CN110366170A - A wireless network security defense method based on software-defined security - Google Patents
- Publication number
- CN110366170A (application CN201910518416.5A)
- Authority
- CN
- China
- Prior art keywords
- network
- attack
- data
- wireless
- environment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/65—Environment-dependent, e.g. using captured environmental data
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a wireless network security defense method based on software-defined security. The method is built on a software-defined security network architecture comprising a cloud platform, an SDN controller and wireless access points. A wireless access point sniffs the data packets of its wireless network environment and uploads the network environment data to the cloud platform in real time; it also executes the network flow tables issued by the SDN controller to carry out network defense. The cloud platform performs attack detection on the network environment data, generates a defense decision once an attack is detected, and sends the decision to the SDN controller. The SDN controller manages and configures the network forwarding devices, including the wireless access points, and issues network flow tables according to the defense decisions. The invention automates and integrates attack detection and defense in wireless networks and improves protection efficiency.
Description
Technical field
The invention relates to a wireless network security defense method and belongs to the field of network security.
Background
With the rapid development of the Internet, network and information technology has come into much wider use, but this has been accompanied by network attacks of greater scale and wider reach.
Existing detection and defense methods for wireless networks deploy wireless sniffing devices in the network environment to sniff environment data, rely on an expert rule base to detect whether the network environment data contains an attack and to locate the attack, and then defend the network manually or with other network tools. These methods depend on where the sniffing devices are deployed and cannot detect attacks outside the deployed range; moreover, they usually cover only monitoring and detection and cannot carry out automated defense once an attack is detected, so their protection efficiency in real deployments is low.
The rise of software-defined networking (SDN) provides important support for the evolution of network information security: its management and control of network forwarding devices make network defense possible. The software-defined security (SDS) approach to protection, proposed on top of SDN, makes security detection and defense more proactive and better coordinated, and improves the network's manageability, level of coordination and quality of service. Its idea is to separate the data plane from the control plane and to divide the system, from top to bottom, into an application layer, a control layer and a physical layer. The control layer manages the physical-layer network resources centrally and directs them to carry out specific security defense operations according to its instructions; the application layer performs intelligent, automated service orchestration and management in a software-defined manner to realize the corresponding security functions. The result is a protection mechanism with flexible functions, elastic capabilities and intelligent decision-making.
Summary of the invention
The purpose of the invention is to provide a wireless network security defense method based on a software-defined security architecture. It achieves environment awareness by combining a network security agent with a network device, uses a cloud platform to perform detection and decision-making with intelligent algorithms, and uses an SDN controller to carry out automatic defense, thereby automating and integrating attack detection and defense in wireless networks and improving protection efficiency.
The technical scheme adopted by the invention to achieve this purpose is as follows:
In the software-defined security architecture, the wireless access point at the physical layer contains a security agent, the cloud platform at the application layer contains a database, a communication server and a detection system, and the SDN controller at the control layer contains a firewall. The wireless network security defense method comprises the following steps:
(1) The security agent sniffs the wireless network environment and uploads the network environment data to the communication server; the communication server parses the received network environment data packets and stores the parsed network environment data in the database;
(2) The detection system checks whether the parsed network environment data contains network attack data. If it does, the detection system retrieves the corresponding defense action from the database according to the attack type of the network attack data, extracts the attack feature information from the network attack data, encapsulates the defense action and the attack feature information into a defense decision, and sends the defense decision to the SDN controller;
(3) The firewall in the SDN controller issues a network flow table to the network forwarding devices according to the defense action, and the network forwarding devices execute the corresponding defense action according to the received flow table.
Further, in step (1) the security agent uploads the network environment data to the communication server using the CoAP protocol.
Further, the security agent comprises a communication client and an environment sniffing module; in step (1), the environment sniffing module sniffs the wireless network environment and passes the network environment data it obtains to the communication client, and the communication client uploads the received network environment data to the communication server.
Further, the environment sniffing module obtains the network environment data as follows:
1) The environment sniffing module creates a network socket in the application process and binds it to the wireless network card of the wireless access point;
2) The environment sniffing module captures, through the wireless network card of the access point, all wireless data packets in the network environment in which that card is located, and the wireless data packets are passed from the wireless network card to the environment sniffing module through the network socket;
3) The environment sniffing module adds a pcap-format header to each wireless data packet to produce pcap-format data, then adds a communication protocol header to the pcap-format data to obtain the network environment data.
Further, the detection system comprises an attack detection module and a decision delivery module, and step (2) is performed as follows:
The attack detection module analyzes the network environment data and judges whether it contains network attack data. If it does, the decision delivery module retrieves the corresponding defense action from the database according to the attack type judged by the attack detection module and extracts the attack feature information from the network attack data; the decision delivery module then encapsulates the defense action and the attack feature information into a defense decision and sends the defense decision to the SDN controller.
Compared with the prior art, the beneficial effects of the invention are:
(1) By dividing wireless-network detection and defense into three steps, environment perception, intelligent detection and automatic defense, a complete closed loop from detection to defense of wireless network attacks is achieved.
(2) Using the wireless access point itself as the network sniffer to capture network environment packets allows network-wide monitoring without relying on other devices, which solves the device dependence and limited coverage that the prior art incurs by relying on dedicated sniffer deployments; it greatly enlarges the sniffing range, lowers the difficulty of sniffing and environment perception, and achieves real-time perception of a wide network environment.
(3) Deploying attack detection on the cloud platform exploits the platform's computing and storage capacity for complex algorithmic detection and data storage, solving the prior art's inability, due to limited computing power, to perform algorithmic detection and unified monitoring and storage.
(4) Using the SDN controller to manage the wireless network and carry out automatic defense solves the low defense efficiency of the prior art, which relies on manual defense or other defense tools; defense is automated and protection efficiency is improved.
Description of drawings
Figure 1 is a diagram of the software-defined security architecture of one embodiment of the invention.
Detailed description of embodiments
The invention is further described below with a specific embodiment. Figure 1 shows the software-defined security architecture of this embodiment, which is described as follows:
Wireless access point: To keep the wireless access point developable, in this embodiment its operating system may be an open-source operating system. To make the wireless access point support the OpenFlow protocol and join the SDN network, this embodiment uses Open vSwitch (OVS) as the internal bridge of the wireless access point. In addition, a security agent is deployed in the wireless access point. The security agent consists of a communication client and an environment sniffing module. In this embodiment, considering the hardware limitations of the wireless access point, the communication client is a CoAP client and the communication protocol is CoAP; the invention may also use other application-layer communication protocols such as HTTP. When the wireless access point boots, the communication client starts and sends a CoAP packet of type CON to the communication server in the cloud platform, with the MAC address of the wireless access point stored in the packet's Token; the communication server authenticates the access point's MAC address as its access authorization and establishes the connection. Once the communication connection is established, the environment sniffing module of the wireless access point starts. The environment sniffing module first creates a network socket in the application process and binds it to the wireless network card of the wireless access point; the wireless network card then captures all wireless data packets in the network environment in which it is located, and the wireless data packets are passed through the network socket to the environment sniffing module; the environment sniffing module adds a pcap-format header to each wireless data packet to produce pcap-format data and adds a CoAP protocol header to the pcap-format data to obtain the network environment data. The communication client uploads the resulting network environment data to the communication server in the cloud platform in real time as NON-type messages.
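As an added illustration of steps 1) to 3) of the sniffing module and of the access-point embodiment just described (this is example code written for this page, not the patent's or any project's implementation), the following Python builds the two CoAP messages the description mentions: a CON message whose token carries the access point's MAC address, and NON messages whose payload is a captured 802.11 frame framed as pcap data. The pcap layout (magic 0xa1b2c3d4, version 2.4, link type 105 for raw IEEE 802.11) follows the public pcap file format and the CoAP header layout follows RFC 7252. The CoAP request code, the choice of sending a full pcap file header in every message, and the sample MAC addresses and authentication frame are assumptions constructed for the example; the raw socket bound to the wireless card in step 1) is replaced by a constructed frame so the code runs offline. A parse-back path is included because the communication server must validate what the access point sends before storing it.

```python
"""Added example for this page (not the patent's code): framing a captured
802.11 frame as pcap data and wrapping it in a CoAP message, as the
environment sniffing module and communication client are described to do.
pcap layout follows the public pcap file format; CoAP layout follows RFC 7252.
Everything else (message codes, sample MACs, the sample frame) is assumed."""
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4        # pcap magic, microsecond timestamps
LINKTYPE_IEEE802_11 = 105      # raw IEEE 802.11 frames (no radiotap header)

COAP_VER = 1
COAP_CON, COAP_NON, COAP_ACK = 0, 1, 2   # RFC 7252 message types
COAP_POST = 0x02                         # code 0.02 (assumed for the upload)
COAP_PAYLOAD_MARKER = b"\xff"

AP_MAC = "02:00:00:00:00:01"     # constructed sample access-point MAC
STA_MAC = "02:00:00:00:00:99"    # constructed sample station MAC


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes (used as the CoAP token)."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six octets")
    return bytes(int(p, 16) for p in parts)


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_IEEE802_11):
    # magic, major, minor, thiszone, sigfigs, snaplen, network (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts=None):
    """Per-packet pcap header (ts_sec, ts_usec, incl_len, orig_len) + frame."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def coap_message(msg_type, code, msg_id, token=b"", payload=b""):
    """Minimal CoAP message with no options: header, token, [0xFF payload]."""
    if not 0 <= len(token) <= 8:
        raise ValueError("CoAP token length must be 0..8")
    first = (COAP_VER << 6) | (msg_type << 4) | len(token)
    msg = struct.pack("!BBH", first, code, msg_id) + token
    if payload:
        msg += COAP_PAYLOAD_MARKER + payload
    return msg


def parse_coap(data):
    """Server-side parse of the messages built above (no CoAP options)."""
    first, code, msg_id = struct.unpack("!BBH", data[:4])
    ver, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if ver != COAP_VER:
        raise ValueError("unsupported CoAP version")
    token, rest = data[4:4 + tkl], data[4 + tkl:]
    if rest and rest[:1] != COAP_PAYLOAD_MARKER:
        raise ValueError("CoAP options are not handled by this example")
    return {"type": msg_type, "code": code, "id": msg_id,
            "token": token, "payload": rest[1:]}


def build_auth_message(ap_mac, msg_id):
    """CON message announcing the AP; the token carries the AP's MAC address."""
    return coap_message(COAP_CON, COAP_POST, msg_id, token=mac_bytes(ap_mac))


def build_env_data_message(ap_mac, frame, msg_id, ts):
    """NON message whose payload is one captured frame in pcap format."""
    payload = pcap_global_header() + pcap_record(frame, ts)
    return coap_message(COAP_NON, COAP_POST, msg_id,
                        token=mac_bytes(ap_mac), payload=payload)


def extract_frames(pcap_bytes):
    """Validate the pcap header; return (linktype, [(timestamp, frame), ...])."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap header")
    magic, vmaj, vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC or (vmaj, vmin) != (2, 4):
        raise ValueError("not a pcap 2.4 header")
    frames, off = [], 24
    while off < len(pcap_bytes):
        if off + 16 > len(pcap_bytes):
            raise ValueError("truncated pcap record header")
        sec, usec, incl, _orig = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        if off + incl > len(pcap_bytes):
            raise ValueError("truncated pcap record")
        frames.append((sec + usec / 1e6, pcap_bytes[off:off + incl]))
        off += incl
    return linktype, frames


def sample_auth_frame(src_mac, dst_mac, seq):
    """Constructed 802.11 Authentication frame (management subtype 0xB)."""
    header = (b"\xb0\x00"                     # frame control: mgmt, subtype auth
              + b"\x00\x00"                   # duration
              + mac_bytes(dst_mac) + mac_bytes(src_mac) + mac_bytes(dst_mac)  # addr1..3
              + struct.pack("<H", seq << 4))  # sequence control
    body = struct.pack("<HHH", 0, 1, 0)       # open system, transaction 1, status 0
    return header + body


if __name__ == "__main__":
    msg = build_env_data_message(AP_MAC, sample_auth_frame(STA_MAC, AP_MAC, 7), 42, 1560556800.5)
    parsed = parse_coap(msg)
    linktype, frames = extract_frames(parsed["payload"])
    print(parsed["token"].hex(":"), linktype, len(frames), frames[0][1].hex())
```

Sending the 24-byte pcap file header with every NON message is wasteful on a constrained access point; a real deployment would negotiate the link type once during the CON handshake and send only per-packet records afterwards. The parse side deliberately rejects anything it does not understand (options, truncated records) rather than storing it in the database.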
Cloud platform: The cloud platform may be implemented with an open-source cloud platform architecture such as OpenStack, or with the products of an existing cloud service provider such as Alibaba Cloud or AWS. In this embodiment, at least one communication server, one detection system and one database are deployed on the cloud platform. The communication server receives the data from the communication client in the wireless access point; its communication protocol matches that of the communication client, which in this embodiment is CoAP. The detection system comprises an attack detection module for detecting attacks and a decision delivery module for issuing decisions. The database stores the network logs and the defense actions used to defend against network attacks. When the communication connection is first set up, the communication server receives the authentication packet from the communication client in the wireless access point; after successful authentication it returns an ACK packet with the start instruction stored in the packet's option. Once the connection is established, the communication server continuously receives network environment data from the communication client in the wireless access point. It stores the network environment data in the database and at the same time passes it to the detection system for attack detection. In this embodiment, the attack detection module of the detection system uses algorithm-matching detection. The attack detection module of the invention may also use other detection methods such as expert-library matching, and the algorithm used for algorithm-matching detection may be an artificial intelligence algorithm such as a CNN, KNN or random forest. In this embodiment, before performing attack detection by algorithm matching, the attack detection module first trains the artificial intelligence algorithm on a data set to produce an algorithm model; when detecting attacks, the attack detection module feeds the network environment data as input to the trained model, and the judgment output by the model is the detection result. The output judgment may be normal, or some type of attack (such as a flooding attack, an impersonation attack or an injection attack). If the detection result indicates an attack, the decision delivery module of the detection system retrieves the corresponding defense action (drop, block, hopping) from the database according to the attack type and extracts the attack feature information from the attack data. The attack feature information differs with the attack type and defense action and must be configured for the specific situation: for example, for flooding and injection attacks the corresponding defense action may be "drop" and the attack feature information is the source MAC address of the attack packets, while for an interference (jamming) attack the corresponding defense action may be "hopping" and the attack feature information is the destination MAC address and the channel number. Finally, the decision delivery module encapsulates the defense action and the attack feature information into a defense decision in JSON format and sends the defense decision to the SDN controller over HTTP.
SDN controller: After the SDN controller receives a defense decision from the cloud platform, the firewall generates a network flow table from the content of the decision, filling the action field of the flow entry with the defense action from the decision and the object (match) field with the attack feature information from the decision. The firewall delivers the generated flow table, via the packet-out message of the OpenFlow protocol, to all network forwarding devices in the wireless local area network where the wireless access point is located. The OVS bridge in the wireless access point executes the defense action according to the flow table, achieving automatic network defense.
Taking a flooding attack as an example, a typical detection and defense cycle of the invention is described below with a specific embodiment.
The wireless access point boots and starts the communication client. The communication client in the wireless access point first performs connection authentication with the communication server in the cloud platform. If authentication fails, the wireless access point returns an error message and the program ends. If authentication succeeds, the cloud platform returns a start instruction to the wireless access point; on receiving it, the wireless access point starts the environment sniffing module, which captures the network data of the wireless network it is in through the access point's wireless network card and adds the pcap data format and a CoAP protocol header to produce network environment data packets. The communication client continuously uploads the network environment data captured by the environment sniffing module to the communication server in the cloud platform over CoAP.
An attacker is present in the network environment of the wireless access point and carries out a flooding attack by sending a large number of authentication packets to the wireless access point as attack packets. These attack packets are captured by the environment sniffing module of the wireless access point, mixed in with the normal network environment data, and uploaded to the cloud platform.
After receiving the network environment data packets, the communication server in the cloud platform parses them and stores the parsed network environment data in the database. At the same time, the attack detection module of the cloud platform's detection system feeds the network environment data into the trained CNN model for attack detection. Because the network environment data contains the attack packets of a flooding attack, the attack detection module detects the attack packets and classifies the attack type as a flooding attack.
According to the attack type determined by the attack detection module, the decision delivery module of the detection system retrieves the defense action for a flooding attack from the database, here "drop", whose concrete defense behaviour is to discard all packets from a given MAC address. At the same time, according to the attack type and the defense action, the decision delivery module extracts the attack feature information from the attack packets, here the source MAC address.
The decision delivery module encapsulates the attack feature information and the defense action in JSON format and forwards them to the SDN controller over HTTP.
After the SDN controller receives the message from the cloud platform, the firewall parses the defense decision, generates a network flow table from the defense action and attack feature information in the decision, and delivers it via the packet-out message of the OpenFlow protocol to all network forwarding devices in the wireless local area network where the wireless access point is located.
A new flow entry with action "drop" and the above MAC address as its match object is added to the OVS bridge of the wireless access point; the OVS bridge then discards all data frames from that MAC address, completing the network defense.
The access point keeps repeating the process of capturing network environment data and uploading it to the cloud platform's attack detection system; once attack data is detected, the cloud platform and the SDN controller respond and defend against the attack to protect the network.
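The following Python is an added example, written for this page rather than taken from the patent, of the decision-delivery step on the cloud platform (step (2) and the decision delivery module above) and the flow-entry generation on the SDN controller (step (3)), run end to end on a constructed version of the flooding scenario just described. The patent's detector is a trained model (a CNN in the embodiment); the per-source rate counter used here is a stand-in constructed so the example runs offline, not the patent's detection method. The attack-type-to-action table reproduces only the pairings the description gives (flooding and injection to "drop", interference to "hopping"); the JSON field names, the use of ovs-ofctl add-flow rule syntax to represent the flow entry, the threshold values and all MAC addresses and timestamps are assumptions. Delivery of the rule to the switch (which the description assigns to an OpenFlow message) is outside the example.

```python
"""Added example for this page (not the patent's code): the decision-delivery
step on the cloud platform and the flow-entry generation on the SDN controller,
run end to end on a constructed flooding scenario.  The patent's detector is a
trained model (a CNN in the embodiment); the per-source rate counter below is a
stand-in so the example runs offline.  The action table, JSON field names and
ovs-ofctl rule text are assumptions."""
import json
import re

AP_MAC = "02:00:00:00:00:01"        # constructed sample AP MAC
FLOOD_SRC = "02:00:00:00:00:99"     # constructed sample flooding source

# Defense action per attack type, as the database in the description holds them
# (flooding/injection -> drop and interference -> hopping come from the text).
DEFENSE_ACTIONS = {"flooding": "drop", "injection": "drop", "interference": "hopping"}

# Which packet fields form the "attack feature information" for each action.
FEATURE_FIELDS = {"drop": ("src_mac",), "hopping": ("dst_mac", "channel")}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def flood_sources(records, threshold=20, window=1.0):
    """Stand-in detector: a source that sends more than `threshold`
    authentication frames within `window` seconds is flagged."""
    by_src = {}
    for r in records:
        if r.get("subtype") == "auth":
            by_src.setdefault(r["src_mac"], []).append(r["ts"])
    flagged = []
    for src, times in by_src.items():
        times.sort()
        # threshold+1 frames share one window iff some times[i+threshold]-times[i] <= window
        if any(times[i + threshold] - times[i] <= window
               for i in range(len(times) - threshold)):
            flagged.append(src)
    return flagged


def extract_features(action, packet):
    """Pull the feature fields the action needs from the offending packet."""
    feats = {}
    for field in FEATURE_FIELDS[action]:
        if field not in packet:
            raise ValueError(f"packet lacks '{field}' needed for action '{action}'")
        feats[field] = packet[field]
    return feats


def build_decision(attack_type, packet):
    """Cloud side: look up the action, extract features, encapsulate as JSON."""
    action = DEFENSE_ACTIONS.get(attack_type)
    if action is None:
        raise ValueError(f"no defense action configured for '{attack_type}'")
    decision = {"attack_type": attack_type, "action": action,
                "features": extract_features(action, packet)}
    return json.dumps(decision, sort_keys=True)


def decision_to_flow(decision_json):
    """Controller side: render a drop decision as an OVS flow entry in
    ovs-ofctl add-flow syntax (match = feature, action = defense action).
    Returns None for actions that are not flow-table actions (hopping is a
    radio-level action on the AP, handled elsewhere)."""
    d = json.loads(decision_json)
    if d["action"] != "drop":
        return None
    mac = str(d["features"]["src_mac"]).lower()
    if not MAC_RE.match(mac):
        # the feature is copied into rule text, so validate it strictly
        raise ValueError("refusing to build a flow entry from a malformed MAC")
    return f"priority=100,dl_src={mac},actions=drop"


def sample_records():
    """Constructed capture summary: one legitimate auth frame, then 30 auth
    frames from FLOOD_SRC within 0.3 s, then a data frame (all timestamps constructed)."""
    recs = [{"ts": 100.0, "src_mac": "02:00:00:00:00:10", "dst_mac": AP_MAC, "subtype": "auth"}]
    recs += [{"ts": 100.0 + i * 0.01, "src_mac": FLOOD_SRC, "dst_mac": AP_MAC, "subtype": "auth"}
             for i in range(30)]
    recs.append({"ts": 100.5, "src_mac": "02:00:00:00:00:10", "dst_mac": AP_MAC, "subtype": "data"})
    return recs


def respond(records):
    """Full cycle: detect, build the decision, render the flow entry."""
    out = []
    for src in flood_sources(records):
        packet = {"src_mac": src, "dst_mac": AP_MAC, "subtype": "auth"}
        decision = build_decision("flooding", packet)
        out.append((decision, decision_to_flow(decision)))
    return out


if __name__ == "__main__":
    for decision, flow in respond(sample_records()):
        print(decision)
        print("ovs-ofctl add-flow br0", flow)
```

Two points carry over to a real deployment. The feature value that ends up in the match field comes from a frame an untrusted station sent, so the controller validates it before it reaches rule text. And a source-MAC drop rule only helps against a flooder that keeps one address; the decision format leaves room for richer features (the hopping decision already carries a channel), which is why the controller, not the cloud, decides which decisions are expressible as flow entries.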
Claims (5)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910518416.5A CN110366170A (en) | 2019-06-15 | 2019-06-15 | A wireless network security defense method based on software-defined security |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110366170A true CN110366170A (en) | 2019-10-22 |
Family
ID: 68217314
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910518416.5A Pending CN110366170A (en) | 2019-06-15 | 2019-06-15 | A wireless network security defense method based on software-defined security |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110366170A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20230056749A1 (en) * | 2021-08-18 | 2023-02-23 | Korea University Research And Business Foundation | Intrusion detection and prevention solution system in iot network using explainable ai |
| CN116319114A (en) * | 2023-05-25 | 2023-06-23 | 广州鲁邦通物联网科技股份有限公司 | Method and system for network intrusion detection |
| WO2025156588A1 (en) * | 2024-01-25 | 2025-07-31 | 杭州迪普科技股份有限公司 | Automatic detection method and apparatus for next-generation firewall |
| WO2025194680A1 (en) * | 2024-03-20 | 2025-09-25 | 国网智能电网研究院有限公司 | Software-defined-network-based cloud-edge collaborative defense system and method for unknown attacks |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104468624A (en) * | 2014-12-22 | 2015-03-25 | 上海斐讯数据通信技术有限公司 | SDN controller, routing/switching device and network defending method |
| CN104580168A (en) * | 2014-12-22 | 2015-04-29 | 华为技术有限公司 | Method, device and system for processing attack data packages |
| US20160381069A1 (en) * | 2012-06-11 | 2016-12-29 | Radware, Ltd. | Techniques for traffic diversion in software defined networks for mitigating denial of service attacks |
| CN108063747A (en) * | 2016-11-09 | 2018-05-22 | 北京君正集成电路股份有限公司 | Wireless data processing method and apparatus |
Application events
- 2019-06-15: CN CN201910518416.5A (publication CN110366170A), active, Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Yu et al. | An efficient SDN-based DDoS attack detection and rapid response platform in vehicular networks | |
| US11032314B2 (en) | Triggering targeted scanning to detect rats and other malware | |
| Zarpelão et al. | A survey of intrusion detection in Internet of Things | |
| US12218937B2 (en) | Packet processing method and apparatus, device, and computer-readable storage medium | |
| CN101789931B (en) | Network intrusion detection system and method based on data mining | |
| US12438892B2 (en) | Correlating endpoint and network views to identify evasive applications | |
| CN110366170A (en) | A wireless network security defense method based on software-defined security | |
| CN113259943B (en) | Method and system for analyzing and blocking abnormal flow of power wireless private network | |
| US20060031928A1 (en) | Detector and computerized method for determining an occurrence of tunneling activity | |
| KR102088299B1 (en) | Apparatus and method for detecting drdos | |
| CN101286850A (en) | Router security defense device, defense system and method | |
| Chung et al. | Machine learning based path management for mobile devices over MPTCP | |
| CN106341337A (en) | An application-aware traffic detection and control mechanism and method under SDN | |
| CN116528274A (en) | Network quality regulation and control method and related equipment | |
| CN113452676B (en) | A detector allocation method and Internet of things detection system | |
| CN106656648B (en) | Application flow dynamic protection method and system based on home gateway and home gateway | |
| Saad et al. | ICMPv6 flood attack detection using DENFIS algorithms | |
| Lin et al. | MECPASS: Distributed denial of service defense architecture for mobile networks | |
| Panda et al. | A taxonomy on man-in-the-middle attack in IoT network | |
| CN110213233A (en) | Defend the emulation platform and method for building up of power grid distributed denial of service attack | |
| Zheng | Research on SDN-based IoT security architecture model | |
| CN106550241A (en) | Video traffic identifying system and virtualization dispositions method | |
| CN112671662A (en) | Data stream acceleration method, electronic device, and storage medium | |
| Thorat et al. | SDN-based machine learning powered alarm manager for mitigating the traffic spikes at the IoT gateways | |
| CN108667804A (en) | A DDoS attack detection and protection method and system based on SDN architecture |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20191022 |