CN111224970A - SDN network system, network attack defense method, device and storage medium - Google Patents
- Publication number: CN111224970A
- Application number: CN201911410351.9A
- Authority: CN (China)
- Prior art keywords: flow table, table information, module, defense, detection
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14 Detecting or protecting against malicious traffic; H04L63/00 Network architectures or protocols for network security)
- H04L41/0893: Assignment of logical groups to network elements (under H04L41/08 Configuration management of networks or network elements; H04L41/00 Arrangements for maintenance, administration or management of data switching networks)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00)
Abstract
The embodiments of the invention relate to the technical field of communication and disclose an SDN network system comprising a data plane, a control plane and an application plane. The control plane comprises a plurality of slices, each slice comprising a preprocessing module, a detection module and a defense module. The preprocessing module preprocesses the acquired flow table information and inputs it into the detection module; the detection module detects the flow table information and sends the detection result to the defense module; and when the detection result is abnormal, the defense module issues a cleaning flow table according to the detection result and cleans the flow table information according to that cleaning flow table. The embodiments of the invention also provide a network attack defense method, a device and a storage medium.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an SDN network system, a network attack defense method, a device, and a storage medium.
Background
Fifth generation network (5G) technology will affect many aspects of people's lives, such as automatic driving, wearable equipment, personalized medicine and the Internet of Things, and bring huge changes. At the same time, the larger number of sensing devices in a 5G network will generate more data and hence attract more network attacks, which affects information security.
At present, network attacks are defended against by an intrusion detection system: when the system detects an abnormality it sends an alarm message, and a network manager handles the attack according to that alarm message.
However, the inventors found that the prior art has at least the following problem: because a network attack is only handled after the intrusion detection system has sent an alarm message and the network manager has acted on it, the network manager may not respond in time, so services are seriously affected or the service system is even paralyzed, and the processing efficiency for network attacks is low.
Disclosure of Invention
Embodiments of the present invention provide an SDN network system, a network attack defense method, a device, and a storage medium, so that the processing efficiency of network attacks is improved.
To solve the above technical problem, an embodiment of the present invention provides an SDN network system including a data plane, a control plane and an application plane, the control plane including a plurality of slices, each slice including a preprocessing module, a detection module and a defense module. The preprocessing module preprocesses the acquired flow table information and inputs it into the detection module; the detection module detects the flow table information and sends the detection result to the defense module; and when the detection result is abnormal, the defense module issues a cleaning flow table according to the detection result and cleans the flow table information according to the cleaning flow table.
An embodiment of the invention also provides a network attack defense method comprising the following steps: dividing the SDN control plane into a plurality of slices, each slice comprising a preprocessing module, a detection module and a defense module; and executing the network attack defense of each slice within that slice, which comprises: collecting the flow table information of the slice, performing network attack detection according to the collected flow table information and the neural network model of the slice, issuing a cleaning flow table when a network attack is determined, and cleaning the flow table information according to the cleaning flow table.
An embodiment of the present invention further provides a network device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the network attack defense method described above.
Embodiments of the present invention also provide a computer-readable storage medium storing a computer program, which when executed by a processor implements the network attack defense method described above.
Compared with the prior art, the SDN network system provided by the embodiments of the invention comprises a data plane, a control plane and an application plane, the control plane comprising a plurality of slices, each slice comprising a preprocessing module, a detection module and a defense module; the preprocessing module preprocesses the acquired flow table information and inputs it into the detection module, the detection module detects the flow table information and sends the detection result to the defense module, and when the detection result is abnormal the defense module issues a cleaning flow table according to the detection result and the flow table information is cleaned according to that cleaning flow table. Because the control plane is divided into a plurality of slices, the preprocessing, detection and defense modules in each slice detect and defend against network attacks within that slice, so the data security of each slice is ensured. Furthermore, because a cleaning flow table is issued to clean the attack traffic as soon as the detection result for the flow table information is abnormal, network attacks are handled automatically; the untimely handling of the prior art, where the network manager must act after the intrusion detection system sends an alarm message, is avoided, and the processing efficiency for network attacks is improved.
In addition, the preprocessing module comprises a flow table acquisition unit and a data processing unit; the flow table acquisition unit is used for acquiring the flow table information from the data plane and sending the flow table information to the data processing unit; the data processing unit is used for performing data format conversion and dimension reconstruction on the flow table information and sending the flow table information subjected to dimension reconstruction to the detection module. The flow table acquisition unit acquires flow table information of the data plane, so that information in network flow can be acquired in real time to realize real-time detection of network attack; and the data processing unit is used for carrying out data format conversion and dimension reconstruction on the flow table information, so that the flow table information can meet the data input requirement of the detection module, and the network attack detection is convenient.
In addition, the detection module is used for detecting the flow table information based on a deep learning neural network model. The flow table information is detected through the deep learning neural network model, and due to the fact that the deep learning capacity is strong and the adaptability is good, the detection module can adapt to different data types in different slices, and the accuracy of detection results is improved.
In addition, the defense module comprises a flow table generating unit and a flow table issuing unit. When the detection result is abnormal, the flow table generating unit generates, from the flow table information corresponding to the abnormal detection result, a cleaning flow table whose action is drop, and sends the cleaning flow table to the flow table issuing unit; the flow table issuing unit issues the cleaning flow table to the data plane so that the data plane cleans the flow table information according to it. Because the flow table generating unit produces a cleaning flow table for each abnormal detection result and the flow table issuing unit issues it to the data plane, the flow table information with an abnormal detection result is cleaned and the network attack is defended against; the untimely handling of the prior art, where the network manager must process the alarm message sent by the intrusion detection system, is avoided, and the processing efficiency for network attacks is improved.
In addition, the executing the network attack defense of the slice further includes: collecting the flow table information from the data plane, performing data format conversion and dimension reconstruction on the flow table information, and inputting the flow table information subjected to dimension reconstruction into the neural network model for detection. By collecting flow table information of a data plane, information in network flow can be acquired in real time, so that real-time detection of network attack is realized; and by carrying out data format conversion and dimensionality reconstruction on the flow table information, the flow table information can meet the data input requirement of the neural network model, and network attack detection is facilitated.
In addition, the executing the network attack defense of the slice further includes: and performing network attack detection according to the deep learning-based neural network model of the slice. The flow table information is detected through the deep learning neural network model, and due to the fact that the deep learning capacity is strong and the adaptability is good, the detection module can adapt to different data types in different slices, and the accuracy of detection results is improved.
In addition, executing the network attack defense of the slice further includes: when a network attack is determined, issuing a cleaning flow table whose action is drop and cleaning the flow table information according to the cleaning flow table. Because the cleaning flow table is generated once a network attack is determined, the flow table information corresponding to the attack is cleaned according to it and the network attack is defended against; the untimely handling of the prior art, where the network manager must act after the intrusion detection system sends an alarm message, is avoided, and the processing efficiency for network attacks is improved.
Drawings
One or more embodiments are illustrated by the corresponding figures in the drawings, which are not meant to be limiting.
Fig. 1 is a schematic structural diagram of an SDN network system provided in a first embodiment of the present invention;
fig. 2 is a schematic structural diagram of a module of a control plane slice in an SDN network system according to a first embodiment of the present invention;
fig. 3 is a schematic structural diagram of another module of control plane slicing in the SDN network system according to the first embodiment of the present invention;
fig. 4 is a flowchart illustrating a network attack defense implemented by the SDN network system according to the first embodiment of the present invention;
fig. 5 is a schematic flow chart of a network attack defense method provided by a second embodiment of the invention;
fig. 6 is a schematic structural diagram of a network device according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that the numerous technical details set forth in the embodiments serve only to give a better understanding of the present application; the technical solution claimed in the present application can be implemented without these technical details, and with various changes and modifications of the following embodiments.
A first embodiment of the present invention relates to an SDN network system, as shown in fig. 1, including a data plane, a control plane and an application plane, where the control plane includes a plurality of logically independent slices; the number of slices is n, n being a positive integer. Each slice includes a preprocessing module, a detection module and a defense module. SDN (Software Defined Network) is a novel network architecture that separates the control plane of the router from its data plane by means of the OpenFlow protocol and implements the control plane in software. A slice may be an enhanced mobile broadband (eMBB) slice, a massive machine-type communication (mMTC) slice, an ultra-reliable low-latency communication (URLLC) slice, a customized slice or an operator-defined slice, set according to actual needs and not limited here. Optionally, the SDN network system provided in this embodiment may be applied to a 5G network, where the 5G network decouples software from hardware through Network Function Virtualization (NFV) and decomposes the decoupled virtualized network function software into modular components that run on general-purpose hardware to implement cloudification.
The data plane consists of an access and forwarding layer and network elements; various application programs are deployed in the application plane, such as an automatic driving application, a virtual reality application, a smart home application and the like. Optionally, the control plane communicates with the data plane through a southbound interface and with the application plane through a northbound interface.
Referring to fig. 2, which is a schematic diagram of the module structure of a slice in the control plane, each slice includes a preprocessing module 101, a detection module 102 and a defense module 103.
The preprocessing module 101 is configured to preprocess the acquired flow table information and input the preprocessed flow table information into the detection module;
the detection module 102 is configured to detect flow table information and send a detection result of the flow table information to the defense module;
and the defense module 103 is used for issuing a cleaning flow table according to the detection result and cleaning the flow table information according to the cleaning flow table when the detection result is abnormal.
Please refer to fig. 3, which is a schematic structural diagram of another module structure of a slice in the control plane. Specifically, the preprocessing module 101 includes a flow table acquisition unit 1011 and a data processing unit 1012, and the defense module 103 includes a flow table generating unit 1031 and a flow table issuing unit 1032.
The flow table acquisition unit 1011 is configured to collect flow table information from the data plane and send it to the data processing unit 1012. Specifically, the flow table acquisition unit 1011 communicates with the data plane through the southbound interface according to the OpenFlow protocol, collects the flow table information in the access and forwarding layer, and sends it to the data processing unit 1012.
The data processing unit 1012 is configured to perform data format conversion and dimension reconstruction on the flow table information and send the dimension-reconstructed flow table information to the detection module 102. Specifically, the data processing unit 1012 represents information such as IP addresses and MAC addresses in the flow table information in binary, converts the format of text-type data fields such as the match fields and the instructions by a Bag of Words (BoW) method, and keeps the original format of fields such as the port number, the priority and the counters as the input data format; it then performs dimension reconstruction on the format-converted data, building the dimensions required by the input of the detection module 102 (for example a deep learning model); when the amount of reconstructed data reaches the size of one input window of the detection module 102, the data processing unit 1012 sends that input window of dimension-reconstructed flow table information to the detection module 102 for attack detection.
The detection module 102 is configured to detect the flow table information based on a deep learning neural network model. Optionally, the detection module 102 includes an attack detection unit and a model update unit. The attack detection unit performs attack detection with the deep learning-based neural network model: it feeds the dimension-reconstructed flow table information from the data processing unit 1012 into the model and analyzes and detects the flow table information. The model update unit receives a model update instruction from a user (such as an administrator) over the network and, according to the instruction, updates the type, structure, parameters and the like of the deep learning-based neural network model, for example changing the number of layers of the model, changing the choice of optimizer, reducing the learning rate, and applying regularization and dropout.
Optionally, the deep learning-based neural network model is a Deep Convolutional Neural Network (DCNN) model. Preferably, the deep convolutional neural network model includes 1 input layer, 2 convolution layers, 2 max pooling layers, 1 fully connected layer and 1 output layer. For example, the attack detection unit inputs the data processed by the data processing unit 1012 to the input layer of the model; after the calculations of the two convolution layers and the two pooling layers, the result is input to the fully connected layer, and once the fully connected layer has processed the data it is output through the output layer. It should be understood that the deep convolutional neural network model may be designed by weighing computing power, detection efficiency, detection accuracy and other factors, and is not particularly limited herein.
Alternatively, the detection module 102 may also employ other neural network models, which are not specifically limited herein.
It should be understood that the data processing unit 1012 inputs into the detection module 102 the flow table information that fills one input window, that a window may contain multiple pieces of flow table information, and that accordingly the detection module 102 outputs multiple detection results, one per input flow table entry, so the defense module 103 can act on each detection result separately. It should also be noted that if the input window is too large the deep learning-based neural network model may settle in a local optimum, while if it is too small the randomness introduced during model training is large and convergence is hard to reach, so the input window size should be set reasonably.
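The preprocessing described above (binary encoding of IP and MAC addresses, Bag-of-Words over the textual match and instruction fields, numeric fields kept as they are, and buffering into one input window so that each detection result can be mapped back to its flow table entry), as an added example that is not part of the patent; the entry layout, the BoW vocabulary, the window size and the sample entries are assumptions:

```python
"""Slice preprocessing module: data format conversion of flow table entries
(IP/MAC to bits, Bag-of-Words over textual fields, numeric fields kept) and
dimension reconstruction into detector input windows. Added illustration, not
the patent's code; entry layout, BoW vocabulary and window size are assumed."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# Assumed vocabulary for the Bag-of-Words encoding of match-field names and
# instruction/action names; the patent names the method, not a vocabulary.
BOW_VOCAB: Sequence[str] = (
    "in_port", "eth_type", "ip_proto", "ipv4_src", "ipv4_dst", "eth_src",
    "eth_dst", "tcp_src", "tcp_dst", "udp_src", "udp_dst",
    "output", "drop", "set_field", "goto_table",
)
# Entry-level fields kept in their original numeric form; in_port (also
# numeric) is read from the match fields.
NUMERIC_FIELDS: Sequence[str] = ("priority", "packet_count", "byte_count")
FEATURE_LEN = 32 + 32 + 48 + 48 + len(BOW_VOCAB) + 1 + len(NUMERIC_FIELDS)


def ip_to_bits(ip: str) -> List[int]:
    """IPv4 address as 32 bits, most significant bit first."""
    value = int(ipaddress.IPv4Address(ip))
    return [(value >> (31 - i)) & 1 for i in range(32)]


def mac_to_bits(mac: str) -> List[int]:
    """MAC address (aa:bb:cc:dd:ee:ff) as 48 bits, most significant bit first."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    value = int(digits, 16)
    return [(value >> (47 - i)) & 1 for i in range(48)]


def bow_vector(tokens: Sequence[str]) -> List[int]:
    """Token counts over BOW_VOCAB; out-of-vocabulary tokens are ignored."""
    index = {word: i for i, word in enumerate(BOW_VOCAB)}
    counts = [0] * len(BOW_VOCAB)
    for token in tokens:
        if token in index:
            counts[index[token]] += 1
    return counts


def featurize(entry: Dict) -> List[float]:
    """Convert one flow table entry into a fixed-length numeric row."""
    match = entry["match"]
    row: List[float] = []
    row += ip_to_bits(match.get("ipv4_src", "0.0.0.0"))
    row += ip_to_bits(match.get("ipv4_dst", "0.0.0.0"))
    row += mac_to_bits(match.get("eth_src", "00:00:00:00:00:00"))
    row += mac_to_bits(match.get("eth_dst", "00:00:00:00:00:00"))
    # Textual fields: match-field names plus the action name of each
    # instruction, e.g. "output:2" contributes the token "output".
    tokens = list(match) + [ins.split(":")[0] for ins in entry["instructions"]]
    row += bow_vector(tokens)
    row.append(float(match.get("in_port", 0)))
    row += [float(entry[name]) for name in NUMERIC_FIELDS]
    return row


class WindowBuilder:
    """Dimension reconstruction: buffer feature rows until one detector input
    window is full, then hand over the window together with the original
    entries so each detection result can be mapped back to its flow entry."""

    def __init__(self, window_size: int) -> None:
        if window_size <= 0:
            raise ValueError("window_size must be positive")
        self.window_size = window_size
        self._rows: List[List[float]] = []
        self._entries: List[Dict] = []

    def push(self, entry: Dict) -> Optional[Tuple[List[List[float]], List[Dict]]]:
        """Add one entry; returns (rows, entries) once a window fills, else None."""
        self._rows.append(featurize(entry))
        self._entries.append(entry)
        if len(self._rows) < self.window_size:
            return None
        window = (self._rows, self._entries)
        self._rows, self._entries = [], []   # start the next window
        return window


# Constructed sample flow table entries (not captured from a real switch).
SAMPLE_ENTRIES: List[Dict] = [
    {"priority": 100, "packet_count": 12, "byte_count": 1800,
     "match": {"in_port": 1, "eth_src": "00:11:22:33:44:55",
               "eth_dst": "66:77:88:99:aa:bb", "ipv4_src": "10.0.0.1",
               "ipv4_dst": "10.0.0.2", "tcp_dst": 80},
     "instructions": ["output:2"]},
    {"priority": 100, "packet_count": 9000, "byte_count": 540000,
     "match": {"in_port": 3, "ipv4_src": "192.0.2.7", "ipv4_dst": "10.0.0.2",
               "udp_dst": 53},
     "instructions": ["set_field:eth_dst=66:77:88:99:aa:bb", "output:2"]},
]
```

Every row has length FEATURE_LEN regardless of which match fields an entry carries, which is what lets the detector consume a fixed input window.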
The flow table generating unit 1031 is configured, when the detection result is abnormal, to generate a cleaning flow table whose action is drop from the flow table information corresponding to the abnormal detection result, and to send the cleaning flow table to the flow table issuing unit. An abnormal detection result indicates that the traffic corresponding to the flow table information is attack traffic; correspondingly, a normal detection result indicates normal traffic. Optionally, the flow table generating unit 1031 does not process normal traffic and leaves the various statistics unchanged. As described above, the result output by the detection module 102 at one time may cover multiple pieces of flow table information, so a single output may contain both normal and abnormal detection results, and the flow table generating unit 1031 generates a cleaning flow table for the flow table information corresponding to each abnormal detection result.
The flow table issuing unit 1032 is configured to issue the cleaning flow table to the data plane so that the data plane cleans the flow table information according to it. Specifically, the flow table issuing unit 1032 issues the cleaning flow table generated by the flow table generating unit to the access and forwarding layer of the data plane through the southbound interface according to the OpenFlow protocol, so that the attack traffic is cleaned.
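The flow table generating and issuing units described above, as an added example that is not the patent's own code: for one input window it emits a drop rule per distinct abnormal match, leaves normal entries and their statistics untouched, and pushes the rules through a stand-in southbound channel; the entry layout, the priority boost, the timeout and the sample window are assumptions.

```python
"""Slice defense module: build a cleaning flow table (drop rules) for every
abnormal detection result of one input window and issue it through the
southbound interface. Added illustration, not the patent's code; the entry
layout, priority boost, timeout and southbound stand-in are assumptions."""
from typing import Dict, List, Sequence, Tuple

OFP_MAX_PRIORITY = 0xFFFF   # OpenFlow flow priorities are 16-bit
PRIORITY_BOOST = 1          # assumption: a drop rule must outrank the entry it cleans
DROP_HARD_TIMEOUT = 60      # assumption: cleaning rules expire unless re-issued


def match_key(entry: Dict) -> Tuple:
    """Hashable identity of a flow: its table id plus sorted match fields."""
    return (entry.get("table_id", 0), tuple(sorted(entry["match"].items())))


def make_cleaning_entry(entry: Dict) -> Dict:
    """Drop rule for the match of one abnormal flow table entry. In OpenFlow an
    empty action list means drop; the priority is raised above the original
    entry so the cleaning rule wins the table lookup."""
    return {
        "table_id": entry.get("table_id", 0),
        "match": dict(entry["match"]),
        "priority": min(entry["priority"] + PRIORITY_BOOST, OFP_MAX_PRIORITY),
        "actions": [],                    # empty action list == drop
        "hard_timeout": DROP_HARD_TIMEOUT,
    }


def build_cleaning_flow_table(entries: Sequence[Dict],
                              results: Sequence[bool]) -> List[Dict]:
    """Take one window of entries and the detector's per-entry results
    (True = attack traffic). Normal entries are left untouched so their
    statistics stay unchanged; one drop rule is emitted per distinct
    abnormal match even if the window holds that flow several times."""
    if len(entries) != len(results):
        raise ValueError("one detection result is required per flow table entry")
    cleaning: List[Dict] = []
    seen = set()
    for entry, is_attack in zip(entries, results):
        if not is_attack:
            continue
        key = match_key(entry)
        if key in seen:
            continue
        seen.add(key)
        cleaning.append(make_cleaning_entry(entry))
    return cleaning


class RecordingSouthbound:
    """Stand-in for the southbound interface: records the flow mods instead of
    encoding them as OpenFlow OFPT_FLOW_MOD messages (constructed for the example)."""

    def __init__(self) -> None:
        self.sent: List[Dict] = []

    def send_flow_mod(self, flow_mod: Dict) -> None:
        self.sent.append(flow_mod)


def issue_cleaning_flow_table(cleaning: Sequence[Dict],
                              southbound: RecordingSouthbound) -> int:
    """Flow table issuing unit: push every cleaning entry to the data plane as an
    ADD flow mod and return how many were issued."""
    for rule in cleaning:
        southbound.send_flow_mod({"command": "ADD", **rule})
    return len(cleaning)


# Constructed window: four entries and the detector's result for each.
# Entries 1 and 2 are the same attack flow seen twice within the window.
SAMPLE_ENTRIES: List[Dict] = [
    {"priority": 100, "match": {"in_port": 1, "ipv4_src": "10.0.0.1",
                                "ipv4_dst": "10.0.0.2", "tcp_dst": 80}},
    {"priority": 100, "match": {"in_port": 3, "ipv4_src": "192.0.2.7",
                                "ipv4_dst": "10.0.0.2", "udp_dst": 53}},
    {"priority": 100, "match": {"in_port": 3, "ipv4_src": "192.0.2.7",
                                "ipv4_dst": "10.0.0.2", "udp_dst": 53}},
    {"priority": 50, "match": {"in_port": 3, "ipv4_src": "198.51.100.9",
                               "ipv4_dst": "10.0.0.2", "tcp_dst": 443}},
]
SAMPLE_RESULTS: List[bool] = [False, True, True, True]


def run_defense(entries: Sequence[Dict], results: Sequence[bool]) -> Tuple[int, List[Dict]]:
    """Defense module for one window: generate, then issue, the cleaning flow table."""
    cleaning = build_cleaning_flow_table(entries, results)
    southbound = RecordingSouthbound()
    issued = issue_cleaning_flow_table(cleaning, southbound)
    return issued, southbound.sent
```

Caveat: the drop rule inherits the original entry's match, so an entry with a wide wildcard match would drop all traffic it covers; the constructed entries are narrow, flow-specific matches.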
Please refer to fig. 4, a flowchart of the network attack defense process implemented by the SDN network system according to this embodiment. The flow table acquisition unit 1011 in the preprocessing module 101 collects flow table information and sends it to the data processing unit 1012. The data processing unit 1012 performs data format conversion and dimension reconstruction on it and checks whether the size of one input window of the deep learning-based neural network model in the detection module 102 has been reached; if not, the flow table acquisition unit 1011 continues to collect flow table information for processing; if so, the data processing unit 1012 inputs the dimension-reconstructed flow table information into the detection module 102, which performs attack detection based on the deep learning neural network model. The system then judges whether the detection result indicates attack traffic: if not, no processing is done and the various statistics are left unchanged; if so, the flow table generating unit 1031 in the defense module 103 generates a cleaning flow table whose action is drop and sends it to the flow table issuing unit 1032, which issues the cleaning flow table to the data plane to clean the attack traffic, thereby defending against the attack traffic in the network.
Compared with the prior art, the SDN network system provided by this embodiment comprises a data plane, a control plane and an application plane, the control plane comprising a plurality of slices, each slice comprising a preprocessing module, a detection module and a defense module; the preprocessing module preprocesses the acquired flow table information and inputs it into the detection module, the detection module detects the flow table information and sends the detection result to the defense module, and when the detection result is abnormal the defense module issues a cleaning flow table according to the detection result and the flow table information is cleaned according to that cleaning flow table. Because the control plane is divided into slices, the preprocessing, detection and defense modules in each slice detect and defend against network attacks within that slice, so the data security of each slice is ensured; furthermore, because a cleaning flow table is issued to clean the attack traffic as soon as the detection result for the flow table information is abnormal, network attacks are handled automatically, the untimely handling of the prior art, where the network manager must act after the intrusion detection system sends an alarm message, is avoided, and the efficiency of processing network attacks is improved.
It should be noted that each module referred to in this embodiment is a logical module, and in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not so closely related to solving the technical problems proposed by the present invention are not introduced in the present embodiment, but this does not indicate that other elements are not present in the present embodiment.
A second embodiment of the present invention relates to a network attack defense method, including: dividing the SDN control plane into a plurality of slices, wherein each slice comprises a preprocessing module, a detection module and a defense module; and executing the network attack defense of the slice by utilizing each slice, wherein the executing of the network attack defense of the slice comprises the following steps: collecting the flow table information of the slice, carrying out network attack detection according to the collected flow table information and the neural network model of the slice, issuing a cleaning flow table under the condition of determining to be attacked by the network, and cleaning the flow table information according to the cleaning flow table.
Please refer to fig. 5, a schematic flow chart of executing the network attack defense of a slice in the network attack defense method according to this embodiment of the present invention; the method specifically comprises the following steps:
S201: collecting the flow table information of the slice.
S202: performing network attack detection according to the collected flow table information and the neural network model of the slice.
S203: when a network attack is determined, issuing a cleaning flow table and cleaning the flow table information according to the cleaning flow table.
Further, executing the network attack defense of the slice also comprises:
collecting the flow table information from the data plane, performing data format conversion and dimension reconstruction on the flow table information, and inputting the dimension-reconstructed flow table information into the neural network model for detection.
Further, executing the network attack defense of the slice also comprises:
performing network attack detection according to the deep-learning-based neural network model of the slice.
Further, executing the network attack defense of the slice also comprises:
when a network attack is determined, issuing a cleaning flow table whose action is drop, and cleaning the flow table information according to that cleaning flow table.
Compared with the prior art, the network attack defense method provided by this embodiment of the invention divides the SDN control plane into a plurality of slices, each slice comprising a preprocessing module, a detection module and a defense module, and executes the network attack defense of each slice within that slice, which comprises: collecting the flow table information of the slice, performing network attack detection according to the collected flow table information and the neural network model of the slice, issuing a cleaning flow table when a network attack is determined, and cleaning the flow table information according to the cleaning flow table. Because the control plane is divided into a plurality of slices and each slice has its own preprocessing, detection and defense modules, network attacks are detected and defended within each slice, so that the data security of each slice is ensured. Furthermore, when the detection result for the flow table information is abnormal, a cleaning flow table is issued to clean out the attack traffic, so that the network attack is handled automatically. This avoids the untimely handling of the prior art, in which the network manager sends the alarm message to the intrusion detection system and only then processes the alarm message, and improves the efficiency of handling network attacks.
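The per-slice preprocess, detect and defend procedure of steps S201 to S203, as an added example that is not part of the patent: a constructed flow table is format-converted and reshaped into per-source feature vectors, a stand-in scoring function takes the place of the trained neural network model (an assumption; the patent does not specify the model), and a cleaning flow table whose rules carry an empty action list, which in OpenFlow means drop, is issued for each flagged source.

```python
"""Per-slice network attack defense pipeline: preprocess -> detect -> defend.

Added example, not the patent's code. The flow table is constructed; detect()
is a stand-in scorer for the patent's trained deep-learning model (assumption),
and the cleaning rule format mimics OpenFlow flow-mod fields.
"""
from typing import Dict, List

# Constructed flow table for one slice, as a data-plane switch might report it
# (fields arrive as strings and need format conversion). Two ordinary flows,
# then a burst of twenty one-packet flows from 10.0.0.9 to twenty destinations.
SAMPLE_FLOW_TABLE = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "pkts": "1200", "bytes": "960000", "dur": "30"},
    {"src": "10.0.0.3", "dst": "10.0.0.2", "pkts": "800", "bytes": "640000", "dur": "30"},
] + [
    {"src": "10.0.0.9", "dst": f"10.0.0.{i}", "pkts": "1", "bytes": "60", "dur": "1"}
    for i in range(10, 30)
]

def preprocess(flow_table: List[Dict[str, str]]) -> Dict[str, List[float]]:
    """Data format conversion (strings -> numbers) and dimension reconstruction:
    raw entries are reshaped into one fixed-length feature vector per source,
    [flow_count, packets_per_second, mean_packet_size, distinct_destinations]."""
    per_src: Dict[str, dict] = {}
    for f in flow_table:
        pkts, nbytes, dur = int(f["pkts"]), int(f["bytes"]), max(int(f["dur"]), 1)
        rec = per_src.setdefault(f["src"], {"n": 0, "rate": 0.0, "size": 0.0, "dsts": set()})
        rec["n"] += 1
        rec["rate"] += pkts / dur
        rec["size"] += nbytes / max(pkts, 1)
        rec["dsts"].add(f["dst"])
    return {src: [float(r["n"]), r["rate"], r["size"] / r["n"], float(len(r["dsts"]))]
            for src, r in per_src.items()}

def detect(features: Dict[str, List[float]]) -> List[str]:
    """Stand-in anomaly scorer (assumption: the patent uses a trained neural
    network here). Many tiny flows fanning out to many destinations from one
    source is scored abnormal; returns the sources determined to be attacking."""
    flagged = []
    for src, (n, _rate, mean_size, dsts) in features.items():
        score = 0.6 if (n >= 10 and mean_size < 100) else 0.0
        score += 0.4 if dsts >= 10 else 0.0
        if score >= 0.5:
            flagged.append(src)
    return flagged

def build_cleaning_flow_table(flagged: List[str], priority: int = 100) -> List[dict]:
    """Generate the cleaning flow table: one high-priority rule per flagged
    source with an empty action list, which in OpenFlow means drop."""
    return [{"match": {"src": src}, "priority": priority, "actions": []} for src in flagged]

def apply_cleaning(flow_table: List[Dict[str, str]], cleaning: List[dict]) -> List[Dict[str, str]]:
    """Simulate the data plane installing the cleaning flow table: entries from
    a dropped source are cleaned out of the flow table."""
    blocked = {rule["match"]["src"] for rule in cleaning}
    return [f for f in flow_table if f["src"] not in blocked]

def run_slice_defense(flow_table: List[Dict[str, str]]):
    """S201-S203 for one slice: collect, detect, issue cleaning table, clean."""
    flagged = detect(preprocess(flow_table))
    cleaning = build_cleaning_flow_table(flagged)
    return flagged, cleaning, apply_cleaning(flow_table, cleaning)
```

Running `run_slice_defense(SAMPLE_FLOW_TABLE)` flags only 10.0.0.9 and leaves the two ordinary flows in the cleaned table.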
The steps of the above method are divided for clarity of description; in implementation they may be combined into one step, or some steps may be split into multiple steps, and as long as the steps contain the same logical relationship they fall within the protection scope of this patent. Adding insignificant modifications to the algorithm or process, or introducing insignificant design changes, without changing the core design of the algorithm or process also falls within the protection scope of this patent.
It should be understood that this embodiment is a method example corresponding to the first embodiment and may be implemented in cooperation with it. The technical details mentioned in the first embodiment remain valid in this embodiment and are not repeated here; correspondingly, the technical details mentioned in this embodiment can also be applied to the first embodiment.
A third embodiment of the present invention relates to a network device, as shown in fig. 6, comprising at least one processor 301; and a memory 302 communicatively coupled to the at least one processor 301; the memory 302 stores instructions executable by the at least one processor 301, and the instructions are executed by the at least one processor 301, so that the at least one processor 301 can execute the network attack defense method.
Where the memory 302 and the processor 301 are coupled by a bus, the bus may comprise any number of interconnected buses and bridges, coupling one or more circuits of the processor 301 and the memory 302. The bus may also connect various other circuits, such as peripherals, voltage regulators and power management circuits, which are well known in the art and therefore not described further here. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. Data processed by the processor 301 is transmitted over a wireless medium through an antenna, which also receives data and passes it to the processor 301.
The processor 301 is responsible for managing the bus and for general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory 302 may be used to store data used by the processor 301 in performing operations.
A fourth embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program realizes the above-described method embodiments when executed by a processor.
That is, those skilled in the art can understand that all or part of the steps of the method in the foregoing embodiments may be implemented by a program instructing related hardware; the program is stored in a storage medium and includes several instructions that enable a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.
Claims (10)
1. An SDN network system comprising: a data plane, a control plane and an application plane, wherein the control plane comprises a plurality of slices, each of the slices comprising: the system comprises a preprocessing module, a detection module and a defense module;
the preprocessing module is used for preprocessing the acquired flow table information and inputting the preprocessed flow table information into the detection module;
the detection module is used for detecting the flow table information and sending a detection result to the defense module;
and the defense module is used for issuing a cleaning flow table according to the detection result and cleaning the flow table information according to the cleaning flow table when the detection result is abnormal.
2. The SDN network system of claim 1, wherein the pre-processing module comprises a flow table acquisition unit and a data processing unit;
the flow table acquisition unit is used for acquiring the flow table information from the data plane and sending the flow table information to the data processing unit;
the data processing unit is used for performing data format conversion and dimension reconstruction on the flow table information and sending the flow table information subjected to dimension reconstruction to the detection module.
3. The SDN network system of claim 1, wherein the detection module is configured to detect the flow table information based on a deep-learning neural network model.
4. The SDN network system of claim 1, wherein the defense module comprises a flow table generating unit and a flow table issuing unit;
the flow table generating unit is used for generating, when the detection result is abnormal, a cleaning flow table whose action is drop according to the flow table information corresponding to the abnormal detection result, and sending the cleaning flow table to the flow table issuing unit;
and the flow table issuing unit is used for issuing the cleaning flow table to the data plane so that the data plane cleans the flow table information according to the cleaning flow table.
5. A network attack defense method, comprising:
dividing the SDN control plane into a plurality of slices, wherein each slice comprises a preprocessing module, a detection module and a defense module;
executing the network attack defense of each slice within that slice, wherein executing the network attack defense of the slice comprises:
collecting the flow table information of the slice, performing network attack detection according to the collected flow table information and the neural network model of the slice, issuing a cleaning flow table when a network attack is determined, and cleaning the flow table information according to the cleaning flow table.
6. The network attack defense method according to claim 5, wherein executing the network attack defense of the slice further comprises:
collecting the flow table information from the data plane, performing data format conversion and dimension reconstruction on the flow table information, and inputting the dimension-reconstructed flow table information into the neural network model for detection.
7. The network attack defense method according to claim 5, wherein executing the network attack defense of the slice further comprises:
performing network attack detection according to the deep-learning-based neural network model of the slice.
8. The network attack defense method according to claim 5, wherein executing the network attack defense of the slice further comprises:
when a network attack is determined, issuing a cleaning flow table whose action is drop, and cleaning the flow table information according to the cleaning flow table.
9. A network device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the network attack defense method recited in any one of claims 5 to 8.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the network attack defense method according to any one of claims 5 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911410351.9A CN111224970A (en) | 2019-12-31 | 2019-12-31 | SDN network system, network attack defense method, device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111224970A true CN111224970A (en) | 2020-06-02 |
Family
ID=70832699
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911410351.9A Pending CN111224970A (en) | 2019-12-31 | 2019-12-31 | SDN network system, network attack defense method, device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111224970A (en) |
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180316729A1 (en) * | 2015-10-13 | 2018-11-01 | Schneider Electric Industries Sas | Centralized management of a software defined automation system |
CN106911669A (en) * | 2017-01-10 | 2017-06-30 | Zhejiang Gongshang University | DDoS detection method based on deep learning |
EP3557836A1 (en) * | 2017-01-24 | 2019-10-23 | Huawei Technologies Co., Ltd. | Method for negotiating security protection and network element |
CN110249603A (en) * | 2017-01-31 | 2019-09-17 | Telefonaktiebolaget LM Ericsson (publ) | Method and attack detection function for detecting a distributed attack in a wireless network |
CN106921666A (en) * | 2017-03-06 | 2017-07-04 | Sun Yat-sen University | DDoS attack defense system and method based on synergy |
CN107231384A (en) * | 2017-08-10 | 2017-10-03 | University of Science and Technology Beijing | DDoS attack detection and defense method and system for 5G network slices |
CN108123931A (en) * | 2017-11-29 | 2018-06-05 | Zhejiang Gongshang University | DDoS attack defense device and method in a software-defined network |
CN109768981A (en) * | 2019-01-20 | 2019-05-17 | Beijing University of Technology | Machine-learning-based network attack defense method and system under an SDN architecture |
CN110113328A (en) * | 2019-04-28 | 2019-08-09 | Wuhan University of Technology | Blockchain-based DDoS defense method for software-defined opportunistic networks |
Non-Patent Citations (1)
Title |
---|
佟平 (Tong Ping): "National Informatization and Informatization Tools" (《国家信息化与信息化工具》), 30 June 2017 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112367213A (en) * | 2020-10-12 | 2021-02-12 | Institute of Computing Technology, Chinese Academy of Sciences | SDN-oriented policy anomaly detection method, system, device and storage medium |
CN112367213B (en) * | 2020-10-12 | 2022-02-25 | Institute of Computing Technology, Chinese Academy of Sciences | SDN-oriented policy anomaly detection method, system, device and storage medium |
CN113219341A (en) * | 2021-03-23 | 2021-08-06 | 陈九廷 (Chen Jiuting) | Model generation and battery degradation estimation device, method, medium and apparatus |
CN113219341B (en) * | 2021-03-23 | 2023-04-07 | 陈九廷 (Chen Jiuting) | Model generation and battery degradation estimation device, method, medium and apparatus |
CN116155731A (en) * | 2023-04-14 | 2023-05-23 | National University of Defense Technology, PLA | Communication control method and device supporting control path of RMT (remote management T) |
CN116155731B (en) * | 2023-04-14 | 2023-06-20 | National University of Defense Technology, PLA | Communication control method and device supporting control path of RMT (remote management T) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200602 |