CN112929200B - SDN multi-controller oriented anomaly detection method - Google Patents

Info

Publication number
CN112929200B
CN112929200B (application CN202110020074.1A)
Authority
CN
China
Prior art keywords
packet
controller
message
switch
information
Prior art date
Legal status
Active
Application number
CN202110020074.1A
Other languages
Chinese (zh)
Other versions
CN112929200A (en)
Inventor
马巧巧
索同鹏
董黎刚
蒋献
Current Assignee
Zhejiang Gongshang University
Original Assignee
Zhejiang Gongshang University
Priority date
Filing date
Publication date
Application filed by Zhejiang Gongshang University
Priority to CN202110020074.1A
Publication of CN112929200A
Application granted
Publication of CN112929200B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0695 Management of faults, events, alarms or notifications, the faulty arrangement being the maintenance, administration or management system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an anomaly detection method for SDN multi-controller deployments. It comprises the following steps: 1-1) selecting a 'master controller' in an SDN controller set by means of the Raft consensus algorithm, the remaining controllers being 'slave controllers'; 1-2) establishing a connection between the master controller and an SDN switch, sending Features Request parameter information to the switch, and the switch replying with a Features Reply message to the master controller; 1-3) the switch encapsulating a received data packet into a Packet In message and reporting it to the master controller; 1-4) the master controller broadcasting the Packet In message by means of a BFT mechanism, and each controller reporting the Packet In message it has verified to the Proxy; 1-5) the Proxy placing the collected information into the same tuple for classification, comparing it with previously collected information, determining the data transmission path, identifying the abnormal controllers and switches, determining the reliable Packet In message and encapsulating it into a Packet Out message sent to the switch. The invention addresses the current problem in network security of detecting abnormal SDN controllers and switch devices.

Description

SDN multi-controller oriented anomaly detection method
Technical Field
The invention relates to the technical field of network security, in particular to an SDN multi-controller oriented anomaly detection method.
Background
The complexity and closed nature of conventional network architectures make it difficult for network administrators to manage and operate them in the face of network dynamics and diverse application requirements. To address these problems, Software-Defined Networking (SDN) was proposed. A typical SDN architecture consists of three layers: an application layer made up of network applications, a centralized SDN controller that acts as the brain of the network, and a data plane layer made up of forwarding devices such as switches. SDN separates the network control plane from the forwarding plane and thereby improves the flexibility of the network. An SDN network offers scalability, flexibility, reliability, security and programmability, and has higher performance and usability than a traditional network.
In SDN, switches and routers rely on a centralized SDN controller to provide the configuration needed for path finding and resource allocation. When a large-scale SDN network is deployed, a single controller suffers from problems such as single-point failure and capacity bottlenecks. Because of vulnerabilities in the SDN controller, the switches and the controller applications, SDN devices are easy targets for an attacker: the attacker can maliciously hijack the controller, delete all flow table entries on the switches under that controller, monitor and tamper with switch data, and steal network resources of the controller that originally belonged to legitimate users. It is therefore very important to detect abnormal SDN devices in a timely manner.
Currently, some studies on SDN security have emerged to reduce the risk of an SDN device being hijacked: (1) the commonly used open-source SDN controller Ryu (Ryu SDN Framework Community, 2014) mainly targets the single-controller scenario and is not optimized for distributed controllers; (2) the FortNOX architecture is a software extension of the NOX OpenFlow controller that provides identity authentication and a security constraint mechanism; it lets the controller check for conflicts among flow table entries in real time and discover malicious applications promptly. However, FortNOX can only detect the abnormality of a single controller and cannot detect abnormalities of other SDN devices.
Disclosure of Invention
The invention aims to solve the problem of detecting abnormal SDN devices in current network security, and provides an SDN multi-controller oriented anomaly detection method that can avoid the network damage caused by abnormal SDN devices, errors or attacks.
An SDN multi-controller-oriented anomaly detection method comprises the following steps:
1-1) selecting a 'master controller' in the SDN controller set by means of the Raft consensus algorithm, the remaining controllers being 'slave controllers'; the controller set is responsible for the specific processing of Packet In messages, and a Proxy is configured that is responsible for the logical judgment of the controller set's verification results;
1-2) the master controller establishes a connection with the SDN switch and sends a Features Request for its detailed parameter information; the switch replies to the master controller with a Features Reply message containing the Datapath Id, ports and similar information;
1-3) the switch encapsulates a received data packet into a Packet In message carrying Cookie information and reports it to the master controller;
1-4) the master controller broadcasts the Packet In message by means of a BFT mechanism, and each controller reports the Packet In message it has verified to the Proxy;
1-5) the Proxy places the collected Datapath Id and Cookie information into the same tuple for classification, compares this tuple with the previously collected information, determines the transmission path of the data, identifies the abnormal controllers and switches, determines the reliable Packet In message and encapsulates it into a Packet Out message sent to the switch.
In step 1-2): the master controller sends a Features Request to the switch asking for its detailed parameters, such as the switch ID, number of buffers, ports and port attributes. The switch replies to the master controller with messages such as Features Reply and Port; the Features Reply message contains the 64-bit Datapath Id, port and other information, and the Datapath Id serves as the data-channel identifier that represents the unique identity of the switch.
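The Features Reply handshake of step 1-2, as an added Python example (not code from the patent or from OpenDaylight): a strict decoder for an OpenFlow 1.3 OFPT_FEATURES_REPLY that extracts the 64-bit Datapath Id, plus a small registry that refuses to let a second connection claim a Datapath Id already in use, since the method relies on the Datapath Id as the switch's unique identity. The wire layout and capability bits follow the OpenFlow 1.3 specification (the version used by the switches in the embodiment); note that in 1.3 port descriptions arrive in a separate multipart reply rather than in the Features Reply itself. The sample message, the registry and the connection identifiers are constructed here for illustration.

```python
import struct

OFP_VERSION_13 = 0x04          # OpenFlow 1.3, as used by the switches in the embodiment
OFPT_FEATURES_REPLY = 6
OFP_HEADER = struct.Struct("!BBHI")        # version, type, length, xid
OFP_FEATURES = struct.Struct("!QIBBxxII")  # datapath_id, n_buffers, n_tables, auxiliary_id, pad[2], capabilities, reserved

# ofp_capabilities bits from the OpenFlow 1.3 specification
CAPABILITY_BITS = {
    1 << 0: "FLOW_STATS", 1 << 1: "TABLE_STATS", 1 << 2: "PORT_STATS",
    1 << 3: "GROUP_STATS", 1 << 5: "IP_REASM", 1 << 6: "QUEUE_STATS",
    1 << 8: "PORT_BLOCKED",
}


def parse_features_reply(msg: bytes) -> dict:
    """Decode an OFPT_FEATURES_REPLY, rejecting anything that is not a well-formed 1.3 reply."""
    if len(msg) < OFP_HEADER.size + OFP_FEATURES.size:
        raise ValueError("message too short for a Features Reply")
    version, msg_type, length, xid = OFP_HEADER.unpack_from(msg, 0)
    if version != OFP_VERSION_13:
        raise ValueError(f"unsupported OpenFlow version 0x{version:02x}")
    if msg_type != OFPT_FEATURES_REPLY:
        raise ValueError(f"expected OFPT_FEATURES_REPLY, got type {msg_type}")
    if length != len(msg):
        raise ValueError("header length does not match the bytes received")
    dpid, n_buffers, n_tables, aux_id, capabilities, _reserved = OFP_FEATURES.unpack_from(
        msg, OFP_HEADER.size)
    return {
        "xid": xid,
        "datapath_id": f"{dpid:016x}",   # 16 hex digits, the Datapath Id format used on this page
        "n_buffers": n_buffers,
        "n_tables": n_tables,
        "auxiliary_id": aux_id,
        "capabilities": sorted(name for bit, name in CAPABILITY_BITS.items() if capabilities & bit),
    }


def build_features_reply(dpid: int, n_buffers=256, n_tables=254, aux_id=0,
                         capabilities=0x4F, xid=1) -> bytes:
    """Construct a sample reply (a test fixture, not a capture from a real switch)."""
    body = OFP_FEATURES.pack(dpid, n_buffers, n_tables, aux_id, capabilities, 0)
    header = OFP_HEADER.pack(OFP_VERSION_13, OFPT_FEATURES_REPLY, OFP_HEADER.size + len(body), xid)
    return header + body


def register_switch(registry: dict, conn_id: str, reply: bytes) -> str:
    """Record the Datapath Id learned on a connection (hypothetical master-controller bookkeeping).

    A Datapath Id already registered on a different connection is refused, so two
    switches cannot present the same identity to the controller set.
    """
    dpid = parse_features_reply(reply)["datapath_id"]
    owner = registry.get(dpid)
    if owner is not None and owner != conn_id:
        raise ValueError(f"Datapath Id {dpid} already registered on connection {owner}")
    registry[dpid] = conn_id
    return dpid


# Constructed sample: the reply of switch s1 with Datapath Id 0000000000000001
SAMPLE_REPLY = build_features_reply(0x0000000000000001)

if __name__ == "__main__":
    print(parse_features_reply(SAMPLE_REPLY))
```

The length check against the actual byte count matters in practice: a controller that trusts the header's length field over the bytes it received can be made to read past the message.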
In step 1-3): a host sends a data packet to the switch, and the switch looks up matching entries in its flow table according to the routing-related information in the packet (such as the source and destination IP addresses, the destination physical address, and the source and destination ports). If the action recorded in the matching flow entry is 'send to OpenFlow controller', the switch encapsulates the packet into a Packet In message as defined by OpenFlow and reports it to the master controller; the Packet In message carries Cookie information, from which the data packet associated with the matching Datapath Id can be deduced.
In step 1-4), the master controller broadcasts the Packet In message by means of a BFT mechanism (f denoting the number of faulty controllers the mechanism tolerates):
4-1) the master controller applies the BFT mechanism to broadcast the Packet In message to the other (slave) controllers;
4-2) after a slave controller has received 2f Packet In messages matching its own, it broadcasts the Packet In message to the other controllers;
4-3) each controller verifies the 2f+1 Packet In messages received from the other controllers;
4-4) the controller set sends the Packet Out messages processed according to the BFT mechanism to the Proxy.
The invention has the beneficial effects that:
Aiming at the problem of detecting abnormal SDN devices in current network security, the SDN multi-controller oriented anomaly detection method detects abnormal SDN devices with a multi-controller scheme built on a BFT fault-tolerance mechanism, so that abnormal SDN devices can be detected, damage to the network from errors or attacks can be avoided, correct flow table commands can be issued, and the security of the SDN network is effectively improved.
Drawings
Fig. 1 is a structural diagram of an abnormality detection method for SDN multi-controller.
Detailed Description
The invention will be further elucidated and explained with reference to the drawings and examples. The technical features of the embodiments of the present invention can be combined correspondingly without mutual conflict.
An SDN multi-controller oriented anomaly detection method comprises the following steps:
1-1) selecting a 'master controller' in the SDN controller set by means of the Raft consensus algorithm, the remaining controllers being 'slave controllers'; the controller set is responsible for the specific processing of Packet In messages, and a Proxy is configured that is responsible for the logical judgment of the controller set's verification results;
1-2) the master controller establishes a connection with the SDN switch and sends a Features Request for its detailed parameter information; the switch replies to the master controller with a Features Reply message containing the Datapath Id, ports and similar information;
1-3) the switch encapsulates a received data packet into a Packet In message carrying Cookie information and reports it to the master controller;
1-4) the master controller broadcasts the Packet In message by means of a BFT mechanism, and each controller reports the Packet In message it has verified to the Proxy;
1-5) the Proxy places the collected Datapath Id and Cookie information into the same tuple for classification, compares this tuple with the previously collected information, determines the transmission path of the data, identifies the abnormal controllers and switches, determines the reliable Packet In message and encapsulates it into a Packet Out message sent to the switch.
In step 1-2): the master controller sends a Features Request to the switch asking for its detailed parameters, such as the switch ID, number of buffers, ports and port attributes. The switch replies to the master controller with messages such as Features Reply and Port; the Features Reply message contains the 64-bit Datapath Id, port and other information, and the Datapath Id serves as the data-channel identifier that represents the unique identity of the switch.
In step 1-3): a host sends a data packet to the switch, and the switch looks up matching entries in its flow table according to the routing-related information in the packet (such as the source and destination IP addresses, the destination physical address, and the source and destination ports). If the action recorded in the matching flow entry is 'send to OpenFlow controller', the switch encapsulates the packet into a Packet In message as defined by OpenFlow and reports it to the master controller; the Packet In message carries Cookie information, from which the data packet associated with the matching Datapath Id can be deduced.
In step 1-4), the master controller broadcasts the Packet In message by means of a BFT mechanism:
4-1) the master controller applies the BFT mechanism to broadcast the Packet In message to the other (slave) controllers;
4-2) after a slave controller has received 2f Packet In messages matching its own, it broadcasts the Packet In message to the other controllers;
4-3) each controller verifies the 2f+1 Packet In messages received from the other controllers;
4-4) the controller set sends the Packet Out messages processed according to the BFT mechanism to the Proxy.
Examples
To help those of ordinary skill in the art understand and practice the invention, a specific embodiment of the method is now described. The core idea of the SDN multi-controller oriented anomaly detection method is as follows: a multi-controller scheme with a BFT fault-tolerance mechanism is used to detect abnormal SDN devices, so that the network is protected from damage by abnormal behaviour or attacks.
The present embodiment is described below by one case.
A network consisting of OpenFlow 1.3 switches s1, s2 and s3 and hosts h1 and h2 is generated with Mininet, and 4 controllers are deployed with OpenDaylight; the Raft consensus algorithm selects c0 as the 'master controller' and the remaining c1, c2 and c3 as 'slave controllers'. The controllers are responsible for the specific processing of Packet In messages, and a Proxy is configured that is responsible for the logical judgment of the controller set's verification results. As shown in the block diagram of Fig. 1, all hosts and switches are labelled with the corresponding numbers.
c0 establishes a connection with s1 and sends a Features Request to s1 for its detailed parameters, including the switch ID, number of buffers, ports and port attributes; s1 replies to c0 with a Features Reply message that includes the 64-bit Datapath ID, actions, ports and other information. The Features Reply message is shown in Table 1.
[Table 1: Features Reply message (image not available)]
h1 sends a data packet Data to s1; the data format is shown in Table 2, where title indicates the type of configuration action and add_flows indicates adding a flow table entry. The content is as follows: Datapath Id = 0000000000000002, action = "a new flow entry by port1", src is the user address 52 00.
[Table 2: format of the data packet Data (image not available)]
The action described in the flow entry matched in the s1 flow table is "send to OpenFlow controller", i.e. OFPR_ACTION, so s1 reports the packet to c0 through a Packet In event; the Packet In message is shown in Table 3.
[Table 3: Packet In message (image not available)]
c0 broadcasts the Packet In message to the other slave controllers by means of the BFT mechanism. To simulate an attacker, the output port in the Packet In message held by c1 is tampered to 2:
from execute1 s1 type Add_flows message
data:dl_src=52:54:00:64:bd:54,dl_dst=52:54:00:26:ea:85 actions=output:2
The other controllers report the Packet In messages they have each verified to the Proxy.
The Proxy matches the collected verification data stored in the database to determine the reliable Packet In message; the judgment result is:
result Add_flows message data to 0000000000000001:
data: dl_src=52:54:00:64:bd:54,dl_dst=52:54:00:26:ea:85 actions=output:1
The Proxy encapsulates this into a Packet Out message and sends it to s1. Table 4 shows part of the verification data extracted from the database, and Table 5 shows the output format of the Packet Out message.
[Table 4: verification data extracted from the database (image not available)]
[Table 5: output format of the Packet Out message (image not available)]
s1 executes the Packet Out message. At this point the dump-flows command is used to view the flow table of s2, as shown in Table 6: although the output action in c1's flow table message was tampered, the Proxy still obtains the correct decision, s1 issues the correct flow table entry command, and the flow table tampering attack by a controller is successfully defended against.
[Table 6: flow table of s2 as shown by dump-flows (image not available)]
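The quorum logic of steps 4-1 to 4-4 and the Proxy's decision for the tampering case above, as an added Python simulation (not code from the patent or from OpenDaylight): four controllers with f = 1, where c1 rewrites the output port to 2, the honest controllers relay the message unchanged, and the Proxy accepts only a message backed by at least 2f+1 controllers. The controller behaviour functions, the rule that a controller counts its own copy towards the quorum (as in the prepare phase of PBFT), and the way a Byzantine controller reports its own view to the Proxy are modelling assumptions; the addresses, ports and Datapath Id are taken from the case, and the Cookie value is constructed.

```python
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PacketIn:
    """Fields of a Packet In message that the Proxy compares across controllers."""
    datapath_id: str   # 64-bit Datapath Id of the reporting switch, as 16 hex digits
    cookie: int        # Cookie carried by the Packet In message (constructed value below)
    dl_src: str
    dl_dst: str
    actions: str       # e.g. "output:1"


# Constructed sample, using the addresses and ports from the case above.
SAMPLE_PACKET_IN = PacketIn("0000000000000001", 0x1, "52:54:00:64:bd:54",
                            "52:54:00:26:ea:85", "output:1")


def honest(msg):
    """An honest controller relays and reports messages unchanged."""
    return msg


def tampers_output(port):
    """A Byzantine controller that rewrites the output port (c1 in the case above)."""
    return lambda msg: replace(msg, actions=f"output:{port}")


def bft_round(master, controllers, packet_in, f):
    """Steps 4-1 to 4-4: return what each controller reports to the Proxy.

    controllers maps a controller id to the behaviour applied to every message it
    relays or reports. Needs at least 3f+1 controllers; a controller treats the
    message as verified once 2f+1 copies it holds agree (its own copy included).
    """
    if len(controllers) < 3 * f + 1:
        raise ValueError("need at least 3f+1 controllers to tolerate f faults")
    quorum = 2 * f + 1
    slaves = [cid for cid in controllers if cid != master]
    # 4-1: the master broadcasts the Packet In to every slave
    from_master = {cid: controllers[master](packet_in) for cid in slaves}
    # 4-2: each slave relays its own view to all controllers
    relayed = {cid: controllers[cid](from_master[cid]) for cid in slaves}
    reports = {}
    for cid in controllers:
        # 4-3: each controller counts its own copy plus every relayed copy
        own = packet_in if cid == master else from_master[cid]
        value, votes = Counter([own] + list(relayed.values())).most_common(1)[0]
        verified = value if votes >= quorum else None
        # 4-4: report to the Proxy; a Byzantine controller reports its own tampered view
        reports[cid] = None if verified is None else controllers[cid](verified)
    return reports


def proxy_decide(reports, f):
    """Step 1-5 for this case: accept the message backed by at least 2f+1 controllers
    and flag every controller whose report deviates from it."""
    quorum = 2 * f + 1
    counts = Counter(m for m in reports.values() if m is not None)
    if not counts:
        return None, set(reports)
    value, votes = counts.most_common(1)[0]
    if votes < quorum:
        return None, set(reports)   # no reliable Packet In: nothing is sent to the switch
    abnormal = {cid for cid, m in reports.items() if m != value}
    return value, abnormal


def packet_out_for(decision):
    """Render the decided message in the result format shown above."""
    return (f"result Add_flows message data to {decision.datapath_id}:\n"
            f"data: dl_src={decision.dl_src},dl_dst={decision.dl_dst} actions={decision.actions}")


CONTROLLERS = {"c0": honest, "c1": tampers_output(2), "c2": honest, "c3": honest}

if __name__ == "__main__":
    reports = bft_round("c0", CONTROLLERS, SAMPLE_PACKET_IN, f=1)
    decision, abnormal = proxy_decide(reports, f=1)
    print(packet_out_for(decision))
    print("abnormal controllers:", sorted(abnormal))
```

With two tampering controllers the quorum of three is never reached and the Proxy returns no decision; that is the safe outcome, since n = 4 only tolerates f = 1.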
Next, a malicious host is simulated that tampers the action of s1 to output port 2, so that the data transmission path becomes s1-s3-s2; the Datapath Id of s3 is 0000000000000003. The Proxy judges according to the stored Cookie and Datapath Id information:
Verification results: s1 error
not_switch : 0000000000000003
This indicates that the s1-s2 transmission path should not contain the switch 0000000000000003, i.e. the data should not pass through s3 but did, so s1 is judged to have been illegally attacked.
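The path judgment above, as an added Python example (not the patent's code): the Proxy groups the collected (Datapath Id, Cookie) tuples by Cookie, orders the switches by arrival, and compares the result with the expected s1-s2 path recorded earlier. It also handles the mirror case of a switch that is expected but missing. The arrival-order assumption, the choice of the switch just before the divergence as the suspect, the Cookie value and the sample reports are constructed for illustration; the Datapath Ids are the ones used in the case.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PathReport:
    """One (Datapath Id, Cookie) tuple collected by the Proxy, with its arrival order."""
    seq: int
    datapath_id: str
    cookie: int


def observed_paths(reports):
    """Group reports by Cookie and list the switches each packet passed, in arrival order."""
    paths = defaultdict(list)
    for r in sorted(reports, key=lambda r: r.seq):
        hops = paths[r.cookie]
        if not hops or hops[-1] != r.datapath_id:   # collapse repeated reports from one switch
            hops.append(r.datapath_id)
    return dict(paths)


def verify_path(expected, observed):
    """Compare the observed switch sequence with the expected one.

    Returns {"status": "ok"} on a match; otherwise the suspect switch (the last one that
    forwarded as expected before the paths diverge), the switches that should not appear
    (not_switch) and the expected switches that never reported (missing_switch).
    """
    if observed == expected:
        return {"status": "ok"}
    diverge = next((i for i, (e, o) in enumerate(zip(expected, observed)) if e != o),
                   min(len(expected), len(observed)))
    if not observed:
        suspect = None
    else:
        suspect = observed[diverge - 1] if diverge > 0 else observed[0]
    return {
        "status": "error",
        "suspect": suspect,
        "not_switch": [d for d in observed if d not in expected],
        "missing_switch": [d for d in expected if d not in observed],
    }


def check_all(expected_by_cookie, reports):
    """Run the comparison for every Cookie the Proxy has collected reports for."""
    observed = observed_paths(reports)
    return {cookie: verify_path(expected_by_cookie.get(cookie, []), hops)
            for cookie, hops in observed.items()}


S1, S2, S3 = "0000000000000001", "0000000000000002", "0000000000000003"
NAMES = {S1: "s1", S2: "s2", S3: "s3"}

# Constructed sample: the expected s1-s2 path stored earlier, and reports showing s1-s3-s2.
EXPECTED = {0x1: [S1, S2]}
SAMPLE_REPORTS = [PathReport(1, S1, 0x1), PathReport(2, S3, 0x1), PathReport(3, S2, 0x1)]


def format_verdict(result, names=NAMES):
    """Render a result in the verification-output format shown above."""
    if result["status"] == "ok":
        return "Verification results: ok"
    lines = [f"Verification results: {names.get(result['suspect'], result['suspect'])} error"]
    lines += [f"not_switch : {d}" for d in result["not_switch"]]
    lines += [f"missing_switch : {d}" for d in result["missing_switch"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for cookie, result in check_all(EXPECTED, SAMPLE_REPORTS).items():
        print(f"cookie {cookie:#x}")
        print(format_verdict(result))
```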
Finally, it should be noted that: the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person of ordinary skill in the art can make modifications or equivalents to the specific embodiments of the present invention with reference to the above embodiments, and such modifications or equivalents without departing from the spirit and scope of the present invention are within the scope of the claims of the present invention as set forth in the claims.

Claims (1)

1. An SDN multi-controller-oriented anomaly detection method is characterized by comprising the following steps:
1-1) selecting a master controller in an SDN controller set by means of the Raft consensus algorithm, the remaining controllers being slave controllers, wherein the controller set is responsible for the specific processing of Packet In messages, is configured with a Proxy, and the Proxy is responsible for the logical judgment of the controller set's verification results;
1-2) the main controller establishes connection with the SDN switch, sends Features Request detailed parameter information to the switch, and the switch replies Features Reply information to the main controller; the Features Reply message comprises a Datapath Id and Port information;
1-3) the switch encapsulates the received Data Packet into a Packet In message carrying Cookie information and reports the Packet In message to the main controller;
1-4) the main controller broadcasts a Packet In message by using a BFT mechanism, and each controller reports the verified Packet In message to a Proxy;
1-5) the Proxy puts the collected Datapath Id and Cookie information into the same tuple for classification, compares the same tuple with the previously collected information, judges the transmission path of Data, judges an abnormal controller and an abnormal switch, judges a reliable Packet In message and encapsulates the reliable Packet In message into a Packet Out message to be sent to the switch;
in step 1-2): the main controller sends a Features Request to the switch for its detailed parameter information, which comprises the switch ID, number of buffers, ports and port attributes; the switch replies with a Features Reply message comprising the 64-bit Datapath Id and Port information, and the Datapath Id is used as the data-channel identifier representing the unique identity of the switch;
in step 1-3): the host sends a data packet to the switch, and the switch searches the flow table for matching entries according to the routing-related information in the data packet, including the source and destination IP addresses, the destination physical address and the source and destination ports; if the action recorded in the matching flow entry is 'send to an OpenFlow controller', the switch encapsulates the data packet into a Packet In message defined by OpenFlow and reports it to the main controller, the Packet In message carries Cookie information, and the data packet matched with the Datapath Id can be deduced through the Cookie;
in step 1-4), the main controller broadcasts the Packet In message by using a BFT mechanism:
4-1) the master controller applies the BFT mechanism to broadcast the Packet In message to the other slave controllers;
4-2) after a slave controller has received 2f Packet In messages matching its own, it broadcasts the Packet In message to the other controllers;
4-3) each controller verifies the 2f+1 Packet In messages received from the other controllers;
4-4) the controller set sends the Packet Out messages processed according to the BFT mechanism to the Proxy.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110020074.1A CN112929200B (en) 2021-01-07 2021-01-07 SDN multi-controller oriented anomaly detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110020074.1A CN112929200B (en) 2021-01-07 2021-01-07 SDN multi-controller oriented anomaly detection method

Publications (2)

Publication Number Publication Date
CN112929200A CN112929200A (en) 2021-06-08
CN112929200B true CN112929200B (en) 2022-11-25

Family

ID=76163168

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110020074.1A Active CN112929200B (en) 2021-01-07 2021-01-07 SDN multi-controller oriented anomaly detection method

Country Status (1)

Country Link
CN (1) CN112929200B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448900B (en) * 2022-04-02 2022-08-02 南京邮电大学 SDN controller interaction method and system based on extended raft algorithm
CN114978580B (en) * 2022-04-08 2023-09-29 中国电信股份有限公司 Network detection method and device, storage medium and electronic equipment
CN117134998B (en) * 2023-10-26 2024-03-19 国网冀北电力有限公司 SDN-based power information authentication method of Gossip blockchain

Citations (2)

Publication number Priority date Publication date Assignee Title
CN107222478A (en) * 2017-05-27 2017-09-29 暨南大学 Software defined network key-course security mechanism construction method based on block chain
CN110225033A (en) * 2019-06-11 2019-09-10 西安电子科技大学 Isomery controller collection group business based on abnormality sensing actively changes system and method

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
WO2020221416A1 (en) * 2019-04-29 2020-11-05 Siemens Aktiengesellschaft Method and apparatus for selecting a communication device of a plurality of communication devices for communication packet processing

Non-Patent Citations (1)

Title
Byzantine Fault Tolerant Software-Defined Networking (SDN) Controllers; Karim ElDefrawy; IEEE; 2016-08-25; sections 2-3 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant