CN116015700A - Intranet DDOS flow detection and protection method based on software defined network - Google Patents


Publication number
CN116015700A
Authority
CN
China
Prior art keywords
flow
ddos
layer
intranet
sflow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111301397.4A
Other languages
Chinese (zh)
Inventor
龙玉江
钟掖
赵威扬
张光益
李由
熊铖
甘润东
卢仁猛
卫薇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guizhou Power Grid Co Ltd
Original Assignee
Guizhou Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guizhou Power Grid Co Ltd filed Critical Guizhou Power Grid Co Ltd
Priority to CN202111301397.4A priority Critical patent/CN116015700A/en
Publication of CN116015700A publication Critical patent/CN116015700A/en
Pending legal-status Critical Current

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an intranet DDoS traffic detection and protection method based on a software defined network, and belongs to the technical field of computer network security. The method comprises the following steps: S1: deep packet inspection (DPI); S2: deep data stream inspection; S3: OSI seven-layer protocol analysis. According to the invention, deep packet inspection (DPI) and deep data stream inspection are carried out to obtain the content of applications across the whole intranet; OSI seven-layer protocol analysis is then carried out to obtain the communication traffic, data packets, bytes per second, bits per second and packets per second of each protocol, and the communication characteristics and content are inspected in depth. If a DDoS attack is detected by means of the configured sFlow Agent, DDoS defense is carried out, and the traffic is brought back to normal through measures such as observing the traffic and issuing flow tables.

Description

Intranet DDOS flow detection and protection method based on software defined network
Technical Field
The invention relates to the technical field of network security, in particular to an intranet DDOS flow detection and protection method based on a software defined network.
Background
With the rapid development of cloud computing technology, many businesses of data centers gradually migrate to cloud data center networks. Cloud computing is a new mode for distributing IT resources as required, and depending on a virtualization technology, the utilization rate of hardware resources is further improved in a virtual manner. The tenant can purchase and dynamically expand the corresponding resource scale at any time as required, and the corresponding tenant network also needs to be dynamically changed, which puts a very high requirement on the network operation and maintenance of the cloud data center.
The Internet and cloud computing are driving the continuous expansion of data centers, and network operation and maintenance currently faces 4 challenges: network security; network performance; network management; performance of network applications.
From the perspective of network and service operation and maintenance, the operation and maintenance departments cannot cooperate effectively, 80% of the time is wasted on locating the faulty link, and for many problems the root cause of the fault often cannot be determined. DDoS attacks may be launched by intranet puppet hosts, and this problem urgently needs to be solved.
Disclosure of Invention
Therefore, one of the purposes of the present invention is to provide a method for detecting and protecting intranet DDOS traffic based on a software defined network.
One of the purposes of the invention is realized by the following technical scheme:
an intranet DDOS flow detection and protection method based on a software defined network comprises the following steps:
S1: deep packet inspection (DPI);
S2: deep data stream inspection;
S3: OSI seven-layer protocol analysis; DDoS traffic detection on the intranet is achieved through SDN + sFlow, a loop flow table is automatically issued to the OVS switch, and DDOS flow is achieved.
Optionally, the S1 specifically is:
on top of packet-header analysis, application-layer analysis is added: the IP packet payload is read in order to analyze and reassemble the application-layer communication content in the OSI model, thereby obtaining the content of the whole application.
Optionally, the S3 specifically is:
a protocol identification engine CSPRE is used to identify the bearer protocols of the application layer, presentation layer, session layer, transport layer, network layer and data link layer of the OSI model, and the communication traffic, data packets, bytes per second, bits per second and packets per second of each protocol are displayed hierarchically as a protocol tree;
when decoding, the method conforms to the standard RFC document formulated by IEEE, and a protocol decoding engine CSPDE is used to carry out complete field decoding of the communication protocol of each layer, thereby achieving deep inspection of the communication characteristics and content of every layer from the data link layer to the application layer.
Optionally, the step S3 further includes:
S4: DDoS attack detection;
1) Starting sFlow-RT
Keeping the terminal running Mininet open, opening another terminal window, entering the following instruction, and starting sFlow-RT;
2) Configuring the sFlow Agent
The sFlow Agent needs to be configured in the virtual switch so that the sFlow Collector can collect traffic information for analysis and presentation;
entering an instruction to deploy the sFlow Agent;
viewing the configured sFlow Agent information with an instruction;
entering the ip link instruction to view the mapping between virtual switch ports and port numbers;
checking through the WebUI whether the sFlow Agent has been configured successfully;
going to the graphical traffic monitoring page;
observing the traffic;
performing a simulated DDoS attack in the Mininet terminal, simulating a flood attack, and then observing the switch traffic.
Optionally, the step S4 further includes:
S5: DDoS attack defense:
opening a system terminal and calling the Floodlight API to query the existing flow table;
the result returned is empty.
Optionally, the step S5 specifically includes:
1) Adding a flow table
Adding a static flow table: creating a ddos.json file, writing the content of the flow table into the file, and submitting the file through the API, wherein the content of the file is as follows:
executing the following instruction to issue the flow table that drops the data packets;
"Entry proposed" is returned, indicating that the flow table was issued successfully, and the flow table is queried again:
2) Observing the traffic
Switching to sFlow to check the traffic:
after the flow table is issued, the traffic drops rapidly, and the data packets flooded from h1 to h2 are quickly and completely dropped;
switching to the terminal of h2 and accessing the web service of h1;
it is also inaccessible;
3) Deleting the flow table
Executing an instruction to delete the flow table just issued;
observing the traffic again:
the attack packet traffic is restored;
4) Dropping specified traffic
The flow table to be issued is modified so that the OpenFlow switch drops only ICMP traffic and normal HTTP service is not affected;
two fields are added: eth_type, specifying the Ethernet type as IPv4, and ip_proto, specifying the protocol type as ICMP;
the flow table is issued again:
observing the traffic and accessing the HTTP service of h1;
the traffic drops to normal, and the HTTP service remains accessible and unaffected.
It is a further object of the invention to provide a computer device comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, the processor implementing the method when executing the computer program.
It is a further object of the invention to provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method.
The beneficial effects of the invention are as follows: deep packet inspection (DPI) and deep data stream inspection are carried out to obtain the content of applications across the whole intranet; OSI seven-layer protocol analysis is then carried out to obtain the communication traffic, data packets, bytes per second, bits per second and packets per second of each protocol, and the communication characteristics and content are inspected in depth. If a DDoS attack is detected by means of the configured sFlow Agent, DDoS defense is carried out, and the traffic is brought back to normal through measures such as observing the traffic and issuing flow tables.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof.
Drawings
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings, in which:
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be understood that the preferred embodiments are presented by way of illustration only and not by way of limitation.
As shown in FIG. 1, the system can obtain network delay at any time between any two servers in a large-scale data center network, measured delay data is collected and stored, summarized and analyzed through a data storage and analysis pipeline, and can be used for informing an application program whether perceived delay exists, defining and tracking a network Service Level Agreement (SLA), and automatically positioning and removing network faults.
The deep data packet analysis technology is an important technology utilized by the invention, and comprises deep data packet detection, deep data stream detection and OSI seven-layer protocol analysis technology.
Deep Packet Inspection (DPI):
Traditional packet traffic identification and analysis technology only analyzes the "5-tuple" information in the packet header, which comprises the source address, destination address, source port, destination port and protocol type. As network application types continue to multiply, the application type in the traffic cannot be reliably determined from layer-4 port information alone, and applications transmitted over open ports, random ports or even in encrypted form cannot be handled. Deep packet inspection adds application-layer analysis on top of packet-header analysis and reads deeply into the IP packet payload to analyze and reassemble the application-layer communication content in the OSI model, thereby obtaining the content of the whole application.
OSI seven layer protocol analysis:
The invention follows the standard OSI seven-layer model design. A protocol identification engine CSPRE is used to identify the bearer protocols of the application layer, presentation layer, session layer, transport layer, network layer and data link layer of the OSI model, and data such as the communication traffic, data packets, bytes per second, bits per second and packets per second of each protocol are displayed hierarchically as a protocol tree. When decoding, the method conforms to the standard RFC document formulated by IEEE, and a protocol decoding engine CSPDE is used to carry out complete field decoding of the communication protocol of each layer, thereby achieving deep inspection of the communication characteristics and content of every layer from the data link layer to the application layer.
Examples:
1. The WebUI port of Floodlight is 8080; it is accessed with a browser.
2. Building topology
Keep the terminal running Floodlight open, open another terminal window, enter the following instruction, and build the required topology.
3. DDoS attack detection
1) Start sFlow-RT
Keep the terminal running Mininet open, open another terminal window, enter the following instruction, and start sFlow-RT.
2) Configuring sFlow Agent
The sFlow Agent needs to be configured in the virtual switch so that the sFlow Collector can collect traffic information for analysis and presentation.
Enter the following instruction to deploy the sFlow Agent:
back@back:~$ sudo ovs-vsctl -- --id=@sflow create sflow agent=eth0 target=\"127.0.0.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow
The configured sFlow Agent information can be viewed with the following instruction:
back@back:~$ sudo ovs-vsctl list sflow
Enter the ip link instruction to view the mapping between virtual switch ports and port numbers.
It can be seen that the number corresponding to the s1 switch is 4, the number corresponding to the port of the switch connecting host1 is 5, and so on.
Check through the WebUI whether the sFlow Agent has been configured successfully:
localhost:8008/app/flow-trend/html/index.html
Click the Apps option on the page, then click the flow-trend option:
localhost:8008/app/flow-trend/html/index.html
Then fill in the Keys, Value and Filter fields respectively: ipsource,ipdestination,stack; bytes; leave empty. Then click Submit on the right, and the page goes automatically to the graphical traffic monitoring page.
Then switch to the Mininet console window and open the terminals of Host1 and Host2 using the following instruction:
mininet> xterm h1 h2
An HTTP service is then started on Host1.
Ping Host1 from Host2.
Then observe the traffic; it can be seen that the traffic is normal. The ping can be stopped by pressing Ctrl+C in the Host2 terminal. You can also try to access the HTTP service of Host1.
3) DDoS attack detection
Next, a simulated DDoS attack is performed in the Mininet terminal with h2 ping -f h; the -f parameter means ping flood, simulating a flood attack.
Then observe the switch traffic.
4) DDoS attack defense
Open a system terminal and enter the following instruction, calling the Floodlight API to query the existing flow table:
back@back:~$ curl -X GET \
> http://127.0.0.1:8080/wm/staticflowpusher/list/00:00:00:00:00:00:01/json
The result returned is empty:
1) Add flow table operation
Then a static flow table is added. For convenient operation and viewing, a new ddos.json file is created, the contents of the flow table are written into the file, and the file is then submitted through the API. The contents of the file are as follows:
Execute the following instruction to issue the flow table that drops the data packets:
back@back:~$ curl -X POST -d @ddos.json http://127.0.0.1:8080/wm/staticflowpusher/json
"Entry proposed" is returned, indicating that the flow table was issued successfully. Query the flow table again:
2) Observing the traffic
Switch to sFlow to check the traffic:
After the flow table is issued, the traffic drops rapidly, and the data packets flooded from h1 to h2 are quickly and completely dropped.
Switch to the terminal of h2 and access the web service of h1.
It is also inaccessible. This is because the issued flow table drops all packets, and this problem needs to be solved.
3) Deleting a flow table
Execute the following instruction to delete the flow table just issued:
back@back:~$ curl -X DELETE -d '{"name":"flow-mod-dropt"}' \
> http://127.0.0.1:8080/wm/staticflowpusher/json
Observe the traffic again:
The attack packet traffic is restored.
4) Dropping specified traffic
Modify the flow table to be issued so that the OpenFlow switch drops only ICMP traffic and normal HTTP service is not affected. The modification is as follows:
"eth_type":"0x0800",
"ip_proto":"0x01",
Two fields are added: eth_type, specifying the Ethernet type as IPv4, and ip_proto, specifying the protocol type as ICMP.
Issue the flow table again:
back@back:~$ curl -X POST -d @ddos.json http://127.0.0.1:8080/wm/staticflowpusher/json
At this point, observe the traffic again and access the HTTP service of h1.
It can be seen that the traffic drops to normal, while the HTTP service is still accessible and unaffected.
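The detection-then-narrowing procedure above, as an added example (not code from the patent, Floodlight or sFlow-RT): it picks the flooding flow out of constructed rate samples keyed the way the flow-trend page is configured, builds the broad and the ICMP-only drop entries, and checks which packets each one matches. The switch id and rule name are copied from the page; `in_port`, `priority`, the empty `actions` meaning drop, the threshold, the addresses and the port map are assumptions, since the page does not show the contents of ddos.json.

```python
import json

DPID = "00:00:00:00:00:00:01"   # switch id as printed in the page's query URL
RULE = "flow-mod-dropt"         # rule name as used in the page's DELETE call
MATCH_FIELDS = ("in_port", "eth_type", "ip_proto")  # match fields used in this sketch


def drop_entry(switch, name, in_port, icmp_only):
    """Build a static flow entry; an empty action list is assumed to mean drop."""
    entry = {
        "switch": switch,
        "name": name,
        "priority": "100",        # assumed value
        "in_port": str(in_port),  # assumed: ingress port of the flooding host
        "active": "true",
        "actions": "",            # assumed: no actions -> packets are dropped
    }
    if icmp_only:
        # The two fields the page adds to narrow the rule.
        entry["eth_type"] = "0x0800"  # IPv4
        entry["ip_proto"] = "0x01"    # ICMP
    return entry


def matches(entry, pkt):
    """OpenFlow-style matching: a field absent from the entry is a wildcard."""
    return all(int(entry[f], 0) == pkt[f] for f in MATCH_FIELDS if f in entry)


def find_floods(samples, threshold):
    """Return (flow_key, bytes_per_second) pairs above threshold, highest first."""
    hits = [(key, rate) for key, rate in samples.items() if rate > threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


def rules_for_floods(samples, threshold, switch, port_of):
    """Turn each ICMP flood into an ICMP-only drop rule on the source's port."""
    rules = []
    for (src, _dst, stack), _rate in find_floods(samples, threshold):
        if stack.split(".")[-1] != "icmp" or src not in port_of:
            continue  # non-ICMP or unlocated floods are left for manual review
        rules.append(drop_entry(switch, f"{RULE}-{src}", port_of[src], icmp_only=True))
    return rules


# Constructed sample data (not taken from the page): flows keyed by
# (ipsource, ipdestination, stack) with a bytes-per-second value.
SAMPLES = {
    ("10.0.0.2", "10.0.0.1", "eth.ip.icmp"): 9_500_000.0,  # flood
    ("10.0.0.2", "10.0.0.1", "eth.ip.tcp"): 42_000.0,      # normal HTTP
}
PORT_OF = {"10.0.0.2": 2}  # assumed host-to-switch-port map
THRESHOLD = 1_000_000      # assumed bytes-per-second threshold

ICMP_PKT = {"in_port": 2, "eth_type": 0x0800, "ip_proto": 1}
HTTP_PKT = {"in_port": 2, "eth_type": 0x0800, "ip_proto": 6}

if __name__ == "__main__":
    broad = drop_entry(DPID, RULE, 2, icmp_only=False)
    print("broad rule drops HTTP:", matches(broad, HTTP_PKT))
    for rule in rules_for_floods(SAMPLES, THRESHOLD, DPID, PORT_OF):
        print(json.dumps(rule, indent=2))  # candidate content for ddos.json
        print("narrow rule drops ICMP:", matches(rule, ICMP_PKT))
        print("narrow rule drops HTTP:", matches(rule, HTTP_PKT))
```
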
4. Summary
Through SDN technology, network traffic can be monitored, extracted and analyzed in real time, and the traffic can be adjusted in time, such as QoS, load balancing, DDoS traffic filtering and the like.
It should be appreciated that embodiments of the invention may be implemented or realized by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer readable storage medium configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, in accordance with the methods and drawings described in the specific embodiments. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Furthermore, the operations of the processes described herein may be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes (or variations and/or combinations thereof) described herein may be performed under control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications), by hardware, or combinations thereof, collectively executing on one or more processors. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable computing platform, including, but not limited to, a personal computer, mini-computer, mainframe, workstation, network or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and so forth. Aspects of the invention may be implemented in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optical read and/or write storage medium, RAM, ROM, etc., such that it is readable by a programmable computer, which when read by a computer, is operable to configure and operate the computer to perform the processes described herein. Further, the machine readable code, or portions thereof, may be transmitted over a wired or wireless network. When such media includes instructions or programs that, in conjunction with a microprocessor or other data processor, implement the steps described above, the invention described herein includes these and other different types of non-transitory computer-readable storage media. The invention also includes the computer itself when it is programmed according to the method and technology for intranet DDoS traffic detection and protection based on a software defined network described herein.
The computer program can be applied to the input data to perform the functions described herein, thereby converting the input data to generate output data that is stored to the non-volatile memory. The output information may also be applied to one or more output devices such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including specific visual depictions of physical and tangible objects produced on a display.
Finally, it is noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made thereto without departing from the spirit and scope of the present invention, which is intended to be covered by the claims of the present invention.

Claims (8)

1. A method for detecting and protecting intranet DDOS flow based on a software defined network is characterized in that: the method comprises the following steps:
S1: deep packet inspection (DPI);
S2: deep data stream inspection;
S3: OSI seven-layer protocol analysis; DDoS traffic detection on the intranet is achieved through SDN + sFlow, a loop flow table is automatically issued to the OVS switch, and DDOS flow is achieved.
2. The method for detecting and protecting intranet DDOS traffic based on a software defined network according to claim 1, wherein the method is characterized by: the S1 specifically comprises the following steps:
on top of packet-header analysis, application-layer analysis is added: the IP packet payload is read in order to analyze and reassemble the application-layer communication content in the OSI model, thereby obtaining the content of the whole application.
3. The method for detecting and protecting intranet DDOS traffic based on a software defined network according to claim 2, wherein the method is characterized by: the step S3 is specifically as follows:
a protocol identification engine CSPRE is used to identify the bearer protocols of the application layer, presentation layer, session layer, transport layer, network layer and data link layer of the OSI model, and the communication traffic, data packets, bytes per second, bits per second and packets per second of each protocol are displayed hierarchically as a protocol tree;
when decoding, the method conforms to the standard RFC document formulated by IEEE, and a protocol decoding engine CSPDE is used to carry out complete field decoding of the communication protocol of each layer, thereby achieving deep inspection of the communication characteristics and content of every layer from the data link layer to the application layer.
4. The method for detecting and protecting intranet DDOS traffic based on software defined network according to claim 3, wherein the method is characterized by: the step S3 further comprises the following steps:
S4: DDoS attack detection;
1) Starting sFlow-RT
Keeping the terminal running Mininet open, opening another terminal window, entering the following instruction, and starting sFlow-RT;
2) Configuring the sFlow Agent
The sFlow Agent needs to be configured in the virtual switch so that the sFlow Collector can collect traffic information for analysis and presentation;
entering an instruction to deploy the sFlow Agent;
viewing the configured sFlow Agent information with an instruction;
entering the ip link instruction to view the mapping between virtual switch ports and port numbers;
checking through the WebUI whether the sFlow Agent has been configured successfully;
going to the graphical traffic monitoring page;
observing the traffic;
performing a simulated DDoS attack in the Mininet terminal, simulating a flood attack, and then observing the switch traffic.
5. The method for detecting and protecting intranet DDOS traffic based on a software defined network according to claim 4, wherein the method is characterized by: the step S4 further comprises the following steps:
S5: DDoS attack defense:
opening a system terminal and calling the Floodlight API to query the existing flow table;
the result returned is empty.
6. The method for detecting and protecting intranet DDOS traffic based on a software defined network according to claim 5, wherein the method is characterized by: the step S5 specifically comprises the following steps:
1) Adding a flow table
Adding a static flow table: creating a ddos.json file, writing the content of the flow table into the file, and submitting the file through the API, wherein the content of the file is as follows:
executing the following instruction to issue the flow table that drops the data packets;
"Entry proposed" is returned, indicating that the flow table was issued successfully, and the flow table is queried again:
2) Observing the traffic
Switching to sFlow to check the traffic:
after the flow table is issued, the traffic drops rapidly, and the data packets flooded from h1 to h2 are quickly and completely dropped;
switching to the terminal of h2 and accessing the web service of h1;
it is also inaccessible;
3) Deleting the flow table
Executing an instruction to delete the flow table just issued;
observing the traffic again:
the attack packet traffic is restored;
4) Dropping specified traffic
The flow table to be issued is modified so that the OpenFlow switch drops only ICMP traffic and normal HTTP service is not affected;
two fields are added: eth_type, specifying the Ethernet type as IPv4, and ip_proto, specifying the protocol type as ICMP;
the flow table is issued again:
observing the traffic and accessing the HTTP service of h1;
the traffic drops to normal, and the HTTP service remains accessible and unaffected.
7. A computer apparatus comprising a memory, a processor, and a computer program stored on the memory and capable of running on the processor, characterized by: the processor, when executing the computer program, implements the method of any of claims 1-6.
8. A computer-readable storage medium having stored thereon a computer program, characterized by: the computer program implementing the method according to any of claims 1-6 when executed by a processor.
CN202111301397.4A 2021-11-04 2021-11-04 Intranet DDOS flow detection and protection method based on software defined network Pending CN116015700A (en)

Publications (1)

Publication Number Publication Date
CN116015700A true CN116015700A (en) 2023-04-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination