old ones, and installs the new flow table and reverse flow table on each switch in the new transmission path.
Specifically, the controller selecting a new transmission path to reconstruct new flow table rules is as follows:
For the first switch, a rule that matches the real source IP and destination IP, sets the version number to the number of the new transmission path, and forwards on the port of the first switch determined by the new transmission path;
For each intermediate switch and the last switch, a rule in which the version number in the match fields is changed to the new path number and whose forwarding port is determined by the new transmission path.
Specifically, reconstructing new flow table rules must satisfy the following two conditions:
(1) the flow table installed by the new policy has a higher priority than that of the old policy;
(2) while the data flow is continuously transmitted according to the newest flow table, a flow table rule that is not matched for longer than the idle time t_idle is automatically deleted.
In a second aspect, an embodiment of the invention provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the active defense method based on path and IP address hopping in an SDN network described in the first aspect.
In general, compared with the prior art, the above technical scheme contemplated by the invention has the following beneficial effects:
1. By modifying the packet header source IP and destination IP and changing the transmission path, the invention makes an attacker who sniffs the network without knowing this obtain wrong or incomplete information, which increases the difficulty of stealing information and understanding the network. In this technical means, the IP modification relies on the separation of the data plane and the control plane in SDN: the data-plane switches are only responsible for forwarding according to decisions, while the controller actually manages packet forwarding in the network. Unlike a traditional network, where the IP address in the packet header is used for path finding, the modification of the packet header by flow entries does not affect the principle of network communication. The path modification relies on the controller's global scheduling capability over resources in SDN: it can obtain the network topology, obtain several transmission paths, and guide packets over different paths by deploying different flow tables, so that the attacker cannot identify active hosts, cannot recognise packets as belonging to the same data flow, and has difficulty obtaining complete information, which increases the difficulty of collecting information.
2. By actively changing the IP addresses and the path of transmitted packets at a certain frequency, the invention reduces the usefulness of the information an attacker obtains by sniffing. Even if the attacker learns that the IPs exposed in the network are virtual, tracks the virtual IPs and obtains the transmission path, what is obtained is only temporary data that may already have changed, so the originally acquired information becomes invalid, further reducing the usefulness of the attacker's information. What this technical means accomplishes is the modification of the same data flow; where the source IP and destination IP are known, the path is also known. Relying on the SDN controller's ability to plan flow entry rules in advance and to install the corresponding rules in time when the hop period is reached, the data collected by the attacker become random, irregular and time-limited, which improves the defense capability of the system.
Detailed description of the invention
Fig. 1 is a flow chart of an active defense method based on path and IP address hopping in an SDN network provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the flow table structure in each switch provided by an embodiment of the invention.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only illustrate the invention and do not limit it.
As shown in Figure 1, an active defense method based on path and IP address hopping in an SDN network comprises the following steps:
S1. The source host sends a packet to the first switch;
S2. Look up the flow table of the switch and judge whether the packet matches a flow entry; if so, forward it to the next-hop switch according to the matching flow entry and go to step S5; otherwise, the switch sends the packet header information to the controller in a Packet-In message and step S3 follows;
S3. After the controller receives the message, it simultaneously selects the transmission path of the packet from the source host to the destination host and the virtual IP addresses used to hide the host information;
S4. The controller generates flow table rules according to the selected transmission path and virtual IP addresses, and installs the flow table and the reverse flow table on each switch in the transmission path;
S5. Judge whether the switch is the last switch; if so, the packet is sent to the destination host according to the matching flow entry; otherwise, go to step S2.
Step S1. The source host sends a packet to the first switch.
The data flow continuously sends packets from the source host to the first switch. Fig. 2 takes two hosts and four switches as an example; the switches are connected to the controller (not shown). It is assumed that an IP hop is performed first (the second row) and then a path selection (the third row); whichever of IP hopping or route selection is performed, the path number or IP address that is not changed stays at its current state. Host A sends packets to host B, and the packets of host A are first transmitted to the switch C0 directly connected to it.
Step S2. Look up the flow table of the switch and judge whether the packet matches a flow entry; if so, forward it to the next-hop switch according to the matching flow entry and go to step S5; otherwise, the switch sends the packet header information to the controller in a Packet-In message and step S3 follows.
The switch has no decision-making function: it looks up the corresponding flow table and performs matching, and the transmitted packet follows the flow table rules; as long as the packet matches the match fields of a flow entry, the associated Action operations are performed. The match fields consist of certain fields of the packet header, for example the source IP and destination IP address.
If the content of a flow entry's match fields matches the corresponding information of the packet header, the packet is directly forwarded according to the instruction in the Action field of the flow entry. An Action can consist of several operations, for example modifying the IP addresses of the packet and forwarding it to a certain port of the switch.
If no flow entry matches, the switch matches the table-miss rule. The table-miss rule must be configured by the controller in advance and specifies that packets which match no flow entry are sent to the controller. The switch sends the packet header information to the controller in a Packet-In message, for example the packet's source IP, destination IP, port and MAC address.
Step S3. After the controller receives the message, it simultaneously selects the transmission path of the packet from the source host to the destination host and the virtual IP addresses used to hide the host information.
Unlike the data plane where the switches reside, the controller, as the management layer of the SDN network, deploys and controls the network and continuously monitors requests from the switches. Once a Packet-In message is received, the received packet is parsed to identify the id of the switch that sent it and the packet's source IP address; the network topology is used to determine whether that switch is directly connected to the source host, and hence whether the switch that sent the Packet-In message is the first switch. If so, route selection and virtual IP setting are performed at the same time.
When it receives the message from the first switch, the controller considers that a new communication has started and executes the corresponding routing policy to select a path. The controller parses the source IP and destination IP of the packet from the Packet-In message; using the collected information such as the working state of the network links, it evaluates each link according to one or more network performance indicators (packet loss, remaining bandwidth, delay, etc.), uses the assessed value as the link weight, and formulates the routing policy. If the overlap between paths is too large, changing the path has no effect and may even reduce network performance because of the cost of deploying and installing the policy. As the network topology grows, more paths become available, and the specific routing policy can be adjusted to the actual topology. All paths from the source host to the destination host are found, the paths with a high overlap rate are removed, and k paths are selected; assuming the transmission paths are S1, S2, ..., Sk, they are given the path numbers 1, 2, ..., k respectively, and one path Sa (1 ≤ a ≤ k) is randomly chosen among them. Once the selection is complete, the ids of all switches on the transmission path and the port that forwards to the next switch are determined.
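The path selection just described (enumerate all paths, drop paths whose overlap with an already kept path is too high, number the k survivors, pick one at random, and derive each switch's forwarding port), as an added example that is not the patent's own code. The topology, the per-link metrics, the port numbering, the link-weight formula (usable bandwidth discounted by delay) and the bottleneck path score are all constructed assumptions; the description only says that assessed link values are used as weights.

```python
import random

# Constructed sample topology (not from the patent): four switches C0..C3 with a
# cross link C1-C2; host A hangs off C0 and host B off C3.
TOPOLOGY = {
    "C0": ["C1", "C2"],
    "C1": ["C0", "C2", "C3"],
    "C2": ["C0", "C1", "C3"],
    "C3": ["C1", "C2"],
}

# Hypothetical measured indicators per link:
# (packet loss rate, remaining bandwidth in Mbit/s, delay in ms).
LINK_METRICS = {
    frozenset({"C0", "C1"}): (0.01, 800, 2.0),
    frozenset({"C1", "C3"}): (0.02, 600, 3.0),
    frozenset({"C0", "C2"}): (0.00, 500, 1.0),
    frozenset({"C2", "C3"}): (0.05, 900, 4.0),
    frozenset({"C1", "C2"}): (0.01, 400, 5.0),
}

# Hypothetical port numbering: (switch, neighbour) -> output port on that switch.
PORT_MAP = {
    ("C0", "C1"): 1, ("C0", "C2"): 2,
    ("C1", "C0"): 1, ("C1", "C2"): 2, ("C1", "C3"): 3,
    ("C2", "C0"): 1, ("C2", "C1"): 2, ("C2", "C3"): 3,
    ("C3", "C1"): 1, ("C3", "C2"): 2,
}


def link_weight(loss, bandwidth, delay):
    """Assessed value of one link, used as its routing weight (hypothetical
    formula: usable bandwidth discounted by delay; higher is better)."""
    return bandwidth * (1.0 - loss) / (1.0 + delay)


def all_simple_paths(topo, src, dst):
    """Enumerate every loop-free path from src to dst by depth-first search."""
    found = []

    def walk(node, seen, path):
        if node == dst:
            found.append(path)
            return
        for nxt in sorted(topo[node]):          # sorted for deterministic order
            if nxt not in seen:
                walk(nxt, seen | {nxt}, path + [nxt])

    walk(src, {src}, [src])
    return found


def links_of(path):
    return {frozenset({a, b}) for a, b in zip(path, path[1:])}


def path_score(path):
    """Bottleneck score: the weakest link decides the value of the path."""
    return min(link_weight(*LINK_METRICS[link]) for link in links_of(path))


def overlap_rate(p1, p2):
    """Share of links the shorter of the two paths has in common with the other."""
    l1, l2 = links_of(p1), links_of(p2)
    return len(l1 & l2) / min(len(l1), len(l2))


def select_candidate_paths(topo, src, dst, k, max_overlap):
    """Rank all paths by score, drop those overlapping an already kept path by
    more than max_overlap, keep at most k, and number them 1..k."""
    ranked = sorted(all_simple_paths(topo, src, dst),
                    key=lambda p: (-path_score(p), p))
    kept = []
    for p in ranked:
        if all(overlap_rate(p, q) <= max_overlap for q in kept):
            kept.append(p)
        if len(kept) == k:
            break
    return [(number, p) for number, p in enumerate(kept, start=1)]


def choose_active_path(candidates, rng):
    """Random choice of S_a, 1 <= a <= k; returns (path number, path)."""
    return rng.choice(candidates)


def forwarding_ports(path):
    """Switch ids on the path with the port each uses towards the next switch."""
    return [(sw, PORT_MAP[(sw, nxt)]) for sw, nxt in zip(path, path[1:])]


if __name__ == "__main__":
    cands = select_candidate_paths(TOPOLOGY, "C0", "C3", k=3, max_overlap=0.4)
    number, path = choose_active_path(cands, random.Random())
    print("candidates:", cands)
    print("active path", number, path, "ports", forwarding_ports(path))
```

With these constructed metrics the four C0-to-C3 paths rank C0-C2-C3, C0-C1-C3, then the two three-hop paths; each three-hop path shares one of its links with the best path (overlap 0.5), so with a 0.4 limit only two candidates survive even though k = 3, which is exactly the situation the description warns about: on a small topology the number of genuinely different paths, not k, bounds the hop space.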
When it receives the message from the first switch, the controller also selects virtual IP addresses for the data flow to hide the real IPs. Since the controller has recorded the IPs of the communicating hosts in the whole SDN network, it can arbitrarily select from the unused IPs a v1 as the source IP and a v2 as the destination IP, which replace the real IPs and hide the packet's IP information.
If deployment and control of the SDN network succeed, that is, the deployed packets, including the reply packets, are forwarded along the planned path, then a Packet-In message must necessarily come from the first switch. If the sender of a Packet-In message is not the first switch, the policy deployment has probably gone wrong and fault-tolerant handling is needed. Specifically, the Packet-In messages from non-first switches are counted and it is judged whether the count exceeds a set threshold; if so, the controller checks whether the flow table of the switch that sent the Packet-In message has a problem and, if it has, re-installs the corresponding flow table; otherwise, the Packet-In message is ignored.
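The controller-side handling of a Packet-In as described above, combined with the virtual IP selection from the unused pool, as an added example that is not the patent's code. The host-to-switch attachment table, the address pool, the threshold value, the `flow_table_faulty` callback standing in for the controller's flow table check, and the reset of the counter after a re-install are all assumptions made here.

```python
import ipaddress
import random
from collections import Counter

# Constructed example, not the patent's code. What the controller has learned from
# the topology: which host IP is attached to which switch (host A on C0, host B on C3).
HOST_ATTACHMENT = {"10.0.0.1": "C0", "10.0.0.2": "C3"}
# Hypothetical address pool from which unused virtual IPs are drawn.
VIRTUAL_POOL = ipaddress.ip_network("10.0.0.0/24")
# Hypothetical threshold: stray Packet-Ins tolerated per switch before its table is checked.
STRAY_THRESHOLD = 3


def select_virtual_ips(used, rng):
    """Pick two distinct addresses not in `used`: (virtual source, virtual destination)."""
    free = [str(ip) for ip in VIRTUAL_POOL.hosts() if str(ip) not in used]
    v1, v2 = rng.sample(free, 2)
    return v1, v2


class Controller:
    def __init__(self, flow_table_faulty, threshold=STRAY_THRESHOLD, rng=None):
        # flow_table_faulty(switch_id) -> bool stands in for the controller reading
        # back the switch's flow table and comparing it with the installed policy.
        self.flow_table_faulty = flow_table_faulty
        self.threshold = threshold
        self.rng = rng or random.Random()
        self.stray_counts = Counter()
        self.used_ips = set(HOST_ATTACHMENT)   # real host IPs are never used as virtual IPs

    def is_first_switch(self, switch_id, src_ip):
        """The first switch is the one directly attached to the packet's source host."""
        return HOST_ATTACHMENT.get(src_ip) == switch_id

    def handle_packet_in(self, switch_id, src_ip, dst_ip):
        if self.is_first_switch(switch_id, src_ip):
            # New communication: step S3 proper (path selection is left out here).
            v_src, v_dst = select_virtual_ips(self.used_ips, self.rng)
            self.used_ips.update((v_src, v_dst))
            return ("new_flow", v_src, v_dst)
        # Packet-In from a non-first switch: must not happen when deployment succeeded,
        # so count it and act only once the threshold is exceeded.
        self.stray_counts[switch_id] += 1
        if self.stray_counts[switch_id] > self.threshold:
            if self.flow_table_faulty(switch_id):
                self.stray_counts[switch_id] = 0   # assumption: reset after re-installing
                return ("reissue_flow_table", switch_id)
        return ("ignore", switch_id)


if __name__ == "__main__":
    ctl = Controller(flow_table_faulty=lambda sw: sw == "C2", threshold=2)
    print(ctl.handle_packet_in("C0", "10.0.0.1", "10.0.0.2"))   # first switch: new flow
    for _ in range(3):
        print(ctl.handle_packet_in("C2", "10.0.0.77", "10.0.0.88"))  # stray, then re-issue
```

A stray Packet-In carries whatever header the packet had at that switch (normally the virtual IPs), so the first-switch test fails for it naturally: no host is attached under a virtual address.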
Step S4. The controller generates flow table rules according to the selected transmission path and virtual IP addresses, and installs the flow table and the reverse flow table on each switch in the transmission path.
After the packet transmission path has been determined and the substitute virtual IP addresses have been selected, the controller installs flow tables according to the obtained ids of the switches on the path, their corresponding forwarding ports and the substitute IPs, so as to deploy the corresponding policy. This corresponds to the first row of the flow entries in Fig. 2; specifically:
For the first switch, a rule that matches the real source IP and destination IP and performs: modifying the packet header source IP and destination IP to the virtual IP addresses, adding a version number equal to the number of the selected transmission path, and forwarding on the port of the first switch determined by the selected transmission path.
For the last switch, a rule that matches the virtual source IP, destination IP and version number and performs: restoring the packet header IPs to the real source IP and destination IP, and forwarding on the port of the last switch determined by the selected transmission path.
For each intermediate switch, a rule that matches the virtual source IP, destination IP and version number and forwards on the port of that intermediate switch determined by the selected transmission path.
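The rule generation for the three switch roles, the reverse flow table for the reply direction, and a trace of one packet through the path, as an added example that is not the patent's code (it also serves the identical rule description in the summary above). Rules are plain dicts standing in for OpenFlow flow-mod messages; the `version` header field is an abstraction, since the description does not say which packet field carries the path number (a VLAN tag or metadata would serve); switch ids, ports and addresses are constructed; and `install_order` follows the ordering rule the description gives later (all other switches before the first switch).

```python
# Constructed example, not the patent's code. A rule is a dict standing in for an
# OpenFlow flow-mod; "version" is an abstract header field carrying the path number.
def build_rules(path, out_ports, real_src, real_dst, v_src, v_dst, version, priority):
    """Rules for one direction. path: switch ids from first to last switch;
    out_ports: {switch: port towards the next hop (towards the host on the last switch)}."""
    first, last = path[0], path[-1]
    rules = []
    for sw in path:
        if sw == first:
            # Match real IPs; rewrite to virtual IPs and stamp the path number.
            match = {"ip_src": real_src, "ip_dst": real_dst}
            actions = [("set_ip_src", v_src), ("set_ip_dst", v_dst),
                       ("set_version", version), ("output", out_ports[sw])]
        elif sw == last:
            # Match virtual IPs plus version; restore the real IPs before delivery.
            match = {"ip_src": v_src, "ip_dst": v_dst, "version": version}
            actions = [("set_ip_src", real_src), ("set_ip_dst", real_dst),
                       ("output", out_ports[sw])]
        else:
            # Intermediate switch: match virtual IPs plus version, just forward.
            match = {"ip_src": v_src, "ip_dst": v_dst, "version": version}
            actions = [("output", out_ports[sw])]
        rules.append({"switch": sw, "priority": priority,
                      "match": match, "actions": actions})
    return rules


def build_bidirectional(path, fwd_ports, rev_ports,
                        real_src, real_dst, v_src, v_dst, version, priority):
    """Forward flow table plus the reverse flow table for the reply packets."""
    fwd = build_rules(path, fwd_ports, real_src, real_dst, v_src, v_dst, version, priority)
    rev = build_rules(list(reversed(path)), rev_ports,
                      real_dst, real_src, v_dst, v_src, version, priority)
    return fwd + rev


def install_order(rules, first_switch):
    """All other switches first, the first switch last, so that a packet which has
    passed the first switch never reaches a switch without a matching entry."""
    return sorted(rules, key=lambda r: r["switch"] == first_switch)


def matches(rule, pkt):
    return all(pkt.get(k) == v for k, v in rule["match"].items())


def apply_actions(pkt, actions):
    pkt = dict(pkt)
    for kind, value in actions:
        if kind == "output":
            pkt["out_port"] = value
        else:                                   # "set_ip_src" -> "ip_src", etc.
            pkt[kind[len("set_"):]] = value
    return pkt


def trace(rules, path, pkt):
    """Run a packet through the switches of `path`; return what leaves each switch
    as (switch, ip_src, ip_dst, version, out_port)."""
    hops = []
    for sw in path:
        rule = next(r for r in rules if r["switch"] == sw and matches(r, pkt))
        pkt = apply_actions(pkt, rule["actions"])
        hops.append((sw, pkt["ip_src"], pkt["ip_dst"], pkt.get("version"), pkt["out_port"]))
    return hops


# Constructed flow: host A 10.0.0.1 on C0 talks to host B 10.0.0.2 on C3 over path
# C0 -> C2 -> C3 (path number 1); virtual IPs v1/v2 drawn from the unused pool.
PATH = ["C0", "C2", "C3"]
FWD_PORTS = {"C0": 2, "C2": 3, "C3": 9}   # port 9 = host-facing port (hypothetical)
REV_PORTS = {"C3": 2, "C2": 1, "C0": 9}

if __name__ == "__main__":
    rules = build_bidirectional(PATH, FWD_PORTS, REV_PORTS,
                                "10.0.0.1", "10.0.0.2", "10.0.0.77", "10.0.0.88", 1, 100)
    for r in install_order(rules, "C0"):
        print(r)
    print(trace(rules, PATH, {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2"}))
```

The trace shows the property the description relies on: on every inter-switch link the packet carries only the virtual pair and the version number, and the real addresses reappear only on the host-facing port of the last switch; the reverse rules use the swapped virtual pair, so the two directions never match each other's entries.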
Step S5. Judge whether the switch is the last switch; if so, the packet is sent to the destination host according to the matching flow entry; otherwise, go to step S2.
If the switch is the last switch, it is necessarily directly connected to the destination host. The packet is transferred to the destination host according to the Action instruction of the flow entry. Since the controller has also installed the rules for the reverse transfer, the reply packets sent from host B to host A likewise follow the planned route, so that the forwarding of the whole data flow is completed while the IPs are hidden and the path is changed.
Preferably, the active defense method based on path and IP address hopping in an SDN network further includes:
While the packets of a data flow are continuously transmitted according to the newest flow table, when the time since the last flow table installation reaches the IP hop period t_ip, the controller selects new virtual IP addresses and reconstructs new flow table rules, the priority of the new flow table rules being higher than that of the old ones, and installs the new flow table and reverse flow table on each switch in the selected transmission path.
Once the time t_ip is reached, two virtual IP addresses are randomly chosen from the unused IPs as the packet's source IP and destination IP, set to v3 and v4, which realizes address hopping within one data flow. The controller selects the new virtual IP addresses and reconstructs new flow table rules, corresponding to the second row of the flow entries in Fig. 2; the rules for the path are unchanged. Specifically:
For the first switch, a rule that matches the real source IP and destination IP and modifies the packet header source IP and destination IP to the new virtual IP addresses.
For each intermediate switch, a rule in which the IPs in the match fields are changed to the new virtual IP addresses and the Action field is unchanged.
For the last switch, a rule in which the IPs in the match fields are changed to the new virtual IP addresses and the modification of the packet header source IP and destination IP is updated for the new virtual IP addresses.
Preferably, the active defense method based on path and IP address hopping in an SDN network further includes:
While the packets of a data flow are continuously transmitted according to the newest flow table, when the time since the last flow table installation reaches the path change period t_route, the controller selects a new transmission path and reconstructs new flow table rules, the priority of the new flow table rules being higher than that of the old ones, and installs the new flow table and reverse flow table on each switch in the new transmission path.
Once the time t_route is reached, one path is again randomly selected from the k paths, and the obtained path number b (1 ≤ b ≤ k) is used as the version number. The controller selects the new transmission path and reconstructs new flow table rules, corresponding to the third row of the flow entries in Fig. 2; the rules for the IPs are unchanged. Specifically:
For the first switch, a rule that matches the real source IP and destination IP, sets the version number to the number of the new transmission path, and forwards on the port of the first switch determined by the new transmission path.
For each intermediate switch and the last switch, a rule in which the version number in the match fields is changed to the new path number and whose forwarding port is determined by the new transmission path.
According to the real network situation, the IP hop period t_ip and the path change period t_route are set as a compromise between packet loss and protection effect, generally on the order of seconds. Separate time frequencies are set for the path and for the IP address; once a time interval is reached, the old policy must be replaced by the new one. Both path changes and IP address modifications must follow these rules:
1. The flow table installed by the new policy has a higher priority than that of the old policy. If they have the same priority, packet forwarding becomes non-deterministic: the two policies coexist in the switch, and as policies are updated too quickly and the number of data flows grows, a large number of flow entries accumulate in the switch and flow table overflow may occur. Therefore, to guarantee that subsequent packets of the same data flow are forwarded according to the new policy, the new policy must be distinguished by a higher priority. But the priority cannot increase without limit and must be kept within a certain range; when the inflection point is reached and the new policy's priority is lower, forwarding follows the old policy, which does not affect other data flows and so does not disturb the system. All packets transmitted afterwards under the same match condition follow the new policy.
2. While the data flow is continuously transmitted according to the newest flow table, a flow table rule that is not matched for longer than the idle time t_idle is automatically deleted. The time t_idle must be set for the flow table to guarantee that the old policy is deleted automatically at a suitable moment. When the old and new policies alternate, packets transmitted afterwards are forwarded according to the new policy, while packets already in transit that have not yet reached the destination host can still match the flow entries of the old policy for a short time to complete forwarding; the flow entries of the old policy, not being matched for a period of time, are deleted automatically, and the new policy completely takes over the transmission work of the old one, and so on cyclically. This guarantees that service is not interrupted when policies are replaced and that the old policy is deleted automatically without placing an excessive burden on the storage space of the switch's flow table. In the embodiment of the invention t_idle is set to 2s.
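The two rules above (higher priority for the new policy, idle-timeout deletion of the old one) in a minimal model of one switch's flow table, as an added example that is not the patent's code. It runs the first switch of a single data flow through an IP hop at t_ip and a path change at t_route, one packet per second, and records which entry each packet hits and how many entries the table holds. The priority range, the hop periods, the addresses and ports are constructed; t_idle = 2 s is the value the description gives; and the behaviour at the upper end of the priority range (refuse to climb further, so the controller must re-base the flow) is one reading of the text's "inflection point", labelled as an assumption.

```python
# Constructed example, not the patent's code: a minimal model of one switch's flow
# table showing the priority rule and the idle-timeout rule for the first switch.
PRIORITY_BASE = 100        # hypothetical lower bound of the priority range
PRIORITY_CEILING = 200     # hypothetical upper bound ("inflection point")
T_IDLE = 2.0               # seconds, the value the description gives
REAL_MATCH = {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2"}   # host A -> host B (constructed)


class FlowEntry:
    def __init__(self, priority, match, set_fields, out_port, idle_timeout, now):
        self.priority = priority
        self.match = match              # header fields that must be equal
        self.set_fields = set_fields    # header rewrites (virtual IPs, version number)
        self.out_port = out_port
        self.idle_timeout = idle_timeout
        self.last_matched = now         # installation starts the idle clock

    def rewrite(self, pkt):
        return {**pkt, **self.set_fields, "out_port": self.out_port}


class SwitchTable:
    def __init__(self):
        self.entries = []

    def install(self, entry):
        self.entries.append(entry)

    def expire(self, now):
        """Rule 2: an entry not matched for idle_timeout is deleted automatically."""
        self.entries = [e for e in self.entries
                        if now - e.last_matched < e.idle_timeout]

    def lookup(self, pkt, now):
        """Rule 1: among matching entries the highest priority wins. None = table-miss."""
        self.expire(now)
        hits = [e for e in self.entries
                if all(pkt.get(k) == v for k, v in e.match.items())]
        if not hits:
            return None
        best = max(hits, key=lambda e: e.priority)
        best.last_matched = now
        return best

    def size(self):
        return len(self.entries)


def next_priority(current):
    """Bounded increase: the patent keeps priorities within a range, so refuse to
    climb past the ceiling (assumption: the controller then re-bases the flow)."""
    if current + 1 > PRIORITY_CEILING:
        raise ValueError("priority range exhausted, re-base the flow")
    return current + 1


def first_switch_scenario(t_ip=3.0, t_route=6.0, t_idle=T_IDLE, step=1.0, horizon=9.0):
    """Send one packet per `step` seconds through the first switch and record
    (time, virtual source IP, version, out port, table size) for each one."""
    table = SwitchTable()
    prio = PRIORITY_BASE
    table.install(FlowEntry(prio, REAL_MATCH,
                            {"ip_src": "10.0.0.77", "ip_dst": "10.0.0.88", "version": 1},
                            out_port=2, idle_timeout=t_idle, now=0.0))
    events, t, ip_done, route_done = [], 0.0, False, False
    while t <= horizon:
        if not ip_done and t >= t_ip:          # IP hop: new virtual IPs, same path
            prio = next_priority(prio)
            table.install(FlowEntry(prio, REAL_MATCH,
                                    {"ip_src": "10.0.0.91", "ip_dst": "10.0.0.92", "version": 1},
                                    out_port=2, idle_timeout=t_idle, now=t))
            ip_done = True
        if not route_done and t >= t_route:    # path hop: new version number and port
            prio = next_priority(prio)
            table.install(FlowEntry(prio, REAL_MATCH,
                                    {"ip_src": "10.0.0.91", "ip_dst": "10.0.0.92", "version": 2},
                                    out_port=1, idle_timeout=t_idle, now=t))
            route_done = True
        entry = table.lookup(dict(REAL_MATCH), t)
        out = entry.rewrite(dict(REAL_MATCH))
        events.append((t, out["ip_src"], out["version"], out["out_port"], table.size()))
        t += step
    return events


if __name__ == "__main__":
    for ev in first_switch_scenario():
        print(ev)
```

Because every policy for this flow matches the same real addresses, the first switch is where the priority rule matters: at t = 3 both entries match and the new one wins only because its priority is higher; the old entry then stops being matched and disappears at t = 4, once t_idle has elapsed, so the table returns to a single entry before the next hop.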
The real IPs of the transmitted packets are hidden by the first switch, with the path number given by path selection used as the version number, and the packet IPs are modified back to the real IPs by the last switch, which guarantees the accuracy of packet information delivery. Each time flow tables are installed, the controller first installs the flow table policies of the switches other than the first switch and then installs the flow table policy of the first switch, to guarantee that a packet that has passed the first switch can be forwarded correctly to the destination host instead of frequently sending requests to the controller because no flow table matches.
The invention focuses on combining the advantages of SDN and MTD. Using the separation of the data plane and the control plane in SDN together with the MTD idea of actively driving change, it changes the IPs and the transmission path of packets without affecting normal network communication, increasing the difficulty for an attacker to obtain information and so improving the active defense capability of the system. By modifying the IP addresses of transmitted packets and changing the transmission path, sensitive information that might be sniffed by the attacker is hidden, which serves to confuse the attacker. To increase the difficulty of obtaining information, the controller changes the IP addresses or the path at a certain time frequency, actively initiating change, which reduces the usefulness of sniffed information and lowers the attacker's understanding of the network state so that an attack cannot be planned, thus reducing the attack success rate and realizing active defense of the network.
The above is only a preferred specific embodiment of the application, but the protection scope of the application is not limited to it; any changes or substitutions that can easily be thought of by those familiar with the art within the technical scope disclosed in the application shall be covered by the protection scope of the application. Therefore, the protection scope of the application shall be subject to the protection scope of the claims.
Claims (10)
1. An active defense method based on path and IP address hopping in an SDN network, characterized in that the method comprises the following steps:
S1. The source host sends a packet to the first switch;
S2. The flow table of the switch is searched to determine whether the packet matches a flow entry; if so, the packet is forwarded to the next-hop switch according to the matching flow entry and the method proceeds to step S5; otherwise, the switch sends the packet header information to the controller in a Packet-In message and the method proceeds to step S3;
S3. After the controller receives the message, it simultaneously selects a transmission path for the packet from the source host to the destination host and virtual IP addresses used to hide the host information;
S4. The controller generates flow table rules according to the selected transmission path and virtual IP addresses, and issues and installs a flow table and a reverse flow table on each switch along the transmission path;
S5. It is determined whether the switch is the last switch; if so, the packet is sent to the destination host according to the matching flow entry; otherwise, the method returns to step S2.
2. The active defense method according to claim 1, characterized in that, when the Packet-In message sent by the first switch is received, the controller arbitrarily selects two virtual IP addresses from the unused IP addresses as the source IP and the destination IP.
3. The active defense method according to claim 1 or 2, characterized in that step S3 further comprises:
If the switch sending the Packet-In message is not the first switch, the Packet-In messages from non-first switches are counted and it is determined whether the count exceeds a set threshold; if so, the controller checks the flow table of the switch that uploaded the Packet-In message and, if a problem is found, re-issues the corresponding flow table; otherwise, the Packet-In message is ignored.
4. The active defense method according to any one of claims 1 to 3, characterized in that generating flow table rules according to the selected transmission path and virtual IP addresses is specifically as follows:
For the first switch, a rule that matches the real source IP and destination IP and executes the following: modify the packet header source IP and destination IP to the virtual IP addresses, add a version number equal to the number of the selected transmission path, and determine the forwarding port of the first switch according to the selected transmission path;
For the last switch, a rule that matches the virtual source IP, destination IP and version number and executes the following: restore the packet header IP addresses to the real source IP and destination IP, and determine the forwarding port of the last switch according to the selected transmission path;
For each intermediate switch, a rule that matches the virtual source IP, destination IP and version number and determines the forwarding port of the intermediate switch according to the selected transmission path.
5. The active defense method according to any one of claims 1 to 4, characterized in that the active defense method based on path and IP address hopping in the SDN network further comprises:
While the packets of a data flow are continuously transmitted according to the newest flow table, when the time elapsed since the last flow table issuance reaches the IP hopping period t_ip, the controller selects new virtual IP addresses to reconstruct new flow table rules, the priority of the new flow table rules being higher than that of the old flow table rules, and issues and installs the new flow table and reverse flow table on each switch along the selected transmission path.
6. The active defense method according to claim 5, characterized in that the controller selecting new virtual IP addresses to reconstruct new flow table rules is specifically as follows:
For the first switch, a rule that matches the real source IP and destination IP and modifies the packet header source IP and destination IP to the new virtual IP addresses;
For each intermediate switch, a rule in which the IP addresses in the match fields are each changed to the new virtual IP addresses and the Action field is left unchanged;
For the last switch, a rule in which the IP addresses in the match fields are each changed to the new virtual IP addresses and which modifies the packet header source IP and destination IP to the new virtual IP addresses.
7. The active defense method according to any one of claims 1 to 6, characterized in that the active defense method based on path and IP address hopping in the SDN network further comprises:
While the packets of a data flow are continuously transmitted according to the newest flow table, when the time elapsed since the last flow table issuance reaches the path change period t_route, the controller selects a new transmission path to reconstruct new flow table rules, the priority of the new flow table rules being higher than that of the old flow table rules, and issues and installs the new flow table and reverse flow table on each switch along the new transmission path.
8. The active defense method according to claim 7, characterized in that the controller selecting a new transmission path to reconstruct new flow table rules is specifically as follows:
For the first switch, a rule that matches the real source IP and destination IP and executes the following: modify the version number to the number of the new transmission path, and determine the forwarding port of the first switch according to the new transmission path;
For each intermediate switch and the last switch, a rule in which the version number in the match fields is set to the new path number and which determines the forwarding port of that switch according to the new transmission path.
9. The active defense method according to any one of claims 5 to 8, characterized in that reconstructing new flow table rules must satisfy the following two conditions:
(1) the priority of the flow table issued by the new strategy is higher than that of the old strategy;
(2) while the data flow is continuously transmitted according to the newest flow table, a flow table rule that is not matched for longer than the idle time t_idle is deleted automatically.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the active defense method based on path and IP address hopping in an SDN network according to any one of claims 1 to 9 is implemented.
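The rule generation of claims 4, 6 and 8 and the priority ordering of claim 9, as an added Python model that is not the patent's code: a toy controller issues one generation of per-switch rules for each hop, and a data-plane walk shows which header an observer on each link would see and why in-flight packets under the old virtual IPs are still delivered. The match-field and action names, the "version" tag, the host addresses and the three-switch topology are constructed assumptions; the model re-issues complete rules at every hop instead of editing match fields in place as claims 6 and 8 describe.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    switch: str
    priority: int       # claim 9 (1): a newer strategy outranks the older one
    match: dict         # header fields that must all be equal for a hit
    actions: tuple      # ("set", field, value) or ("output", next_hop)
    idle_timeout: int   # claim 9 (2): t_idle, rule expires when unmatched (not simulated)


class HoppingController:
    """Toy model of the controller's rule generation (claims 4, 6 and 8)."""

    def __init__(self, paths):
        self.paths = paths      # constructed: path number -> [first, ..., last switch]
        self.tables = {}        # switch -> list of installed Rules
        self.generation = 0

    def install(self, real_src, real_dst, path_no, vsrc, vdst, t_idle=10):
        """Issue one generation of rules for the flow real_src -> real_dst.
        Calling it again with new virtual IPs is the IP hop of claim 6;
        calling it with a new path_no is the path hop of claim 8."""
        self.generation += 1
        prio = 100 + self.generation          # strictly increasing priority
        path = self.paths[path_no]
        for i, sw in enumerate(path):
            nxt = path[i + 1] if i + 1 < len(path) else real_dst
            if i == 0:          # first switch: hide real IPs, tag the path version
                match = {"ipv4_src": real_src, "ipv4_dst": real_dst}
                acts = (("set", "ipv4_src", vsrc), ("set", "ipv4_dst", vdst),
                        ("set", "version", path_no), ("output", nxt))
            elif i == len(path) - 1:   # last switch: restore the real IPs
                match = {"ipv4_src": vsrc, "ipv4_dst": vdst, "version": path_no}
                acts = (("set", "ipv4_src", real_src),
                        ("set", "ipv4_dst", real_dst), ("output", nxt))
            else:               # intermediate switch: only forward along the path
                match = {"ipv4_src": vsrc, "ipv4_dst": vdst, "version": path_no}
                acts = (("output", nxt),)
            self.tables.setdefault(sw, []).append(Rule(sw, prio, match, acts, t_idle))


def forward(tables, switch, pkt):
    """Data-plane walk (steps S2 and S5): at each switch apply the highest-priority
    matching rule. Returns (trace of (switch, header on its egress link), endpoint);
    the endpoint is the destination host, or "packet-in" on a table miss."""
    trace, hop = [], switch
    while hop in tables:
        hits = [r for r in tables[hop]
                if all(pkt.get(k) == v for k, v in r.match.items())]
        if not hits:
            return trace, "packet-in"     # miss: header goes to the controller
        nxt = None
        for act in max(hits, key=lambda r: r.priority).actions:
            if act[0] == "set":
                pkt[act[1]] = act[2]
            else:
                nxt = act[1]
        trace.append((hop, dict(pkt)))
        hop = nxt
    return trace, hop
```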
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910390382.6A CN110198270A (en) | 2019-05-10 | 2019-05-10 | A kind of active defense method in SDN network based on path and IP address jump |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110198270A true CN110198270A (en) | 2019-09-03 |
Family
ID=67752576
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110198270A (en) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110611671A (en) * | 2019-09-12 | 2019-12-24 | 北京邮电大学 | Local area network communication method and device based on moving target defense |
CN111163062A (en) * | 2019-12-12 | 2020-05-15 | 之江实验室 | Multi-network address hopping security defense method for cross fire attack |
CN111224934A (en) * | 2019-10-31 | 2020-06-02 | 浙江工商大学 | Service path verification method for mimicry configuration in mimicry defense |
CN111385228A (en) * | 2020-02-26 | 2020-07-07 | 天津理工大学 | Mobile target defense method based on openflow switch port confusion |
CN111884941A (en) * | 2020-08-03 | 2020-11-03 | 中国人民解放军92941部队 | Safe SDN multicast system and control method thereof |
CN113098900A (en) * | 2021-04-29 | 2021-07-09 | 福建奇点时空数字科技有限公司 | SDN network IP hopping method supporting address space expansion |
CN113114666A (en) * | 2021-04-09 | 2021-07-13 | 天津理工大学 | Moving target defense method for scanning attack in SDN network |
CN113242215A (en) * | 2021-04-21 | 2021-08-10 | 华南理工大学 | Defense method, system, device and medium for SDN fingerprint attack |
CN113259387A (en) * | 2021-06-21 | 2021-08-13 | 江苏天翼安全技术有限公司 | Method for preventing honeypot from being controlled to jump board machine based on virtual exchange |
CN113595769A (en) * | 2021-07-09 | 2021-11-02 | 武汉大学 | Multi-node network delay time window calculation method for hopping network |
CN113612691A (en) * | 2021-08-06 | 2021-11-05 | 浙江工商大学 | Path conversion method, storage medium and terminal equipment |
CN113765896A (en) * | 2021-08-18 | 2021-12-07 | 广东三水合肥工业大学研究院 | Internet of things implementation system and method based on artificial intelligence |
CN113810404A (en) * | 2021-09-15 | 2021-12-17 | 佳缘科技股份有限公司 | SDN (software defined network) -based dynamic defense system and method for full-view transformation of network |
CN114124491A (en) * | 2021-11-12 | 2022-03-01 | 中国电信股份有限公司 | Method and system for preventing bypass hijacking, ingress and egress switch and security network element |
CN114257538A (en) * | 2021-12-07 | 2022-03-29 | 中国人民解放军63891部队 | SDN-based address random transformation method |
CN114826923A (en) * | 2021-01-27 | 2022-07-29 | 华中科技大学 | Network rigidity evaluation method of SDN network |
CN115065531A (en) * | 2022-06-14 | 2022-09-16 | 天津理工大学 | SDN-based moving target defense method for IoT network sniffing attack |
CN116170396A (en) * | 2022-12-29 | 2023-05-26 | 天翼云科技有限公司 | IM message transmission method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104301129A (en) * | 2013-07-16 | 2015-01-21 | 上海宽带技术及应用工程研究中心 | Dynamic host configuration method and system in software defined network |
CN105429957A (en) * | 2015-11-02 | 2016-03-23 | 芦斌 | IP address jump safety communication method based on SDN framework |
CN106657066A (en) * | 2016-12-23 | 2017-05-10 | 中国电子科技集团公司第三十研究所 | Random jumping method and device for network management plane address |
CN109729022A (en) * | 2017-10-30 | 2019-05-07 | 华为技术有限公司 | A kind of data transmission method for uplink based on software defined network, apparatus and system |
- 2019-05-10 CN CN201910390382.6A patent/CN110198270A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20190903