CN110298381A - A kind of cloud security service functional tree Network Intrusion Detection System - Google Patents
- Publication number: CN110298381A
- Application number: CN201910441565.6A
- Authority: CN (China)
- Prior art keywords: network, tree, submodule, resource, cloud security
- Legal status: Granted (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F18/00—Pattern recognition
        - G06F18/20—Analysing
          - G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
            - G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
            - H04L63/1425—Traffic logging, e.g. anomaly detection
          - H04L63/1441—Countermeasures against malicious traffic
Abstract
The present invention relates to the field of network monitoring, and more specifically to a cloud security service function tree network intrusion detection system. The system comprises a service tree topology orchestration module, a service tree topology mapping module, a flow feature database module and a global resource monitoring module. Cloud security resources are provided by network function virtualization (NFV). Security defence strategies are customised flexibly according to the cloud security situation: the cloud security service function tree is deployed in the direction close to the network attack source, and suspicious network traffic is progressively subdivided and identified. In each subdivided branch of the cloud security service function tree, the corresponding cloud security VNF is scheduled, according to the security defence strategy and the network attributes of the traffic in the current branch, to perform finer-grained processing, which substantially improves the security of the network.
Description
Technical field
The present invention relates to the field of network monitoring, and in particular to a cloud security service function tree network intrusion detection system based on decision tree classification and implemented in an SDN/NFV cloud computing environment.
Background art
When two hosts on a network communicate, the data packets must pass through the various network function nodes distributed throughout the data center before the user can be guaranteed a secure, fast and stable network service. When business traffic must be delivered, in the order required by the service logic, to the corresponding network function nodes for processing, the network function nodes and links that the traffic passes through are collectively called a service function chain. In a traditional network the service function chain is tightly coupled to the underlying physical network topology, which makes it difficult to deploy and update, and the network functions are implemented by dedicated hardware appliances statically deployed throughout the data center. When business requirements change, or the service chain has to be changed or its load capacity expanded to meet new requirements, the physical network topology must be modified.
The concept of cloud computing has broken the information silos of conventional data centers. In a cloud computing data center, thanks to the wide use of virtualization, SDN and NFV decouple the tenant's logical network from the underlying physical network, separate the control plane from the forwarding plane, and allow virtualized network functions (VNFs) to be created dynamically and deployed flexibly. Deploying service function chains in a cloud computing environment therefore offers a new approach to network security problems.
Summary of the invention
To overcome the deficiency of the prior art described above, namely that the physical network topology must be modified whenever business requirements change or the service chain has to be changed or its load capacity expanded to meet new requirements, the present invention provides a cloud security service function tree network intrusion detection system.
The technical solution adopted to solve the above technical problem is as follows:
A cloud security service function tree network intrusion detection system comprises a service tree topology orchestration module, a service tree topology mapping module, a flow feature database module and a global resource monitoring module.
The flow feature database module stores the network flow features of network attacks and, according to the cloud security situation, selects the corresponding attack flow feature data sets to construct a training set.
The service tree topology orchestration module constructs a decision tree classification model according to the cloud security situation, trains and prunes the decision tree model with the training set built in the flow feature database module, and passes the trained decision tree classification model to the service tree topology mapping module.
The service tree topology mapping module receives the decision tree classification model constructed by the service tree topology orchestration module and maps each decision rule matching node of the model onto the corresponding service function tree node; the service function tree nodes then perform the matching and classification of network traffic.
The global resource monitoring module monitors and maintains the network-wide resources of the flow feature database module, the service tree topology orchestration module and the service tree topology mapping module, so that during the mapping of the cloud security service function tree topology and the construction of the virtual logical network it can provide the actual carrying capacity of the underlying infrastructure and optimise the mapping and deployment of VNF resources.
Preferably, the decision tree classification model stacks and multiplexes multiple service function chains to optimise security function orchestration and virtual resource deployment; the cloud security service function tree is deployed in the direction close to the network attack source, and suspicious network traffic is progressively subdivided and identified to complete targeted fine-grained processing.
Preferably, the service tree topology mapping module comprises a traffic scheduling submodule and a VNF resource scheduling submodule. The traffic scheduling submodule classifies network data packets and performs forwarding policy matching; the VNF resource scheduling submodule performs on-demand scheduling and classification according to the service function tree orchestration strategy.
Preferably, the traffic scheduling submodule uses OpenFlow multilevel flow tables to classify network data packets according to their source direction.
Preferably, the VNF resource scheduling submodule uses Docker containers as the carrier of the virtual network functions and performs on-demand scheduling according to the service function tree orchestration strategy.
Preferably, the global resource monitoring module further comprises a topology discovery submodule, a VNF resource monitoring submodule and an infrastructure resource monitoring submodule. The topology discovery submodule performs network-wide topology discovery and virtual host discovery; the VNF resource monitoring submodule performs state analysis and statistics of the VNF resources across the whole network; the infrastructure resource monitoring submodule monitors the operating status of the physical devices of the infrastructure layer. The topology discovery submodule, the VNF resource monitoring submodule and the infrastructure resource monitoring submodule work independently of one another, and each submits the status information it monitors to the global resource monitoring module, which aggregates and processes it.
Preferably, the topology discovery submodule is implemented as a modular extension developed on the SDN controller; the module encapsulates the LLDP link discovery protocol and ARP as probe messages to complete network-wide topology discovery and virtual host discovery.
Preferably, the VNF resource monitoring submodule deploys a network flow feature collection module on each VNF node and updates the network flow feature information in real time, so that it can perform state analysis and statistics of the VNF resources across the whole network.
Preferably, the infrastructure resource monitoring submodule obtains in real time the usage of the compute, storage and network resources of the physical servers across the whole network, in order to monitor the operating status of the physical devices of the infrastructure layer.
Compared with the prior art, the technical solution of the present invention has the following beneficial effects:
(1) To address the problems that a service function chain has a single processing logic, that the virtual function nodes of different service function chains are mutually independent, and that reusability is low, the present invention proposes a new service function tree topology at the virtual logical network level. Function and resource deployment are optimised by stacking and multiplexing multiple service function chains, and the branch nodes of the tree topology split and separate network traffic of different types.
(2) The cloud security service function tree model is built on the idea of decision tree classification: decision rule matching nodes are mapped onto the corresponding service function tree topology nodes; each service function tree node collects and analyses the features of the traffic flowing into it and matches them against its decision rule to determine the next-hop branch of the traffic, so that suspicious traffic is progressively subdivided and identified. Compared with processing suspicious traffic with a decision tree on a single node, the service function tree can flexibly embed the appropriate virtual network function between decision rule matching nodes, according to the traffic features, to perform specific processing.
Description of the drawings
Fig. 1 is a schematic diagram of the overall structure of the system of the invention;
Fig. 2 is a schematic diagram of the cloud security service function tree topology;
Fig. 3 is a schematic diagram of network packet forwarding in the OVS dual-bridge architecture;
Fig. 4 is a design diagram of the OpenFlow multilevel flow table.
Detailed description of the embodiments
The drawings are for illustrative purposes only and are not to be construed as limiting the patent.
In order to better illustrate the embodiments, certain components of the drawings are omitted, enlarged or reduced and do not represent the size of the actual product.
Those skilled in the art will understand that certain well-known structures and their description may be omitted from the drawings.
The technical solution of the present invention is further described below with reference to the drawings and embodiments.
Embodiment 1
As shown in Fig. 1 and Fig. 2, a cloud security service function tree network intrusion detection system comprises a service tree topology orchestration module 1, a service tree topology mapping module 2, a flow feature database module 3 and a global resource monitoring module 4.
The flow feature database module 3 stores the network flow features of network attacks and, according to the cloud security situation, selects the corresponding attack flow feature data sets to construct a training set.
The service tree topology orchestration module 1 constructs a decision tree classification model according to the cloud security situation, trains and prunes the decision tree model with the training set built in the flow feature database module 3, and passes the trained decision tree classification model to the service tree topology mapping module 2.
The service tree topology mapping module 2 receives the decision tree classification model constructed by the service tree topology orchestration module 1 and maps each decision rule matching node of the model onto the corresponding service function tree node; the service function tree nodes then perform the matching and classification of network traffic.
The global resource monitoring module 4 monitors and maintains the network-wide resources of the flow feature database module 3, the service tree topology orchestration module 1 and the service tree topology mapping module 2, so that during the mapping of the cloud security service function tree topology and the construction of the virtual logical network it can provide the actual carrying capacity of the underlying infrastructure and optimise the mapping and deployment of VNF resources.
As a preferred embodiment, the decision tree classification model stacks and multiplexes multiple service function chains to optimise security function orchestration and virtual resource deployment; the cloud security service function tree is deployed in the direction close to the network attack source, and suspicious network traffic is progressively subdivided and identified to complete targeted fine-grained processing.
As a preferred embodiment, the service tree topology mapping module 2 comprises a traffic scheduling submodule 5 and a VNF resource scheduling submodule 6. The traffic scheduling submodule 5 classifies network data packets and performs forwarding policy matching; the VNF resource scheduling submodule 6 performs on-demand scheduling and classification according to the service function tree orchestration strategy.
As a preferred embodiment, the traffic scheduling submodule 5 uses OpenFlow multilevel flow tables to classify network data packets according to their source direction.
As a preferred embodiment, the VNF resource scheduling submodule 6 uses Docker containers as the carrier of the virtual network functions and performs on-demand scheduling according to the service function tree orchestration strategy.
As a preferred embodiment, the global resource monitoring module 4 further comprises a topology discovery submodule 7, a VNF resource monitoring submodule 8 and an infrastructure resource monitoring submodule 9. The topology discovery submodule 7 performs network-wide topology discovery and virtual host discovery; the VNF resource monitoring submodule 8 performs state analysis and statistics of the VNF resources across the whole network; the infrastructure resource monitoring submodule 9 monitors the operating status of the physical devices of the infrastructure layer. The topology discovery submodule 7, the VNF resource monitoring submodule 8 and the infrastructure resource monitoring submodule 9 work independently of one another, and each submits the status information it monitors to the global resource monitoring module 4, which aggregates and processes it.
As a preferred embodiment, the topology discovery submodule 7 is implemented as a modular extension developed on the SDN controller; the module encapsulates the LLDP link discovery protocol and ARP as probe messages to complete network-wide topology discovery and virtual host discovery.
As a preferred embodiment, the VNF resource monitoring submodule 8 deploys a network flow feature collection module on each VNF node and updates the network flow feature information in real time, so that it can perform state analysis and statistics of the VNF resources across the whole network.
As a preferred embodiment, the infrastructure resource monitoring submodule 9 obtains in real time the usage of the compute, storage and network resources of the physical servers across the whole network, in order to monitor the operating status of the physical devices of the infrastructure layer.
Fig. 2 is a schematic diagram of the cloud security service function tree topology in operation. The bottom layer is the infrastructure made up of the physical hardware devices of several data centers; after the physical device resources are virtualized, a cloud security resource pool is constructed, from which the cloud security service function tree is scheduled and orchestrated. The middle layer shows the VNF cloud security resource pool formed after the infrastructure layer resources are virtualized; VNFs in different data centers communicate through VxLAN tunnels. The top layer is the tree topology in the virtual logical network layer: the VNF nodes are connected according to the service tree topology orchestration strategy to form a tree, and each branch of the tree handles the network traffic with the corresponding features.
Embodiment 2
As shown in Fig. 3 and Fig. 4, in this embodiment the tree topology of the service function tree is combined with the classification characteristics of a decision tree for identifying attack traffic: the feature rules matched at each decision tree node are distributed to the VNF nodes of the service function tree, where they are evaluated. Guided by the decision tree classification idea, every path from the root node of the service tree to a leaf node is the path of VNF nodes traversed by network traffic with a certain set of features. For the inter-data-center VNF communication in Fig. 3, a virtualized container network is implemented. Two OVS virtual bridges are built on each host by network virtualization: the br-int bridge mainly plays the role of packet switching within the local network segment of the container data exchange network, while the br-tun bridge classifies network data packets according to their source direction and performs forwarding policy matching. The virtual NIC (vNIC) of each VNF container is bound to a virtual port (vPort) of the OVS bridge to form a communication channel, and VxLAN tunnels are built to carry container network traffic between data centers.
1) Service tree topology orchestration module 1
The service tree topology orchestration module 1 orchestrates and constructs the cloud security service function tree using the C4.5 decision tree algorithm. Network flow features that take continuous values are discretized by bisection. The core idea of bisection is to sort the k distinct values of feature Am in ascending order; the midpoint of each pair of adjacent values is taken as a candidate threshold that splits all the values into two parts, giving k-1 candidate splits. The information gain of each of the k-1 splits is computed, and the threshold that yields the maximum information gain is chosen as the bisection threshold of feature Am.
To prevent over-fitting while the decision tree is being built, the tree is pruned with the pessimistic error pruning algorithm. Pessimistic pruning needs no additional test data set and trims the decision tree from top to bottom.
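The bisection threshold search described above, followed by greedy tree construction on the chosen thresholds, as an added example that is not the patent's code. It scores the k-1 midpoint candidates by plain information gain, as the text states (C4.5 proper uses gain ratio), and does not implement pessimistic pruning. The feature names and the six training rows are constructed; in the patent the rows would carry the nine per-window flow features from the flow feature database module.

```python
"""Added example (not the patent's code): C4.5-style bisection of a
continuous flow feature and greedy tree construction by information gain.
Feature names and training rows are constructed assumptions; pruning is
not implemented here."""
import math
from collections import Counter


def entropy(labels):
    """Shannon entropy in bits of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def candidate_thresholds(values):
    """Sort the k distinct values ascending; return the k-1 midpoints."""
    distinct = sorted(set(values))
    return [(a + b) / 2 for a, b in zip(distinct, distinct[1:])]


def information_gain(values, labels, threshold):
    """Gain of splitting into (value <= threshold) and (value > threshold)."""
    left = [lab for v, lab in zip(values, labels) if v <= threshold]
    right = [lab for v, lab in zip(values, labels) if v > threshold]
    n = len(labels)
    conditional = (len(left) / n) * entropy(left) + (len(right) / n) * entropy(right)
    return entropy(labels) - conditional


def best_threshold(values, labels):
    """Return (threshold, gain) with maximum gain; (None, -1.0) if no split exists."""
    best = (None, -1.0)
    for t in candidate_thresholds(values):
        g = information_gain(values, labels, t)
        if g > best[1]:
            best = (t, g)
    return best


def majority(labels):
    return Counter(labels).most_common(1)[0][0]


def build_tree(rows, labels, features, max_depth=4):
    """Greedy binary tree: internal node = (feature, threshold, left, right); leaf = label."""
    if len(set(labels)) == 1 or max_depth == 0:
        return majority(labels)
    best = None                      # (feature, threshold, gain)
    for f in features:
        t, g = best_threshold([r[f] for r in rows], labels)
        if t is not None and (best is None or g > best[2]):
            best = (f, t, g)
    if best is None or best[2] <= 0:
        return majority(labels)
    f, t, _ = best
    left = [i for i, r in enumerate(rows) if r[f] <= t]
    right = [i for i, r in enumerate(rows) if r[f] > t]
    return (f, t,
            build_tree([rows[i] for i in left], [labels[i] for i in left], features, max_depth - 1),
            build_tree([rows[i] for i in right], [labels[i] for i in right], features, max_depth - 1))


def classify(tree, row):
    """Walk root to leaf; each internal node is one decision rule matching node."""
    while isinstance(tree, tuple):
        f, t, left, right = tree
        tree = left if row[f] <= t else right
    return tree


# Constructed training set using two of the nine per-window features (assumed names).
FEATURES = ["syn_ratio", "dst_port_ratio"]
TRAIN = [
    ({"syn_ratio": 0.05, "dst_port_ratio": 0.10}, "benign"),
    ({"syn_ratio": 0.08, "dst_port_ratio": 0.12}, "benign"),
    ({"syn_ratio": 0.10, "dst_port_ratio": 0.60}, "portscan"),
    ({"syn_ratio": 0.12, "dst_port_ratio": 0.70}, "portscan"),
    ({"syn_ratio": 0.90, "dst_port_ratio": 0.05}, "synflood"),
    ({"syn_ratio": 0.95, "dst_port_ratio": 0.08}, "synflood"),
]


def train_demo_tree():
    rows = [r for r, _ in TRAIN]
    labels = [lab for _, lab in TRAIN]
    return build_tree(rows, labels, FEATURES)


if __name__ == "__main__":
    tree = train_demo_tree()
    print(tree)
    print(classify(tree, {"syn_ratio": 0.93, "dst_port_ratio": 0.06}))
```

Each internal node of the returned tree is a (feature, threshold) rule; in the patent's design it is these rules that the mapping module distributes to the VNF nodes, one per branch point of the service function tree.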
2) Service tree topology mapping module 2
According to the architecture of the cloud security service function tree, an OVS dual-bridge architecture is designed to ensure high availability and scalability, as shown in Fig. 3. Two OVS virtual bridges are built on each host by network virtualization. The br-int bridge mainly handles packet switching within the local network segment of the container data exchange network: it adds and strips VLAN tags and performs ordinary packet forwarding. The br-tun bridge uses the multilevel flow tables of OpenFlow 1.3 to classify network data packets according to their source direction and perform forwarding policy matching (the multilevel flow table design is shown in Fig. 4); by encapsulating packets in VxLAN tunnels it is responsible for communication within the large layer-2 network that spans the data centers. OVS moves packets between the two bridges through a pair of patch ports established between br-int and br-tun.
As shown in Fig. 4, the processing logic of the multilevel flow table in the br-tun bridge is designed as follows:
Table 0 handles every packet that passes through the br-tun bridge and, according to the packet's source, submits it to the corresponding next-level table for matching. Packets from the local network segment enter br-tun through the patch-int port and are passed to Table 1; packets travelling between data centers enter through a VxLAN port and are submitted to Table 2.
Table 1 forwards local-segment packets across data centers. A multicast or broadcast packet jumps to Table 11, where it is flooded out of all VxLAN ports; for a unicast packet, the VLAN ID tag is used to determine the data center tunnel port of the next hop, and the packet is forwarded to that tunnel port.
Table 2 handles packets flowing from other data centers into the local network segment: according to the source Tunnel ID, the corresponding VLAN tag is added to the packet, which is then submitted through the patch-int port to the local-segment bridge br-int.
Table 10 handles the unicast packets submitted by Table 1: the VLAN ID is stripped, the corresponding VxLAN tunnel ID is added, and the packet is sent out of the corresponding VxLAN port.
Table 11 handles the multicast or broadcast packets submitted by Table 1: the VLAN ID is stripped and the packet is flooded out of all VxLAN ports.
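The five-table pipeline above, modelled as an added example that is not the patent's code, so the dispatch decisions of br-tun can be traced without an OVS host. The port names, the VLAN-to-tunnel-ID mapping, the unicast next-hop table and the flooding of unknown unicast are constructed assumptions; Fig. 4 only specifies the table roles.

```python
"""Added example (not the patent's code): a model of the br-tun multilevel
flow table (Tables 0, 1, 2, 10, 11). Port names, the VLAN-to-VNI mapping
and the unicast next-hop table are constructed assumptions."""

PATCH_INT = "patch-int"                      # patch port towards br-int
VXLAN_PORTS = ["vxlan-dc2", "vxlan-dc3"]     # tunnel ports to remote data centers (assumed)
VLAN_TO_VNI = {100: 5000, 200: 5001}         # local VLAN tag <-> VxLAN tunnel ID (assumed)
VNI_TO_VLAN = {vni: vlan for vlan, vni in VLAN_TO_VNI.items()}
# Unicast next hop, keyed by (VLAN ID, destination MAC) -> tunnel port (assumed)
UNICAST_NEXT_HOP = {
    (100, "02:00:00:00:00:21"): "vxlan-dc2",
    (200, "02:00:00:00:00:31"): "vxlan-dc3",
}


def is_group_address(mac):
    """Multicast/broadcast frames have the group bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def drop(reason):
    return {"action": "drop", "reason": reason}


def output(ports, vlan, tun_id):
    return {"action": "output", "ports": list(ports), "vlan": vlan, "tun_id": tun_id}


def table0(pkt):
    """Classify by source direction: local segment -> Table 1, tunnel -> Table 2."""
    if pkt["in_port"] == PATCH_INT:
        return table1(pkt)
    if pkt["in_port"] in VXLAN_PORTS:
        return table2(pkt)
    return drop("unknown in_port")


def table1(pkt):
    """Local-segment packet leaving towards other data centers."""
    if is_group_address(pkt["dst_mac"]):
        return table11(pkt)
    port = UNICAST_NEXT_HOP.get((pkt["vlan"], pkt["dst_mac"]))
    if port is None:
        return table11(pkt)          # unknown unicast: flood (assumption)
    return table10(pkt, port)


def table2(pkt):
    """Packet arriving from another data center: tunnel ID -> local VLAN tag."""
    vlan = VNI_TO_VLAN.get(pkt["tun_id"])
    if vlan is None:
        return drop("unknown tunnel ID")
    return output([PATCH_INT], vlan, None)


def table10(pkt, port):
    """Unicast: strip VLAN, set tunnel ID, send out one VxLAN port."""
    vni = VLAN_TO_VNI.get(pkt["vlan"])
    if vni is None:
        return drop("unknown VLAN")
    return output([port], None, vni)


def table11(pkt):
    """Multicast/broadcast: strip VLAN, set tunnel ID, flood all VxLAN ports."""
    vni = VLAN_TO_VNI.get(pkt["vlan"])
    if vni is None:
        return drop("unknown VLAN")
    return output(VXLAN_PORTS, None, vni)


def forward(pkt):
    """Entry point: every packet enters br-tun at Table 0."""
    return table0(pkt)


if __name__ == "__main__":
    local_unicast = {"in_port": PATCH_INT, "dst_mac": "02:00:00:00:00:21",
                     "vlan": 100, "tun_id": None}
    print(forward(local_unicast))
```

A packet whose tunnel ID or VLAN is not in the mapping is dropped rather than forwarded; on a real br-tun this corresponds to the table-miss entry, and it is the check that stops a frame from one tenant segment being injected into another.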
3) Flow feature database module 3
The flow feature database module 3 mainly stores statistical evaluations of how network flow features behave when common network attacks occur. Based on the principles of common network attacks, nine network flow features are selected and constructed for the decision tree: within a time window, the proportion of TCP packets among all packets flowing into the VNF, the proportion of UDP packets among all packets, the proportion of ICMP packets among all packets, the proportion of SYN packets among the TCP packets, the proportion of packets with distinct destination host addresses among all packets, the proportion of packets with distinct destination ports among all packets, the proportion of packets with distinct source hosts among all packets, the proportion of packets with distinct source ports among all packets, and the average bandwidth of the packets flowing into the VNF.
When selecting flow features, network traffic has a fast transient change rate and low temporal correlation, so time-based statistics are used to reflect anomalous attack traffic more accurately; the concept of a time window smooths the transient changes of network traffic, and the traffic features are characterized over a 1-second time window.
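The nine features computed over 1-second windows, as an added example that is not the patent's code. The packet records, their field names and the two constructed windows (a SYN flood from spoofed sources, then ordinary mixed traffic) are assumptions made for the example; the patent does not state the record format of its flow feature collection module.

```python
"""Added example (not the patent's code): the nine per-window flow features
over 1-second time windows. Packet records and field names are constructed
assumptions."""
from collections import defaultdict

WINDOW_SECONDS = 1.0

FEATURE_NAMES = ["tcp_ratio", "udp_ratio", "icmp_ratio", "syn_ratio",
                 "dst_host_ratio", "dst_port_ratio", "src_host_ratio",
                 "src_port_ratio", "avg_bandwidth_bps"]


def window_features(packets, window=WINDOW_SECONDS):
    """Group packets into windows of `window` seconds and compute the nine features.
    Each packet is a dict: ts (s), proto, src, sport, dst, dport, syn, length (bytes).
    Returns {window_index: {feature_name: value}}."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p["ts"] // window)].append(p)
    result = {}
    for idx, pkts in sorted(buckets.items()):
        n = len(pkts)
        tcp = [p for p in pkts if p["proto"] == "tcp"]
        result[idx] = {
            "tcp_ratio": len(tcp) / n,
            "udp_ratio": sum(p["proto"] == "udp" for p in pkts) / n,
            "icmp_ratio": sum(p["proto"] == "icmp" for p in pkts) / n,
            # SYN share is taken among TCP packets only, as the text states
            "syn_ratio": sum(bool(p.get("syn")) for p in tcp) / len(tcp) if tcp else 0.0,
            "dst_host_ratio": len({p["dst"] for p in pkts}) / n,
            "dst_port_ratio": len({p.get("dport") for p in pkts}) / n,
            "src_host_ratio": len({p["src"] for p in pkts}) / n,
            "src_port_ratio": len({p.get("sport") for p in pkts}) / n,
            "avg_bandwidth_bps": 8 * sum(p["length"] for p in pkts) / window,
        }
    return result


def constructed_packets():
    """Window 0: a SYN flood from ten spoofed sources; window 1: ordinary mixed traffic."""
    pkts = [
        {"ts": 0.05 * i, "proto": "tcp", "src": f"198.51.100.{i + 1}", "sport": 1000 + i,
         "dst": "10.0.0.9", "dport": 80, "syn": True, "length": 60}
        for i in range(10)
    ]
    pkts += [
        {"ts": 1.1, "proto": "tcp", "src": "10.0.0.5", "sport": 40000,
         "dst": "10.0.0.9", "dport": 80, "syn": True, "length": 60},
        {"ts": 1.3, "proto": "tcp", "src": "10.0.0.5", "sport": 40000,
         "dst": "10.0.0.9", "dport": 80, "syn": False, "length": 1500},
        {"ts": 1.5, "proto": "udp", "src": "10.0.0.5", "sport": 40001,
         "dst": "10.0.0.53", "dport": 53, "length": 80},
        {"ts": 1.8, "proto": "icmp", "src": "10.0.0.6", "sport": None,
         "dst": "10.0.0.9", "dport": None, "length": 98},
    ]
    return pkts


if __name__ == "__main__":
    for idx, feats in window_features(constructed_packets()).items():
        print(idx, feats)
```

In the flood window the SYN ratio and the distinct-source-host ratio both reach 1.0 while the distinct-destination ratio collapses to 0.1, which is the kind of separation the decision rules at the service tree's branch nodes act on; the mixed window gives intermediate values for all nine features.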
4) Global resource monitoring module 4
The global resource monitoring module mainly provides a global view for the control and management layer: it obtains the network-wide topology from the topology discovery submodule 7, the available computing resources of the whole network from the infrastructure resource monitoring submodule 9, and the network-wide security situation from the VNF resource monitoring submodule 8.
The same or similar reference numerals correspond to the same or similar components.
The terms describing positional relationships in the drawings are for illustration only and should not be understood as limiting the patent.
Obviously, the above embodiments are merely examples given to illustrate the present invention clearly and are not a limitation of its embodiments. Those of ordinary skill in the art may make other variations or changes in different forms on the basis of the above description; it is neither necessary nor possible to exhaust all the embodiments here. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall be included within the scope of protection of the claims of the present invention.
Claims (9)
1. A cloud security service function tree network intrusion detection system, characterized in that it comprises a service tree topology orchestration module (1), a service tree topology mapping module (2), a flow feature database module (3) and a global resource monitoring module (4);
the flow feature database module (3) is used to store the network flow features of network attacks and, in combination with the cloud security situation, to select the corresponding network attack flow feature data sets and construct a corresponding training set;
the service tree topology orchestration module (1) is used to construct a decision tree classification model in combination with the cloud security situation, to train and prune the decision tree model using the training set built in the flow feature database module (3), and to pass the trained decision tree classification model to the service tree topology mapping module (2);
the service tree topology mapping module (2) is used to receive the decision tree classification model constructed by the service tree topology orchestration module (1), to map the decision rule matching nodes of the decision tree classification model onto the corresponding service function tree nodes, and to complete the matching and classification of network flows at the service function tree nodes;
the global resource monitoring module (4) is used to monitor and maintain the network-wide resources of the flow feature database module (3), the service tree topology orchestration module (1) and the service tree topology mapping module (2), and, during the mapping of the cloud security service function tree topology and the construction of the virtual logical network, to provide the actual bearing capacity information of the underlying infrastructure so as to optimize the mapping and deployment of VNF resources.
2. The cloud security service function tree network intrusion detection system according to claim 1, characterized in that the decision tree classification model stacks and multiplexes multiple service function chains so as to optimize security function orchestration and virtual resource deployment; the cloud security service function tree is deployed in the direction close to the network attack source, and suspicious network traffic is progressively subdivided until it is identified and handled at a fine-grained, specific level.
3. The cloud security service function tree network intrusion detection system according to claim 2, characterized in that the service tree topology mapping module (2) comprises a flow scheduling submodule (5) and a VNF resource scheduling submodule (6); the flow scheduling submodule (5) is used to classify and refine network data packets and complete forwarding strategy matching; the VNF resource scheduling submodule (6) is used to perform on-demand scheduling and classification according to the service function tree orchestration strategy.
4. The cloud security service function tree network intrusion detection system according to claim 3, characterized in that the flow scheduling submodule (5) uses OpenFlow multi-level flow tables to classify and refine network data packets according to their source direction.
5. The cloud security service function tree network intrusion detection system according to claim 3, characterized in that the VNF resource scheduling submodule (6) uses Docker containers as the carrier of the virtual network functions and performs on-demand scheduling according to the service function tree orchestration strategy.
6. The cloud security service function tree network intrusion detection system according to claim 3, characterized in that the global resource monitoring module (4) further comprises a topology discovery submodule (7), a VNF resource monitoring submodule (8) and an infrastructure resource monitoring submodule (9); the topology discovery submodule (7) is used to complete network-wide network topology discovery and virtual host discovery; the VNF resource monitoring submodule (8) is used to complete the state analysis and statistics of VNF resources across the whole network; the infrastructure resource monitoring submodule (9) is used to monitor the operating status of the physical equipment of the infrastructure layer; the topology discovery submodule (7), the VNF resource monitoring submodule (8) and the infrastructure resource monitoring submodule (9) work independently of each other, and the status information each of them monitors is uniformly summarized and submitted to the global resource monitoring module (4) for processing.
7. The cloud security service function tree network intrusion detection system according to claim 6, characterized in that the topology discovery submodule (7) is implemented by modular secondary development in the SDN controller; the module completes network-wide network topology discovery and virtual host discovery by encapsulating the LLDP link discovery protocol and the ARP protocol as probe messages.
8. The cloud security service function tree network intrusion detection system according to claim 6, characterized in that the VNF resource monitoring submodule (8) completes the state analysis and statistics of VNF resources across the whole network by deploying a network flow collection module at the VNF nodes and updating the network flow feature information to the VNF resource monitoring submodule in real time.
9. The cloud security service function tree network intrusion detection system according to claim 6, characterized in that the infrastructure resource monitoring submodule (9) monitors the operating status of the physical equipment of the infrastructure layer by obtaining in real time the usage of the computing, storage and network resources of the physical servers across the whole network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910441565.6A CN110298381B (en) | 2019-05-24 | 2019-05-24 | Cloud security service function tree network intrusion detection system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910441565.6A CN110298381B (en) | 2019-05-24 | 2019-05-24 | Cloud security service function tree network intrusion detection system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110298381A true CN110298381A (en) | 2019-10-01 |
CN110298381B CN110298381B (en) | 2022-09-20 |
Family
ID=68027162
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910441565.6A Active CN110298381B (en) | 2019-05-24 | 2019-05-24 | Cloud security service function tree network intrusion detection system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110298381B (en) |
- 2019-05-24 CN CN201910441565.6A patent/CN110298381B/en active
Patent Citations (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101119321A (en) * | 2007-09-29 | 2008-02-06 | 杭州华三通信技术有限公司 | Network flux classification processing method and apparatus |
CN101686239A (en) * | 2009-05-26 | 2010-03-31 | 中山大学 | Trojan discovery system |
US20150156122A1 (en) * | 2012-06-06 | 2015-06-04 | The Trustees Of Columbia University In The City Of New York | Unified networking system and device for heterogeneous mobile environments |
US8892766B1 (en) * | 2012-06-28 | 2014-11-18 | Trend Micro Incorporated | Application-based network traffic redirection for cloud security service |
CN104580120A (en) * | 2013-10-28 | 2015-04-29 | 北京启明星辰信息技术股份有限公司 | On-demand-service virtualization network intrusion detection method and device |
US20150172300A1 (en) * | 2013-12-17 | 2015-06-18 | Hoplite Industries, Inc. | Behavioral model based malware protection system and method |
US20150215172A1 (en) * | 2014-01-30 | 2015-07-30 | Cisco Technology, Inc. | Service-Function Chaining |
US20150358235A1 (en) * | 2014-06-05 | 2015-12-10 | Futurewei Technologies, Inc. | Service Chain Topology Map Construction |
CN104363159A (en) * | 2014-07-02 | 2015-02-18 | 北京邮电大学 | Virtual open network building system and method based on software definition network |
US10116514B1 (en) * | 2015-03-30 | 2018-10-30 | Amdocs Development Limited | System, method and computer program for deploying an orchestration layer for a network based on network function virtualization (NFV) |
CN105491013A (en) * | 2015-11-20 | 2016-04-13 | 电子科技大学 | Multi-domain network security situation perception model and method based on SDN |
CN105956661A (en) * | 2016-04-15 | 2016-09-21 | 中山大学 | System for realizing DANN online training on SDN network |
WO2018027226A1 (en) * | 2016-08-05 | 2018-02-08 | Fractal Industries, Inc. | Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform |
KR20180069657A (en) * | 2016-12-15 | 2018-06-25 | 경희대학교 산학협력단 | Method, apparatus and computer program for security investment considering characteristics of cloud service |
US20180287903A1 (en) * | 2017-03-29 | 2018-10-04 | Ca, Inc. | Adjusting monitoring based on inspection of network traffic |
US20180302343A1 (en) * | 2017-04-14 | 2018-10-18 | Argela Yazilim ve Bilisim Teknolojileri San. ve Tic. A.S. | System and method for convergence of software defined network (sdn) and network function virtualization (nfv) |
US20180359658A1 (en) * | 2017-06-09 | 2018-12-13 | At&T Intellectual Property I, L.P. | System And Method For Fine Grained Service Management Using SDN-NFV Networks |
CN107332913A (en) * | 2017-07-04 | 2017-11-07 | 电子科技大学 | A kind of Optimization deployment method of service function chain in 5G mobile networks |
US20190036968A1 (en) * | 2017-07-31 | 2019-01-31 | Amdocs Development Limited | System, method, and computer program providing security in network function virtualization (nfv) based communication networks and software defined networks (sdns) |
KR20190018947A (en) * | 2017-08-16 | 2019-02-26 | 삼성전자주식회사 | Apparatus and method for handling a network attack in a software defined network |
CN107819742A (en) * | 2017-10-19 | 2018-03-20 | 北京交通大学 | A kind of system architecture and its method of Dynamical Deployment Network Security Service |
CN107770174A (en) * | 2017-10-23 | 2018-03-06 | 上海微波技术研究所(中国电子科技集团公司第五十研究所) | A kind of intrusion prevention system and method towards SDN |
CN108173761A (en) * | 2017-12-22 | 2018-06-15 | 南京邮电大学 | A kind of method for optimizing resources of SDN and NFV fusions |
CN108881028A (en) * | 2018-06-06 | 2018-11-23 | 北京邮电大学 | The SDN network resource regulating method of application perception is realized based on deep learning |
CN108900541A (en) * | 2018-08-10 | 2018-11-27 | 哈尔滨工业大学(威海) | One kind being directed to cloud data center SDN Security Situation Awareness Systems and method |
CN109617873A (en) * | 2018-12-06 | 2019-04-12 | 中山大学 | A kind of flow attacking system of defense based on SDN cloud security function services tree-model |
Non-Patent Citations (3)
Title |
---|
GANSEN ZHAO ET AL.: "Constructing authentication web in cloud computing", 《SECURITY AND COMMUNICATION NETWORKS》 * |
YI XIE ET AL.: "A General Collaborative Framework for Modeling and Perceiving Distributed Network Behavior", 《IEEE-ACM TRANSACTIONS ON NETWORKING》 * |
Wang Yu et al.: "Decision tree classification of network traffic", 《小型微型计算机***》 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111698326A (en) * | 2020-06-12 | 2020-09-22 | 北京百度网讯科技有限公司 | Method and apparatus for determining cost attribution of cloud service resources |
CN112564967A (en) * | 2020-12-02 | 2021-03-26 | 杭州谐云科技有限公司 | Cloud service topology self-discovery method and system based on eBPF, electronic device and storage medium |
CN112564967B (en) * | 2020-12-02 | 2022-11-08 | 杭州谐云科技有限公司 | Cloud service topology self-discovery method and system based on eBPF, electronic device and storage medium |
CN114137861A (en) * | 2021-10-23 | 2022-03-04 | 西安电子科技大学 | Intention-driven cloud security service system and method |
CN114143160A (en) * | 2021-10-25 | 2022-03-04 | 北京银盾泰安网络科技有限公司 | Cloud platform automation operation and maintenance system |
CN114531287A (en) * | 2022-02-17 | 2022-05-24 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and medium for detecting virtual resource acquisition behavior |
CN114629685A (en) * | 2022-02-17 | 2022-06-14 | 华南理工大学 | Industrial private network hard slicing service function chain deployment method, device and medium |
CN114629685B (en) * | 2022-02-17 | 2022-12-16 | 华南理工大学 | Industrial private network hard slicing service function chain deployment method, device and medium |
CN114531287B (en) * | 2022-02-17 | 2024-06-11 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and medium for detecting virtual resource acquisition behavior |
CN115859277A (en) * | 2023-02-07 | 2023-03-28 | 四川大学 | Host intrusion detection method based on system call sequence |
CN115859277B (en) * | 2023-02-07 | 2023-05-02 | 四川大学 | Host intrusion detection method based on system call sequence |
Also Published As
Publication number | Publication date |
---|---|
CN110298381B (en) | 2022-09-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110298381A (en) | | A kind of cloud security service functional tree Network Intrusion Detection System |
Xiao et al. | | Deep-q: Traffic-driven qos inference using deep generative network |
US9876572B2 (en) | | Configuring a computer network to satisfy multicast dispersion and latency requirements using affinity and network topologies |
CN104348750B (en) | | The implementation method and device of QoS in OpenFlow network |
CN105519046B (en) | | Scalable and separate type network virtualization |
CN104253770B (en) | | Realize the method and apparatus of the distributed virtual switch system |
CN104170335B (en) | | Congestion control and resource allocation in separated system structure network |
US8797843B2 (en) | | High availability distributed fabric protocol (DFP) switching network architecture |
US11909653B2 (en) | | Self-learning packet flow monitoring in software-defined networking environments |
CN109845200A (en) | | It detects and prevents network loop |
CN105610710A (en) | | Methods and apparatus for standard protocol validation mechanisms deployed over switch fabric system |
CN107005439A (en) | | The passive performance measurement linked for online service |
Rastegarfar et al. | | TCP flow classification and bandwidth aggregation in optically interconnected data center networks |
CN110178342A (en) | | The scalable application level of SDN network monitors |
CN106031094A (en) | | Accurate measurement of distributed counters |
WO2013066603A1 (en) | | Affinity modeling in a data center network |
WO2020228398A1 (en) | | Message detection method, device and system |
CN105099916B (en) | | Open flows route exchange device and its processing method to data message |
CN110247798A (en) | | Specific transactions are transmitted along blocking links |
CN108337179A (en) | | Link flow control method and device |
CN110278139A (en) | | Method, the network equipment and the storage medium of grouping are forwarded in computer network |
CN112350948B (en) | | Distributed network tracing method of SDN-based distributed network tracing system |
CN110035006A (en) | | The individual networks equipment of Forwarding plane resetting |
CN111049747A (en) | | Intelligent virtual network path planning method for large-scale container cluster |
CN107317758A (en) | | A kind of fine granularity SDN traffic monitoring frameworks of high reliability |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |