CN113709160B - Software defined network topology defense method based on forwarding route integrity verification

Info

Publication number
CN113709160B
Authority
CN
China
Legal status
Active
Application number
CN202111004361.XA
Other languages
Chinese (zh)
Other versions
CN113709160A (en)
Inventor
吴春明
孔德章
吴坚平
沈毅
程秋美
Current Assignee
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/12 Applying verification of the received information > H04L63/123 Applying verification of the received data contents, e.g. message integrity
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Authentication of entities > H04L63/0823 Authentication of entities using certificates
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D30/00 Reducing energy consumption in communication networks

Abstract

The invention discloses a software defined network topology defense method based on forwarding route integrity verification. The invention first models the detection of topology attacks as the problem of verifying the integrity of the routing path of each flow. The method traces the source of each new flow and compares whether the characteristics of the flow have been tampered with on each forwarding device of the forwarding path, in order to judge whether a topology attack has occurred. The verification of the whole path takes the certificate authentication of the source host as the starting point and the basis of the whole authentication chain, and achieves an excellent defense effect. Furthermore, the present invention can incrementally verify each node on the routing path, achieving O(1) time complexity. Compared with existing topology defense methods, the invention achieves a better defense effect.

Description

Software defined network topology defense method based on forwarding route integrity verification
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a software defined network topology defense method based on forwarding route integrity verification.
Background
Software-Defined Networking (SDN), as a novel network architecture, plays an increasingly important role in many application scenarios, such as cloud environments, large data centers, and the like. The topology discovery function is the basis of the SDN's global control capability. Using the topology discovery function, the control plane of the SDN establishes a global view of the entire network topology in real time and stores key attributes of the network, such as network devices, link traffic, the address of each device, migration conditions, and the like, so as to master the key information of the entire network. Many SDN applications rely on the SDN controller's knowledge of the global network structure, such as traffic scheduling, traffic monitoring, and diagnosis of abnormal network behavior based on the global network condition. The importance of the topology discovery function therefore makes it one of the main targets of attackers, and errors in the topology discovery function not only affect the control plane but also have an immeasurable effect on the many applications of the application plane that depend on the network topology.
Existing topology defense mechanisms mainly depend on extracting specific attack characteristics or on authenticating LLDP messages and the like, for example by computing a hash value of the LLDP message in order to judge whether it has been forged or falsified. Detecting topology attacks by their attack characteristics is also widely applied. However, such methods rely on the specific attack messages generated by topology attacks that have already been discovered, so the defense effect is limited to specific known attacks, and they can be bypassed if an attacker modifies the attack messages, for example by changing the message protocol or the transmission time interval. In addition, an attacker can use the existing behavior of network hosts to mask their own attack characteristics. For example, an attacker can launch an attack during host migration and usurp the identity of the migrating host before the migration is completed. Since the victim host cannot respond to security checks during migration, such attacks can easily breach security defenses and are treated as normal behavior.
Disclosure of Invention
The invention aims to provide a software-defined network topology defense method based on route path integrity verification aiming at the defects of the prior art.
The purpose of the invention is realized by the following technical scheme: a software defined network topology defense method based on forwarding route integrity verification specifically comprises the following steps:
(1) Acquiring network topology information in real time by using the LLDP messages and Packet-in messages of the data plane, wherein the network topology information comprises the online and offline states of switches, the online, offline and migration states of network hosts, and changes of network links; the collected information is used to construct a data plane topology view on the controller.
(2) Monitoring the flows that trigger a table-miss event in real time; for each monitored flow f, extracting its five-tuple <smac, dmac, sip, dip, protocol> and finding the current position switch_current of f on its routing path in the topology view; judging, from the source mac address of f, whether f was sent by a host newly added to the network; if yes, performing identity authentication on the host h; if not, performing integrity verification on the forwarding path and obtaining a verification result.
(3) Analyzing the verification result of step (2): if host authentication was performed and the new host h passed the authentication, recording the mac address and certificate information of h, and recording in the controller topology view the five-tuple of the flow f, the current forwarding device switch_current on the path of f, the ingress port <switch_current, port_in> on which the current forwarding device received f, and the egress port <switch_current, port_out> of f.
(4) Analyzing the verification result of step (2): if path integrity verification was performed and passed, recording in the controller topology view the five-tuple of the flow f, the current forwarding device switch_current on the path of f, the ingress port <switch_current, port_in> on which the current forwarding device received f, and the egress port <switch_current, port_out> of f.
Further, when the identity authentication is performed on the host h in the step (2):
the mac address of the host h newly added to the network is acquired, the corresponding certificate pre-stored in the controller is looked up by that mac address, and a random character string s is sent to the host h. The host h signs the string s with its private key and returns the result to the controller. The controller decrypts the signature using the public key in the pre-distributed certificate, and thereby verifies that the host h holds the private key corresponding to the declared mac address.
Further, if the identity authentication of the host h is not passed, a safety alarm is output.
Further, when the route integrity is verified in the step (2):
the last-hop forwarding device switch_last of the flow f is found in the topology view of the controller, and it is queried whether the five-tuple left a record in switch_last. If the five-tuple of the monitored flow f is found in the last-hop device switch_last, and a link exists between the egress port <switch_last, port_out> of that five-tuple at switch_last and the ingress port <switch_current, port_in> on which the current switch_current received f, the integrity verification passes. Because the forwarding path before switch_last was already integrity-verified when f arrived at switch_last, only the integrity between switch_last and switch_current needs to be verified.
Further, if the route integrity verification fails, a security alert is output.
Further, if the last-hop forwarding device switch_last has no record of the five-tuple of the flow f, a security alarm is output.
Compared with the prior art, the invention has the following beneficial effects: the software defined network topology defense method based on route path integrity verification provided by the invention converts the topology attack detection problem into a route integrity verification problem, avoids the defect that existing defenses are only effective against specific attack characteristics, and achieves a wide defense range. Any occurrence of a topology attack generates illegal traffic, which either produces an unauthenticated routing path or destroys the integrity of an existing routing path. By dividing the route path integrity verification into a verification chain over the switches on the path, the controller only needs to verify the previous-hop switch at each hop, achieving O(1) time complexity. In addition, certificate-based host authentication serves as the starting point of the verification chain, which ensures the safety and reliability of the defense method. Compared with existing methods, the method detects unknown attacks, has a wider defense range and consumes less time.
Drawings
Fig. 1 is a flowchart of the software-defined network topology defense method based on route path integrity verification according to the present invention.
Detailed Description
The invention discloses a software defined network topology defense method based on forwarding route integrity verification. Whether a topology attack has occurred is judged by tracing the source of each new flow and comparing whether the characteristics of the flow have been tampered with on each forwarding device of the forwarding path. The verification of the whole path takes the certificate authentication of the source host as the starting point and the basis of the whole authentication chain, and achieves an excellent defense effect. Furthermore, the present invention can incrementally verify each node on the routing path, achieving O(1) time complexity.
The present invention will be described in detail below with reference to the accompanying drawings in order to highlight the object and specific effects of the present invention.
As shown in fig. 1, the present invention specifically includes the following steps:
(1) Acquiring network topology information in real time by using the LLDP (Link Layer Discovery Protocol) messages and Packet-in messages of the data plane, wherein the network topology information comprises a switch coming online (switch_add) or going offline (switch_leave), a network host coming online or going offline (host_add, host_leave) or migrating (host_migration), and a change of a network link (link_add, link_del); the collected information is used to construct a data plane topology view on the controller.
(2) Monitoring the flows that trigger a table-miss event in real time; for each monitored flow f, extracting its five-tuple <smac, dmac, sip, dip, protocol> and finding the current position switch_current of f on its routing path in the topology view; judging, from the source mac address of f, whether f was sent by a host newly added to the network; if yes, performing identity authentication on the host h; if not, verifying the integrity of the forwarding path and obtaining a verification result.
(2.1) When the host identity is authenticated, the mac address of the host h newly added to the network is first acquired, the corresponding certificate stored in advance in the controller is looked up by that mac address, and a random character string s is sent to the host h. The host h signs the string s with its private key and returns the result sign(s) to the controller. The controller decrypts the signature using the public key in the pre-distributed certificate, and thereby verifies that the host h holds the private key corresponding to the mac address it declared. If the host h holds the corresponding private key, step (3) is performed; otherwise a security alarm is output directly.
(2.2) When the integrity of the route is verified, the last-hop forwarding device switch_last of the flow f is first looked up in the topology view of the controller, and it is then queried whether the five-tuple left a record in switch_last; if no record exists, an alarm is output. If the five-tuple of the monitored flow f is found in the last-hop device switch_last, and a link exists between the egress port <switch_last, port_out> of that five-tuple at switch_last and the ingress port <switch_current, port_in> on which the current switch_current received f, the integrity verification passes. Because the forwarding path before switch_last was already integrity-verified when f arrived at switch_last, only the integrity between switch_last and switch_current needs to be verified. If the verification passes, step (3) is performed; otherwise a security alarm is output directly.
(3) Analyzing the verification result obtained by host authentication or route integrity verification:
If host authentication was performed and the new host h passed the authentication, the mac address and certificate information of h are recorded, and the five-tuple of the flow f, the current forwarding device switch_current on the path of f, the ingress port <switch_current, port_in> on which the current forwarding device received f, and the egress port <switch_current, port_out> of f are recorded in the controller topology view.
If path integrity verification was performed and passed, the five-tuple of the flow f, the current forwarding device switch_current on the path of f, the ingress port <switch_current, port_in> on which the current forwarding device received f, and the egress port <switch_current, port_out> of f are recorded in the controller topology view.
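The verification chain of steps (2) to (4), as an added simulation that is not part of the patent: a controller keeps the topology view and per-flow hop records, authenticates a new host with a random challenge, and at every later table-miss checks only the hop from switch_last to switch_current. Certificate signing is replaced by a constructed HMAC stand-in behind a pluggable verifier, and a flow from an already authenticated host is assumed to start at that host's recorded attachment point (an assumption the patent text does not state).

```python
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


@dataclass
class TopologyView:
    """Controller-side view built in step (1). All contents here are constructed."""
    links: dict = field(default_factory=dict)      # (sw, port) -> (sw, port), both directions
    hosts: dict = field(default_factory=dict)      # authenticated mac -> (attach sw, attach port)
    certs: dict = field(default_factory=dict)      # pre-distributed mac -> public key material
    flow_path: dict = field(default_factory=dict)  # five-tuple -> [(sw, port_in, port_out), ...]

    def link_add(self, sw_a, port_a, sw_b, port_b):
        self.links[(sw_a, port_a)] = (sw_b, port_b)
        self.links[(sw_b, port_b)] = (sw_a, port_a)


class Controller:
    def __init__(self, view, verify_signature):
        self.view = view
        # verify_signature(public_key, message, signature) -> bool; a real deployment
        # plugs certificate-based verification in here (assumption: pluggable).
        self.verify_signature = verify_signature
        self.alerts = []

    def authenticate_host(self, mac, sign):
        """Step (2.1): send random string s, check that sign(s) matches the stored cert."""
        public_key = self.view.certs.get(mac)
        if public_key is None:
            return False
        s = secrets.token_bytes(16)
        return self.verify_signature(public_key, s, sign(s))

    def verify_route(self, five_tuple, sw_current, port_in):
        """Step (2.2): only the hop switch_last -> switch_current is checked (O(1))."""
        path = self.view.flow_path.get(five_tuple)
        if not path:
            # Assumption: a flow of an authenticated host originates at its attach point.
            return self.view.hosts.get(five_tuple[0]) == (sw_current, port_in)
        sw_last, _, port_out_last = path[-1]  # last hop's record of f (absent -> alarm)
        # pass only if <switch_last, port_out> is linked to <switch_current, port_in>
        return self.view.links.get((sw_last, port_out_last)) == (sw_current, port_in)

    def on_table_miss(self, five_tuple, sw_current, port_in, port_out, sign=None):
        smac = five_tuple[0]
        if smac not in self.view.hosts:
            if sign is None or not self.authenticate_host(smac, sign):
                self.alerts.append(("host_auth_failed", smac, sw_current))
                return False
            self.view.hosts[smac] = (sw_current, port_in)
        elif not self.verify_route(five_tuple, sw_current, port_in):
            self.alerts.append(("route_integrity_failed", five_tuple, sw_current))
            return False
        # steps (3)/(4): record f at switch_current with its ingress and egress ports
        self.view.flow_path.setdefault(five_tuple, []).append((sw_current, port_in, port_out))
        return True


# Constructed stand-in for certificate signing: HMAC over the challenge with a
# per-host key. Real deployments use public-key signature verification (assumption).
def make_signer(key):
    return lambda msg: hmac.new(key, msg, hashlib.sha256).digest()


def hmac_verify(key, msg, sig):
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig)


def demo():
    view = TopologyView()
    view.link_add("s1", 2, "s2", 1)  # constructed topology: s1:2 <-> s2:1 <-> s2:2 <-> s3:1
    view.link_add("s2", 2, "s3", 1)
    key = b"constructed-host-A-key"
    view.certs["aa:aa:aa:aa:aa:aa"] = key
    ctrl = Controller(view, hmac_verify)
    f = ("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "10.0.0.1", "10.0.0.2", "tcp")
    r1 = ctrl.on_table_miss(f, "s1", 1, 2, sign=make_signer(key))  # new host: challenge
    r2 = ctrl.on_table_miss(f, "s2", 1, 2)                         # s1:2 -> s2:1, passes
    r3 = ctrl.on_table_miss(f, "s3", 2, 3)                         # arrives on s3:2, alarm
    return r1, r2, r3, list(ctrl.alerts)
```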

Claims (5)

1. A software defined network topology defense method based on forwarding route integrity verification is characterized by comprising the following steps:
(1) Acquiring network topology information in real time by using the LLDP messages and Packet-in messages of the data plane, wherein the network topology information comprises the online and offline states of a switch, the online and offline states of a network host, and the migration of a network link; constructing a data plane topology view on the controller using the collected information;
(2) Monitoring the flows that trigger a table-miss event in real time, extracting for each monitored flow f its five-tuple <smac, dmac, sip, dip, protocol>, and finding the current position switch_current of f on its routing path in the topology view; judging, from the source mac address of f, whether f was sent by a host newly added to the network; if yes, performing identity authentication on the host h; if not, performing integrity verification on the forwarding path and obtaining a verification result;
verifying the integrity of the route includes: finding the last-hop forwarding device switch_last of the flow f in the topology view of the controller and querying whether the five-tuple left a record in switch_last; if the five-tuple of the monitored flow f is found in the last-hop device switch_last, and a link exists between the egress port <switch_last, port_out> of that five-tuple at switch_last and the ingress port <switch_current, port_in> on which the current switch_current received f, the integrity verification passes; because the forwarding path before switch_last was already integrity-verified when f arrived at switch_last, only the integrity between switch_last and switch_current needs to be verified;
(3) Analyzing the verification result of step (2): if host authentication was performed and the new host h passed the authentication, recording the mac address and certificate information of h, and recording in the controller topology view the five-tuple of the flow f, the current forwarding device switch_current through which f passes, the ingress port <switch_current, port_in> on which the current forwarding device received f, and the egress port <switch_current, port_out> of f;
(4) Analyzing the verification result of step (2): if path integrity verification was performed and passed, recording in the controller topology view the five-tuple of the flow f, the current forwarding device switch_current on the path of f, the ingress port <switch_current, port_in> on which the current forwarding device received f, and the egress port <switch_current, port_out> of f.
2. The forwarding route integrity verification-based software-defined network topology defense method according to claim 1, wherein when the identity authentication of the host h is performed in step (2):
acquiring the mac address of the host h newly joining the network, acquiring the corresponding certificate pre-stored in the controller according to the mac address, and sending a random character string s to the host h; the host h signs the character string s with its private key and returns the result to the controller; the controller decrypts the signature using the public key in the pre-distributed certificate, and thereby verifies that the host h holds the private key corresponding to the declared mac address.
3. The forwarding routing integrity verification-based software-defined network topology defense method according to claim 2, wherein if the host h identity authentication fails, a security alarm is output.
4. The forwarding route integrity verification-based software-defined network topology defense method according to claim 1, wherein if the route integrity verification fails, a security alarm is output.
5. The forwarding route integrity verification-based software-defined network topology defense method according to claim 1, characterized in that if the last-hop forwarding device switch_last has no record of the five-tuple of the flow f, a security alarm is output.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111004361.XA CN113709160B (en) 2021-08-30 2021-08-30 Software defined network topology defense method based on forwarding route integrity verification

Publications (2)

Publication Number Publication Date
CN113709160A CN113709160A (en) 2021-11-26
CN113709160B true CN113709160B (en) 2022-10-04

Country Status (1)

Country Link
CN (1) CN113709160B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174467B (en) * 2022-06-28 2023-09-22 福州大学 Route jump defending construction method based on programmable data plane

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6044064A (en) * 1997-03-28 2000-03-28 Mci Communications Corporation Method and system therefor of confining path verification signals within a distributed restoration network
CN106612267B (en) * 2015-10-27 2020-01-21 ***通信集团公司 Verification method and verification device
CN107645445B (en) * 2017-09-15 2019-11-22 安徽大学 A kind of SDN network cross-domain communication method based on dummy node technology
CN112565230B (en) * 2020-11-30 2022-08-19 国网山东省电力公司电力科学研究院 Software-defined Internet of things network topology data transmission safety management method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant