CN110995742B - Network routing protocol protection method and system based on flow behavior - Google Patents


Info

Publication number
CN110995742B
Authority
CN
China
Prior art keywords
routing protocol
firewall
management platform
template
security management
Prior art date
Legal status
Active
Application number
CN201911298818.5A
Other languages
Chinese (zh)
Other versions
CN110995742A (en
Inventor
卢敏
胥斌
王彤
李亚峰
杜爱红
沈慧婷
Current Assignee
Beijing Wangtai Technology Development Co ltd
Original Assignee
Beijing Wangtai Technology Development Co ltd
Priority date
2019-12-17
Filing date
2019-12-17
Publication date
2020-04-10 (CN110995742A), 2022-03-29 (CN110995742B)

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 for detecting or protecting against malicious traffic
                • H04L63/1433 Vulnerability analysis
            • H04L63/02 for separating internal from external traffic, e.g. firewalls
                • H04L63/0227 Filtering policies
                    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                    • H04L63/0245 Filtering by information in the payload
        • H04L43/00 Arrangements for monitoring or testing data switching networks
            • H04L43/16 Threshold monitoring
        • H04L45/00 Routing or path finding of packets in data switching networks
            • H04L45/02 Topology update or discovery
                • H04L45/04 Interdomain routing, e.g. hierarchical routing

Abstract

An embodiment of the invention provides a network routing protocol protection method based on traffic behavior. The method comprises the following steps: the security management platform issues a rule template to the firewall; the firewall monitors the traffic data for threats according to the rule template and reports the threat traffic packets it detects to the security management platform; once the number of threat traffic packets received by the security management platform reaches a first threshold, the platform issues an instruction that makes the firewall count how many times the most frequently occurring threatening routing protocol field carries the same parameter value; and once that count reaches a second threshold, the security management platform generates a new configuration template. Compared with traditional routing protocol protection methods, the method improves the effectiveness of protection.

Description

Network routing protocol protection method and system based on flow behavior
Technical Field
The invention relates to the technical field of network security, in particular to a network routing protocol protection method and system based on traffic behavior.
Background
A network routing protocol belongs to the network layer of the seven-layer network model; the network layer defines end-to-end packet transmission. The traditional way to protect network routing protocols is to establish a security control point at the network boundary and to audit and control the services and access of the internal network by allowing, denying or redefining the data flows that pass through the firewall.
Such protection is implemented mainly by packet filtering, stateful inspection and proxy services. Its protection rules are fixed: they cannot change automatically in response to the specific behavior of the data flows, and there is no autonomous learning or intelligent updating of the protection rules.
Disclosure of Invention
In view of these problems in the prior art, embodiments of the invention provide a network routing protocol protection method and system based on traffic behavior.
In a first aspect, an embodiment of the present invention provides a method for protecting a network routing protocol based on traffic behavior, comprising the following steps:
the security management platform issues a rule template to the firewall;
the firewall monitors the traffic data for threats according to the rule template and reports the threat traffic packets it detects to the security management platform;
after the number of threat traffic packets received by the security management platform reaches a first threshold, the platform issues an instruction that makes the firewall count how many times the most frequently occurring threatening routing protocol field carries the same parameter value;
and after that count reaches a second threshold, the security management platform generates a new configuration template and sends it to the firewall.
Further, the method comprises the following steps:
protocol fields of the IS-IS, BGP and OSPF protocols are selected on the firewall service configuration page of the security management platform, and a custom single-rule or multi-rule JSON data template is generated from them.
Further, the method comprises the following steps:
the protocol fields may be selected by ticking a checkbox, clicking, or any other method that implements a selection.
Further, the method comprises the following steps:
the firewall parses and disassembles the captured threat traffic packets and removes the fields configured in the system template;
the firewall counts how many times the most frequently occurring threatening routing protocol field carries the same parameter value.
Further, the method comprises the following steps:
the security management platform intercepts the most frequently occurring threatening routing protocol field;
copies the firewall's original built-in template;
and replaces the protocol field of the original built-in template with that threatening routing protocol field to generate the new configuration template.
Further, the threatening routing protocol field is any routing protocol field other than the fields configured in the system template.
Further, such a field may be an unknown or non-standard protocol field.
Further, the security management platform manages one or more firewalls in a unified manner.
Further, the first threshold is 20 to 50 threat traffic packets within one minute.
Further, the second threshold is 100 occurrences of the same parameter value in the most frequently occurring threatening routing protocol field.
In a second aspect, an embodiment of the present invention provides a network routing protocol guard device, which includes a memory, a processor, and a computer program stored in the memory and running on the processor, where the processor executes the computer program to implement the steps of the method according to the first aspect.
In a third aspect, an embodiment of the present invention provides a network structure, including a router, a firewall, and a security management platform, which are connected by using a data link. The router, firewall, security management platform operate using the method as provided in the first aspect.
Embodiments of the invention provide a network routing protocol protection method and system based on traffic behavior that learn autonomously, update the protection rules automatically, repair vulnerabilities automatically, and can detect and remedy threats that have not yet been identified by human analysts. Compared with traditional routing protocol protection methods, the method improves the effectiveness of protection.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic overall flow chart of a network routing protocol protection method based on traffic behavior according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network routing protocol protection apparatus according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a network structure according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows a network routing protocol protection method based on traffic behavior according to an embodiment of the present invention. As shown in Fig. 1, the method includes:
step 101: the security management platform issues a rule template to the firewall;
step 102: the firewall monitors the traffic data for threats according to the rule template and reports the threat traffic packets it detects to the security management platform;
step 103: after the number of threat traffic packets received by the security management platform reaches a first threshold, the platform issues an instruction that makes the firewall count how many times the most frequently occurring threatening routing protocol field carries the same parameter value;
step 104: after that count reaches a second threshold, the security management platform generates a new configuration template and returns to step 101.
With this method the protection rules for the network routing protocol are updated automatically, vulnerabilities are repaired automatically, and threats that people cannot detect can be remedied; compared with traditional routing protocol protection methods, the effectiveness of network routing protocol protection is improved.
To illustrate the method more clearly, it is described with reference to the network structure shown in Fig. 3. An Autonomous System (AS) is a network under a single administrative authority with a unified routing policy; the global Internet is divided into many such autonomous domains. In the embodiments of the present invention, autonomous domains are connected to each other by routers, one or more backbone routers are deployed within an autonomous domain, and firewalls are placed between the routers of an autonomous domain and between the routers of its subordinate domains. Existing network routing protocol protection is implemented mainly by packet filtering, stateful inspection and proxy services; its protection rules are fixed and it has no autonomous learning or intelligent rule-updating capability.
To address this, the present embodiment further provides the following steps: on the firewall service configuration page of the security management platform, protocol fields of the IS-IS, BGP and OSPF protocols are selected (by ticking, clicking, or any other selection method), a custom single-rule or multi-rule JSON data template is generated from them, and the template is issued to the firewall, which then performs network routing protocol protection. BGP (Border Gateway Protocol) is used mainly for interconnecting Internet autonomous systems (ASes); its main functions are controlling route propagation and selecting the best route. IS-IS (Intermediate System to Intermediate System) is an interior gateway protocol, one of those commonly used by telecommunications operators. OSPF (Open Shortest Path First) is a link-state interior gateway protocol that decides routing within a single autonomous system.
Specifically, the firewall monitors the traffic data for threats according to the rule template issued by the security management platform and reports the threat traffic packets it detects to the platform. When the number of threat traffic packets received by the platform within one minute reaches the first threshold (preferably 20 to 50), the platform issues an instruction to the firewall; the firewall parses and disassembles the captured threat traffic packets, discards the fields configured in the system template, and counts, for the threatening routing protocol field that occurs most often, how many times it carries the same parameter value.
When that count reaches the second threshold (preferably 100), the security management platform intercepts the most frequently occurring threatening routing protocol field, copies the firewall's original built-in template, replaces the protocol field of the original built-in template with that threatening field, generates a new configuration template, issues it to the firewall, and protection restarts with the new template. A second threshold below 100 makes template replacement too frequent and risks treating normal traffic packets as threats; a second threshold above 100 delays template replacement so that protection is no longer timely.
Preferably, the threatening routing protocol field is any routing protocol field other than the fields configured in the system template; such a field may be an unknown or non-standard protocol field. The security management platform manages one or more firewalls in a unified manner.
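The following is an added example, written for this page and not code from the patent or its assignee, that models the two-threshold loop described in the first aspect and in the detailed description above (steps S1 to S4). The JSON template layout (a per-protocol list of known fields plus a "block" list), the parsed-packet layout, the class names and the constructed traffic are all assumptions made for the model; the patent only specifies that the template is JSON and that the thresholds are 20 to 50 packets per minute and 100 identical field parameters.

```python
# Added example, not the patent's own code: a minimal model of the
# two-threshold learning loop. Template and packet layouts are assumptions.
import copy
import json
from collections import Counter, deque

FIRST_THRESHOLD = 20    # threat packets per minute (description: 20 to 50)
SECOND_THRESHOLD = 100  # identical (field, parameter) occurrences
WINDOW_SECONDS = 60

# Assumed system template: fields ticked per protocol on the configuration
# page, plus a "block" list that learning fills in.
BUILTIN_TEMPLATE = {
    "known_fields": {
        "BGP": ["type", "as_path", "next_hop", "nlri"],
        "OSPF": ["type", "router_id", "area_id", "lsa"],
        "ISIS": ["pdu_type", "system_id", "tlvs"],
    },
    "block": [],
}


class Firewall:
    def __init__(self):
        self.template = None
        self.threat_packets = []  # packets already reported to the platform

    def load_template(self, template_json):
        """Step S1: accept a template from the platform; restart learning."""
        self.template = json.loads(template_json)
        self.threat_packets.clear()

    def inspect(self, packet):
        """Step S2: return 'block', 'report' or 'pass' for one parsed packet."""
        proto, fields = packet["protocol"], packet["fields"]
        for rule in self.template["block"]:
            if rule["protocol"] == proto and fields.get(rule["field"]) == rule["value"]:
                return "block"
        known = set(self.template["known_fields"].get(proto, []))
        if set(fields) - known:  # an unknown or non-standard field is present
            self.threat_packets.append(packet)
            return "report"
        return "pass"

    def tally_unknown_fields(self):
        """Step S3: drop template fields, count the remaining (field, value) pairs."""
        counts = Counter()
        for pkt in self.threat_packets:
            known = set(self.template["known_fields"].get(pkt["protocol"], []))
            for name, value in pkt["fields"].items():
                if name not in known:
                    counts[(pkt["protocol"], name, value)] += 1
        return counts


class SecurityManagementPlatform:
    def __init__(self, firewall):
        self.firewall = firewall
        self.report_times = deque()  # sliding one-minute window of reports
        self.generation = 0
        self.issue(BUILTIN_TEMPLATE)

    def issue(self, template):
        self.generation += 1
        self.report_times.clear()
        self.firewall.load_template(json.dumps(template))

    def on_report(self, packet):
        """Steps S3/S4: return the new template when one is generated, else None."""
        ts = packet["ts"]
        self.report_times.append(ts)
        while ts - self.report_times[0] > WINDOW_SECONDS:
            self.report_times.popleft()
        if len(self.report_times) < FIRST_THRESHOLD:
            return None
        (proto, name, value), n = self.firewall.tally_unknown_fields().most_common(1)[0]
        if n < SECOND_THRESHOLD:
            return None
        new_template = copy.deepcopy(BUILTIN_TEMPLATE)  # copy the built-in template...
        new_template["block"].append({"protocol": proto, "field": name, "value": value})
        self.issue(new_template)                          # ...and issue the new one
        return new_template


def run_simulation():
    """Constructed traffic: one benign OSPF hello and one BGP update carrying an
    undeclared field with a fixed value, per second, for 150 seconds."""
    fw = Firewall()
    smp = SecurityManagementPlatform(fw)
    verdicts, learned = Counter(), None
    for t in range(150):
        for pkt in (
            {"ts": t, "protocol": "OSPF", "fields": {"type": "HELLO", "router_id": "10.0.0.1"}},
            {"ts": t, "protocol": "BGP", "fields": {"type": "UPDATE", "vendor_tlv": "0xdead"}},
        ):
            verdict = fw.inspect(pkt)
            verdicts[verdict] += 1
            if verdict == "report":
                learned = smp.on_report(pkt) or learned
    return verdicts, learned, smp.generation
```

Calling run_simulation() returns the verdict counts, the learned template and the template generation number: the first 100 BGP packets are reported, the 20th report within a minute triggers tallying, the 100th identical (vendor_tlv, 0xdead) pair produces generation 2 of the template, and the remaining 50 BGP packets are blocked while the OSPF hellos pass throughout. Two properties of the described mechanism are visible in this model: the learned rule keys on one exact field and parameter value, so traffic whose parameter varies never reaches the second threshold, and a legitimate but undeclared field that recurs 100 times is blocked just the same, which is the false-positive trade-off the threshold discussion above is about.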
An embodiment of the present invention further provides a network routing protocol protection device, and as shown in fig. 2, the device may include: a processor (processor)201, a communication Interface (communication Interface)204, a memory (memory)202 and a communication bus 203, wherein the processor 201, the communication Interface 204 and the memory 202 complete communication with each other through the communication bus 203. The processor 201 may invoke a computer program stored on the memory 202 and executable on the processor 201 to perform the methods provided by the above embodiments, including, for example: the security management platform issues the rule template to the firewall; the firewall monitors threats in the flow data according to the rule template and reports threat flow data packets obtained through monitoring to the security management platform; after a threat flow data packet received by a safety management platform reaches a first threshold value, issuing an instruction to enable a firewall to count the times that most threatened routing protocol field parameters appear in the same manner; and after the counted times that the threatened routing protocol field parameters with the most occurrence number are the same reach a second threshold value, the safety management platform generates a new configuration template and sends the new configuration template to the firewall. By executing the method, the protection device can automatically update the protection rule of the network routing protocol, automatically perform vulnerability repair, and repair the artificially undetectable threat.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
As shown in fig. 3, the user group 303 is connected to the switch 302, the switch 302 is connected to the router 301, the router 301 is connected to the firewall 305, and a plurality of combination units formed by the user group 303, the switch 302 and the router 301 may be provided in a single autonomous domain 308, and the combination units are connected through the firewall 305. The autonomous domains 308 are also connected to each other via the router 301 and the firewall 305. All firewalls 305 within a single autonomous domain 308 are connected to a security management platform 307 through a management network router 306. The network structure performs the method provided by the above embodiments, for example, including: the security management platform issues the rule template to the firewall; the firewall monitors threats in the flow data according to the rule template and reports threat flow data packets obtained through monitoring to the security management platform; after a threat flow data packet received by a safety management platform reaches a first threshold value, issuing an instruction to enable a firewall to count the times that most threatened routing protocol field parameters appear in the same manner; and after the counted times that the threatened routing protocol field parameters with the most occurrence number are the same reach a second threshold value, the safety management platform generates a new configuration template and sends the new configuration template to the firewall. By executing the method, the network structure can automatically update the protection rule of the network routing protocol, automatically perform vulnerability repair, and repair the manually undetectable threat.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (6)

1. A network routing protocol protection method based on traffic behavior, characterized in that:
S1: the security management platform issues a rule template to the firewall;
S2: the firewall monitors the traffic data for threats according to the rule template and reports the threat traffic packets it detects to the security management platform;
S3: after the number of threat traffic packets received by the security management platform reaches a first threshold, the platform issues an instruction; the firewall parses and disassembles the captured threat traffic packets, removes the fields configured in the system template, and counts how many times the most frequently occurring threatening routing protocol field carries the same parameter value;
S4: after that count reaches a second threshold, the security management platform intercepts the most frequently occurring threatening routing protocol field, copies the firewall's original built-in template, replaces the protocol field of the original built-in template with that threatening routing protocol field, generates a new configuration template, and returns to step S1;
wherein the threatening routing protocol field is any routing protocol field other than the fields configured in the system template;
wherein the other routing protocol fields include unknown and non-standard protocol fields.
2. The network routing protocol protection method based on traffic behavior according to claim 1, characterized in that in step S1 the rule template is generated as follows:
protocol fields of the IS-IS, BGP and OSPF protocols are selected on the firewall service configuration page of the security management platform, and a custom single-rule or multi-rule JSON data template is generated from them.
3. The network routing protocol protection method based on traffic behavior according to claim 2, characterized in that the protocol fields are selected by ticking and clicking.
4. The network routing protocol protection method based on traffic behavior according to claim 1, characterized in that the security management platform manages one or more firewalls in a unified manner.
5. A network routing protocol protection device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 4.
6. A network system comprising a router, a firewall and a security management platform connected by a data link, wherein the router, the firewall and the security management platform operate according to the method of any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911298818.5A 2019-12-17 2019-12-17 Network routing protocol protection method and system based on flow behavior

Publications (2)

Publication Number Publication Date
CN110995742A (en) 2020-04-10
CN110995742B (en) 2022-03-29

Family

ID=70094425

Country Status (1)

Country Link
CN (1) CN110995742B (en)
Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022343A (en) * 2007-03-19 2007-08-22 杭州华为三康技术有限公司 Network invading detecting/resisting system and method
CN102045363A (en) * 2010-12-31 2011-05-04 成都市华为赛门铁克科技有限公司 Establishment, identification control method and device for network flow characteristic identification rule
CN105262722A (en) * 2015-09-07 2016-01-20 深信服网络科技(深圳)有限公司 Terminal malicious traffic rule updating method, cloud server and security gateway
US10021429B1 (en) * 2017-07-18 2018-07-10 Wowza Media Systems, LLC Selection of a content source based on performance data
CN109495467A (en) * 2018-11-07 2019-03-19 深圳前海微众银行股份有限公司 Intercept update method, equipment and the computer readable storage medium of rule
CN110061960A (en) * 2019-03-01 2019-07-26 西安交大捷普网络科技有限公司 WAF rule self-study system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7835348B2 (en) * 2006-12-30 2010-11-16 Extreme Networks, Inc. Method and apparatus for dynamic anomaly-based updates to traffic selection policies in a switch

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant