
CN108199906A - Abnormal flow processing method, device and user terminal in a kind of SDN frameworks - Google Patents


Info

Publication number: CN108199906A
Authority: CN (China)
Prior art keywords: traffic, abnormal traffic, abnormal, data information, information
Legal status: Granted
Application number: CN201810122369.8A
Other languages: Chinese (zh)
Other versions: CN108199906B (en)
Inventors: 陈江婷, 张理阳, 王箭, 肖向
Current assignee: Shenzhen Forward Industrial Co Ltd
Original assignee: Shenzhen Forward Industrial Co Ltd

Events:
Application filed by Shenzhen Forward Industrial Co Ltd
Priority to CN201810122369.8A
Publication of CN108199906A
Application granted
Publication of CN108199906B
Current legal status: Expired - Fee Related


Classifications

All entries fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic (under H04L63/00 Network architectures or network communication protocols for network security)
    • H04L41/06 Management of faults, events, alarms or notifications (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L47/2475 Traffic characterised by specific attributes, e.g. priority or QoS, for supporting traffic characterised by the type of applications (under H04L47/00 Traffic control in data switching networks; H04L47/10 Flow control; Congestion control; H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS)
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows (under H04L47/00; H04L47/10; H04L47/24)


Abstract

The present invention provides a method, device and user terminal for processing abnormal traffic in an SDN architecture. The method includes: parsing the data flow of a packet to obtain parsed data information; performing a traffic check on the parsed data information according to an abnormal traffic template library and generating a traffic check result, where the abnormal traffic template library includes preset content features and behaviour features of abnormal traffic; and, if the traffic check result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library. The method provides the SDN architecture with a response mechanism for abnormal traffic, prevents the network from losing control or being paralysed by abnormal traffic, effectively enhances the security of the SDN architecture, and so greatly facilitates the use of the network by users and maintenance personnel.

Description

A method, device and user terminal for processing abnormal traffic in an SDN architecture

Technical field

The present invention relates to the technical field of network communication, and more particularly to a method, device and user terminal for processing abnormal traffic in an SDN architecture.

Background

The SDN architecture was first proposed by the ONF. From bottom to top (or from south to north), SDN is divided into a data plane, a control plane and an application plane. Unlike the traditional network architecture, the SDN architecture separates the network's control plane from its data plane. The control plane is the core of the SDN architecture and provides centralised control of the network. Through its southbound interface, the control plane uses the services offered by the data-plane network devices to collect device state or to configure the devices; the application plane sends requests through the northbound interface provided by the control plane to configure the devices or obtain information from them. The SDN architecture exposes open programmable interfaces, so new applications can be deployed quickly with simple programming.

The centralised control and open programmability of the SDN architecture bring security problems with them. Abnormal network traffic consumes a large amount of bandwidth and CPU time, lowers link utilisation, causes network congestion and seriously degrades the quality of network service. In an SDN architecture, abnormal traffic can leave the SDN controller unable to serve requests, so that the network is out of control; at the same time, it can stop network devices from working normally, so that the network is paralysed. An SDN network therefore needs the ability to detect and defend against abnormal traffic.

In summary, because abnormal network traffic exists in current SDN architectures and there is no corresponding response mechanism, the network loses large amounts of bandwidth, system CPU resources are consumed and services can no longer be provided, which in turn leads to loss of control and paralysis of the network and brings serious security risks and inconvenience to users and maintenance personnel.

Summary of the invention

In view of this, the present invention provides a method, device and user terminal for processing abnormal traffic in an SDN architecture to overcome the deficiencies of the prior art.

To solve the above problems, the present invention provides a method for processing abnormal traffic in an SDN architecture, including:

parsing the data flow of a packet to obtain parsed data information;

performing a traffic check on the parsed data information according to an abnormal traffic template library and generating a traffic check result, the abnormal traffic template library including preset content features and behaviour features of abnormal traffic;

if the traffic check result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library.

Preferably, "if the traffic check result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library" includes:

if the traffic check result indicates that the parsed data information is abnormal traffic, judging according to the abnormal traffic template library whether the parsed data information is high-risk abnormal traffic;

if the parsed data information is high-risk abnormal traffic, discarding or isolating the packet corresponding to the data information.

Preferably, after "judging according to the abnormal traffic template library whether the parsed data information is high-risk abnormal traffic", the method further includes:

if the parsed data information is not high-risk abnormal traffic, sending prompt information corresponding to the parsed data information to an external security app, so that the packet corresponding to the parsed data information can be processed according to the decision information the external security app returns for the prompt information.

Preferably, after "if the parsed data information is not high-risk abnormal traffic, sending prompt information corresponding to the parsed data information to an external security app, so that the packet corresponding to the parsed data information can be processed according to the decision information the external security app returns for the prompt information", the method further includes:

obtaining the decision information returned by the external security app in response to the prompt information;

converting the decision information into traffic policy information;

changing the route of the abnormal traffic or preventing the abnormal traffic from entering the network according to the traffic policy information.

Preferably, after "performing a traffic check on the parsed data information according to the abnormal traffic template library and generating a traffic check result", the method further includes:

if the traffic check result indicates that the parsed data information is not abnormal traffic, obtaining behaviour statistics of the parsed data information corresponding to the packet within a preset time, and, based on the behaviour statistics, performing traffic behaviour feature detection on the parsed data information of the packet according to the abnormal traffic template library and generating a behaviour feature detection result;

if the behaviour feature detection result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library.

Preferably, after "if the traffic check result indicates that the parsed data information is not abnormal traffic, performing traffic behaviour feature detection on the parsed data information and generating a behaviour feature detection result", the method further includes:

if the behaviour feature detection result indicates that the parsed data information is not abnormal traffic, recording the parsed data information as normal traffic.

Preferably, the parsed data information includes packet header information and packet content information.

In addition, to solve the above problems, the present invention also provides a device for processing abnormal traffic in an SDN architecture, including a parsing module, a checking module and a processing module;

the parsing module is configured to parse the data flow of a packet to obtain parsed data information;

the checking module is configured to perform a traffic check on the parsed data information according to an abnormal traffic template library and generate a traffic check result, the abnormal traffic template library including preset content features and behaviour features of abnormal traffic;

the processing module is configured to process the packet corresponding to the abnormal traffic according to the abnormal traffic template library if the traffic check result indicates that the parsed data information is abnormal traffic.

In addition, to solve the above problems, the present invention also provides a user terminal including a memory and a processor, the memory storing an abnormal traffic processing program for an SDN architecture and the processor running that program so that the user terminal performs the method for processing abnormal traffic in an SDN architecture described above.

In addition, to solve the above problems, the present invention also provides a computer-readable storage medium storing an abnormal traffic processing program for an SDN architecture which, when executed by a processor, implements the method for processing abnormal traffic in an SDN architecture described above.

The present invention provides a method, device and user terminal for processing abnormal traffic in an SDN architecture. Addressing the security deficiencies of the existing SDN architecture, the method performs a traffic check on the parsed data information of a packet, uses the traffic check result and related methods to judge whether the packet is abnormal traffic and, if it is, processes the packet further according to the traffic hazard policy. This provides the SDN architecture with a response mechanism for abnormal traffic, prevents the network from losing control or being paralysed by abnormal traffic, effectively enhances the security of the SDN architecture, and so greatly facilitates the use of the network by users and maintenance personnel.

Brief description of the drawings

Fig. 1 is a schematic structural diagram of the hardware operating environment involved in an embodiment of the method for processing abnormal traffic in an SDN architecture of the present invention;

Fig. 2 is a schematic flow chart of the first embodiment of the method for processing abnormal traffic in an SDN architecture of the present invention;

Fig. 3 is a schematic flow chart of the second embodiment of the method for processing abnormal traffic in an SDN architecture of the present invention;

Fig. 4 is a schematic flow chart of the third embodiment of the method for processing abnormal traffic in an SDN architecture of the present invention;

Fig. 5 is a schematic flow chart of the fourth embodiment of the method for processing abnormal traffic in an SDN architecture of the present invention;

Fig. 6 is a schematic diagram of the functional modules of the device for processing abnormal traffic in an SDN architecture of the present invention;

Fig. 7 is a schematic diagram of abnormal traffic processing across the application plane, SDN controller, abnormal traffic management server and data plane of the SDN security architecture on which the method for processing abnormal traffic in an SDN architecture of the present invention is based;

Fig. 8 is a schematic diagram of the abnormal traffic processing flow of the SDN controller of the SDN security architecture on which the method for processing abnormal traffic in an SDN architecture of the present invention is based;

Fig. 9 is a schematic diagram of abnormal traffic processing in the application layer, control layer and data layer of the SDN security architecture on which the method for processing abnormal traffic in an SDN architecture of the present invention is based.

The realisation of the objects, functional features and advantages of the present invention will be further described with reference to the embodiments and the accompanying drawings.

Detailed description

Embodiments of the present invention are described in detail below; throughout, the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions.

In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly specifying the number of the technical features indicated. Thus a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.

In the present invention, unless otherwise expressly specified and limited, terms such as "mounted", "connected", "coupled" and "fixed" are to be understood broadly: for example, a connection may be fixed or detachable, or the parts may be integral; it may be mechanical or electrical; it may be direct or indirect through an intermediary; and it may be an internal communication between two elements or an interaction between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the particular circumstances.

It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it.

As shown in Fig. 1, Fig. 1 is a schematic structural diagram of the hardware operating environment of a terminal involved in an embodiment of the present invention.

The terminal in embodiments of the present invention may be a PC, or a mobile terminal device with a display function such as a smartphone, tablet computer, e-book reader or portable computer.

As shown in Fig. 1, the terminal may include a processor 1001 such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 provides the connections and communication between these components. The user interface 1003 may include a display screen and an input unit such as a keyboard or remote control, and optionally may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or a stable memory such as disk storage; optionally, the memory 1005 may also be a storage device separate from the processor 1001.

Optionally, the terminal may also include a camera, an RF (radio frequency) circuit, sensors, an audio circuit, a Wi-Fi module and so on. A mobile terminal may additionally be equipped with other sensors such as a gyroscope, barometer, hygrometer, thermometer or infrared sensor, which are not described further here.

Those skilled in the art will understand that the terminal shown in Fig. 1 does not limit the terminal, which may include more or fewer components than shown, combine certain components, or arrange the components differently.

As shown in Fig. 1, the memory 1005, as a computer-readable storage medium, may contain an operating system, a data interface control program, a network connection program and an abnormal traffic processing program for an SDN architecture.

The present invention provides a method, device and user terminal for processing abnormal traffic in an SDN architecture. The method provides the SDN architecture with a response mechanism for abnormal traffic, prevents the network from losing control or being paralysed by abnormal traffic, effectively enhances the security of the SDN architecture, and so greatly facilitates the use of the network by users and maintenance personnel.

Embodiment 1:

Referring to Fig. 2, the first embodiment of the present invention provides a method for processing abnormal traffic in an SDN architecture, including:

Step S10: parsing the data flow of a packet to obtain parsed data information;

It should be understood that a software-defined network (SDN) is a new network innovation architecture from Emulex and one way of realising network virtualisation. Its core technology, OpenFlow, separates the control plane of network devices from the data plane, so that network traffic can be controlled flexibly and the network, as a pipe, becomes more intelligent.

It should be understood that a packet (报文, rendered "message" in the original) is the unit of data exchanged and transmitted in a network, that is, the block of data a station sends at one time. A packet contains the complete data to be sent; its length varies greatly, is unlimited and is variable. The packet is also the unit of network transmission: in transit it is repeatedly encapsulated into groups, packets and frames, where encapsulation means adding information fields, namely headers organised in a fixed format. In this embodiment, a packet is the data unit used for data exchange in the network.

In the SDN architecture, packets sent by different senders are collected in real time or periodically; the SDN controller monitors the data flows of all packets, parses the data flows and obtains parsed data information. The parsed data information may contain feature information of the packet or related data record information.

Step S20: performing a traffic check on the parsed data information according to an abnormal traffic template library and generating a traffic check result, the abnormal traffic template library including preset content features and behaviour features of abnormal traffic;

The traffic template library is a preset library used during traffic monitoring to decide whether traffic is abnormal; it stores templates of abnormal traffic, each including the content features, behaviour features, hazard level and recommended handling of that abnormal traffic. The abnormal traffic in the template library is described by its content features or behaviour features in a simple, readable description language. For example, a Land attack is characterised by identical source and destination IP addresses and can be described as ip.src==ip.dst; a SYN flood characterised by more than 10,000 SYN packets within 5 seconds can be described as tcp.syn==1&&totalssn(10000,5).

The parsed data information is checked against the abnormal traffic template library, and the traffic check result generated by the check is obtained.

Step S30: if the traffic check result indicates that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library.

The abnormal traffic template library is a preset policy for classifying traffic, on the basis of the packet's parsed data information, by content features, by behaviour features, or by a combination of the two; the data flow corresponding to the packet can then be handled according to its level and class. For example, traffic may be divided into the levels high-risk abnormal traffic, dangerous abnormal traffic, moderately dangerous abnormal traffic, ordinary abnormal traffic and normal traffic; the parsed data information is classified into these levels and then handled by the processing method corresponding to its class.

Addressing the security deficiencies of the existing SDN architecture, the method provided by this embodiment performs a traffic check on the parsed data information of a packet, uses the traffic check result and related methods to judge whether the packet is abnormal traffic and, if it is, processes the packet further according to the traffic hazard policy. This provides the SDN architecture with a response mechanism for abnormal traffic, prevents the network from losing control or being paralysed by abnormal traffic, effectively enhances the security of the SDN architecture, and so greatly facilitates the use of the network by users and maintenance personnel.

实施例2:Example 2:

参照图3,本发明第二实施例提供一种SDN构架中异常流量处理方法,基于上述图2所示的第一实施例,所述步骤S30“若所述流量检验结果为所述解析数据信息是异常流量,则根据预所述异常流量模板库对所述异常流量对应的报文进行处理”包括:Referring to FIG. 3, the second embodiment of the present invention provides a method for processing abnormal traffic in an SDN framework. Based on the first embodiment shown in FIG. is abnormal traffic, then process the message corresponding to the abnormal traffic according to the preset abnormal traffic template library” including:

步骤S31,若所述流量检验结果为所述解析数据信息是异常流量,则根据所述异常流量模板库判断所述解析数据信息是否为高危异常流量;Step S31, if the result of the traffic inspection is that the analyzed data information is abnormal traffic, then judge whether the analyzed data information is high-risk abnormal traffic according to the abnormal traffic template library;

上述,本实施例中,对流量处理的不同流量检验结果,对检测出来的异常流量进行不同的处理。在判断为异常流量后,则对该异常流量根据SDN构架中的相关分类处理模块进行对该报文的解析数据信息的危害等级进行确认。As mentioned above, in this embodiment, different processing is performed on the detected abnormal traffic for different traffic inspection results of traffic processing. After it is judged as abnormal traffic, the hazard level of the analysis data information of the message is confirmed according to the relevant classification processing module in the SDN framework for the abnormal traffic.

上述,危害等级及相应的危害等级处理方式可以根据网络环境和需求通过外部安全APP进行人为设置。异常流量模板库中的异常流量都有相应的危害等级与之相对应,同时,这种对应关系也可以通过外部安全APP进行修改。一旦异常流量被检测出来,则根据异常流量的危害等级做相应的处理。As mentioned above, the hazard level and the corresponding hazard level processing method can be manually set through an external security APP according to the network environment and requirements. The abnormal traffic in the abnormal traffic template library has a corresponding hazard level corresponding to it. At the same time, this corresponding relationship can also be modified through an external security APP. Once the abnormal traffic is detected, corresponding processing will be done according to the hazard level of the abnormal traffic.

Step S32: if the parsed data information is high-risk abnormal traffic, discard or isolate the packet corresponding to the data information.

Step S33: if the parsed data information is not high-risk abnormal traffic, send prompt information corresponding to the parsed data information to the external security APP, so that the packet corresponding to the parsed data information can be processed according to the decision information the external security APP returns for the prompt.

The external security APP manages the security-related modules. Its functions include: managing the abnormal traffic templates (add/delete/modify) and setting the hazard level of each kind of abnormal traffic; managing the hazard levels, chiefly the handling applied to each level; receiving abnormal traffic alarms and deciding how unhandled abnormal traffic is processed; and viewing the abnormal traffic log.

If, when judging whether the parsed data information is high-risk abnormal traffic, the packet's parsed data information is confirmed to be high-risk, that is, abnormal traffic of a high hazard level that directly endangers the normal operation of the operating system or the device terminal, the packets corresponding to that abnormal traffic are discarded or isolated.

If the parsed data information is not high-risk abnormal traffic, the abnormal traffic is judged to pose no direct harm to the normal operation of the operating system or the device terminal and to be of an ordinary hazard level; the packets determined to be abnormal traffic are then processed according to the policy information generated through the external APP. Classifying and registering abnormal traffic as high-risk or non-high-risk, and handling each class separately, further avoids wasting system resources.

Embodiment 3:

Referring to FIG. 4, the third embodiment of the present invention provides a method for processing abnormal traffic in an SDN architecture. Based on the second embodiment shown in FIG. 3, after step S33, "if the parsed data information is not high-risk abnormal traffic, send prompt information corresponding to the parsed data information to the external security APP, so that the packet corresponding to the parsed data information can be processed according to the decision information the external security APP returns for the prompt", the method further includes:

Step S34: obtain the decision information returned by the external security APP in response to the prompt information.

The decision information is the received data describing the handling decision that the user returns in response to the prompt information.

Step S35: convert the decision information into traffic policy information.

The decision information is converted into traffic policy information that the SDN architecture can interpret directly.

Step S36: according to the traffic policy information, change the route of the abnormal traffic or prohibit the abnormal traffic from entering the network.

Detected abnormal traffic of a relatively low hazard level is reported to the external security APP as an alarm. The user decides from the alarm content how the abnormal traffic should be handled; the SDN controller translates the user's decision into a traffic policy and pushes it to the network devices, which change the route of the abnormal traffic in the network or block it from entering the network. For example, if traffic from a certain address or certain network segments is found to be abnormal, the traffic from those sources needs to be isolated: following the handling chosen through the external APP, the SDN controller generates the corresponding access control rules to isolate that traffic.
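The hazard-level dispatch of steps S31 to S33 and the decision-to-policy translation of steps S34 to S36, as an added Python example. This is illustrative code written for this page, not the patent's own implementation: the template entries, the field names of the parsed data information, the decision schema returned by the security APP and the OpenFlow-like rule format are all assumptions, and the template library is constructed inline.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HIGH_RISK = "high"      # directly endangers the OS or device terminal: drop/isolate at once
NORMAL_RISK = "normal"  # ordinary hazard level: alert the security APP and wait for a decision


@dataclass(frozen=True)
class Template:
    name: str
    content_features: Dict[str, object]  # header/content fields that must all match
    hazard_level: str                    # HIGH_RISK or NORMAL_RISK, set via the security APP
    suggested_action: str                # "drop", "isolate" or "alert"


# Constructed template library (assumption). In the architecture it lives on the
# abnormal traffic management server and is edited through the external security APP.
TEMPLATE_LIBRARY: List[Template] = [
    Template("land-attack", {"protocol": "TCP", "src_equals_dst": True}, HIGH_RISK, "drop"),
    Template("telnet-to-management", {"protocol": "TCP", "dst_port": 23}, NORMAL_RISK, "alert"),
]


def match_template(parsed: Dict[str, object]) -> Optional[Template]:
    """Content-feature check: return the first template all of whose features match."""
    for tpl in TEMPLATE_LIBRARY:
        for key, want in tpl.content_features.items():
            if key == "src_equals_dst":  # derived feature rather than a raw header field
                got = parsed.get("src_ip") == parsed.get("dst_ip")
            else:
                got = parsed.get(key)
            if got != want:
                break
        else:
            return tpl
    return None


def handle_abnormal(parsed: Dict[str, object], tpl: Template) -> Dict[str, object]:
    """Steps S31-S33: high-risk traffic is dropped/isolated immediately; anything else
    becomes a prompt for the external security APP instead of an automatic action."""
    if tpl.hazard_level == HIGH_RISK:
        return {"action": tpl.suggested_action, "template": tpl.name}
    return {
        "action": "alert",
        "template": tpl.name,
        "prompt": f"{tpl.name}: {parsed['src_ip']} -> {parsed['dst_ip']}",
    }


def decision_to_flow_rules(decision: Dict[str, object]) -> List[Dict[str, object]]:
    """Steps S35-S36: turn the decision returned by the security APP into flow rules the
    controller can push to the switches. The rule format (OpenFlow-like match/actions
    dicts) and the decision schema {"src": host-or-CIDR, "verdict": "block"|"reroute",
    "port": n} are assumptions for this example."""
    match = {"eth_type": 0x0800, "ipv4_src": decision["src"]}  # host address or CIDR prefix
    if decision["verdict"] == "block":
        return [{"priority": 1000, "match": match, "actions": []}]  # no actions = drop
    if decision["verdict"] == "reroute":
        # change the route: steer the flow to a quarantine/inspection port
        return [{"priority": 1000, "match": match, "actions": [("output", decision["port"])]}]
    raise ValueError(f"unknown verdict {decision['verdict']!r}")


if __name__ == "__main__":
    pkt = {"protocol": "TCP", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 23}
    tpl = match_template(pkt)
    print(handle_abnormal(pkt, tpl))
    # the operator answers the prompt; the controller translates that into rules
    print(decision_to_flow_rules({"src": "10.0.0.5", "verdict": "block"}))
```

Keeping `handle_abnormal` and `decision_to_flow_rules` separate is the point the steps make: a high-risk template carries its own action and is acted on without waiting, while a normal-risk match only produces a prompt, and the controller changes nothing about the flow until the security APP returns a decision. Because the hazard level is data in the template, the security APP can re-tier a template without touching the dispatch code.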

Embodiment 4:

Referring to FIG. 5, the fourth embodiment of the present invention provides a method for processing abnormal traffic in an SDN architecture. Based on the first embodiment shown in FIG. 2, after step S20, "perform a traffic check on the parsed data information according to the abnormal traffic template library and generate a traffic check result", the method further includes:

Step S40: if the traffic check result is that the parsed data information is not abnormal traffic, obtain behaviour statistics for the parsed data information corresponding to the packets received within a preset time, and, based on those statistics, perform traffic behaviour feature detection on the packet's parsed data information against the abnormal traffic template library to generate a behaviour feature detection result.

If the traffic check result shows that the parsed data information corresponding to the packet's data stream is not abnormal traffic, further behaviour feature detection is required. Behaviour statistics for the parsed data information within a preset time are obtained: the packet data stream is received and parsed, feature data are extracted from the parsed data information, and statistics are compiled from them. The statistics may include, but are not limited to, the rate of the packet data stream and feature values within the preset time. During behaviour feature detection the feature data are compared with the corresponding data in the abnormal traffic template library to obtain the behaviour feature detection result.

The behaviour feature check may work as follows: after the feature values of the traffic are extracted, they are compared with the content feature information configured in the abnormal traffic template library, and the traffic is classified and counted. If the count of a given type of traffic over a period of time reaches the upper limit configured for that type in the abnormal traffic template library, the traffic is considered abnormal. For example, more than one million ICMP packets within one second is taken to indicate a DDoS attack.

Step S50: if the behaviour feature detection result is that the parsed data information is abnormal traffic, process the packet corresponding to the abnormal traffic according to the abnormal traffic template library.

If detection based on the behaviour statistics of the data stream finds that the packet's data stream is abnormal traffic, the method returns to the step "process the packet corresponding to the abnormal traffic according to the abnormal traffic template library", which further judges whether the data stream is high-risk abnormal traffic and handles it according to that judgement.

Step S60: if the behaviour feature detection result is that the parsed data information is not abnormal traffic, mark the parsed data information as normal traffic.

The parsed data information includes packet header information and packet content information.

Once the packet information has been parsed and the parsed data information has been confirmed not to be abnormal traffic, the packet's data stream is judged overall to be normal traffic, and further data exchange can proceed.

Packet header information may include, but is not limited to, packet length, protocol type (ICMP, IGMP, TCP, UDP, etc.), source IP and destination IP; packet content information may include the actual transmitted content.
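The two-stage check of steps S40 to S60 (content check, then a behaviour check over a time window, then marking the packet normal), together with a parser for the header fields named above, as an added Python example. It is not the patent's code: the IPv4 parser, the sliding-window counter, the scaled-down threshold, the source blocklist standing in for the content check, and the sample packets are all constructed for this example. The threshold in the text is one million ICMP packets in one second; here it is five packets per second so the example runs instantly, and the window slides so that a burst straddling a second boundary is still counted.

```python
import struct
from collections import deque
from typing import Deque, Dict, FrozenSet

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    """Parse the IPv4 header into the header fields the text names (length, protocol,
    source IP, destination IP) plus the payload as the packet content information."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("invalid header length")
    return {
        "length": total_len,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "payload": packet[ihl:],
    }


# Constructed behaviour templates (assumption): the upper limit of packets of one
# protocol allowed within a window. The text's illustration is one million ICMP
# packets in one second; the limit here is scaled down so the example runs quickly.
BEHAVIOUR_TEMPLATES = {
    "ICMP": {"window_s": 1.0, "max_packets": 5, "hazard_level": "high"},
}


class RateDetector:
    """Step S40: per-protocol sliding-window packet counter compared with the template limit."""

    def __init__(self, templates: Dict[str, Dict[str, object]] = BEHAVIOUR_TEMPLATES):
        self.templates = templates
        self.windows: Dict[str, Deque[float]] = {}

    def observe(self, parsed: Dict[str, object], now: float) -> Dict[str, object]:
        proto = str(parsed["protocol"])
        tpl = self.templates.get(proto)
        if tpl is None:                      # no behaviour template for this protocol
            return {"abnormal": False}
        window = self.windows.setdefault(proto, deque())
        window.append(now)
        while window and now - window[0] > float(tpl["window_s"]):
            window.popleft()                 # discard timestamps that fell out of the window
        if len(window) > int(tpl["max_packets"]):
            return {"abnormal": True, "hazard_level": tpl["hazard_level"], "count": len(window)}
        return {"abnormal": False}


def classify(packet: bytes, detector: RateDetector, now: float,
             blocked_sources: FrozenSet[str] = frozenset()) -> str:
    """Two-stage check: the content check first, then the behaviour check only for packets
    the content check passed. The content check is reduced here to a source-address
    blocklist (assumption) so the focus stays on the behaviour stage."""
    parsed = parse_ipv4(packet)
    if parsed["src_ip"] in blocked_sources:
        return "abnormal"                    # content check (step S20/S30) already flagged it
    if detector.observe(parsed, now)["abnormal"]:
        return "abnormal"                    # behaviour check (step S50) flagged it
    return "normal"                          # step S60


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero) as sample input for the example."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d) + payload


if __name__ == "__main__":
    det = RateDetector()
    echo = build_ipv4(1, "192.0.2.10", "198.51.100.1", b"\x08\x00" + b"\x00" * 6)  # ICMP echo
    for i in range(7):
        print(i, classify(echo, det, now=0.1 * i))   # the sixth packet in the window trips it
```

Running the block sends seven ICMP echo packets 100 ms apart; the sixth and seventh exceed the limit of five in a one-second window and are reported abnormal, while a packet arriving after the window has emptied is normal again. A counter that resets every second would miss a burst split across the boundary, which is why the detector keeps timestamps rather than a single integer.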

In addition, referring to FIG. 6, the present invention also provides an abnormal traffic processing device for an SDN architecture, comprising a parsing module 10, a checking module 20 and a processing module 30.

The parsing module 10 parses the data stream of a packet to obtain parsed data information.

The checking module 20 performs a traffic check on the parsed data information according to the abnormal traffic template library and generates a traffic check result; the abnormal traffic template library includes preset content features and behaviour features of abnormal traffic.

The processing module 30, if the traffic check result is that the parsed data information is abnormal traffic, processes the packet corresponding to the abnormal traffic according to the abnormal traffic template library.

In addition, the present invention also provides a user terminal comprising a memory and a processor, the memory storing an abnormal traffic processing program for an SDN architecture and the processor running that program so that the user terminal executes the method for processing abnormal traffic in an SDN architecture described above.

In addition, the present invention also provides a computer-readable storage medium storing an abnormal traffic processing program for an SDN architecture which, when executed by a processor, implements the method for processing abnormal traffic in an SDN architecture described above.

In addition, referring to FIGS. 7 to 9, the present invention also provides an SDN security architecture. To make the SDN security architecture, and the abnormal traffic processing method implemented by the abnormal traffic processing program running on it, easier to understand: the SDN security architecture comprises an external security APP, SDN network devices, an SDN controller and an abnormal traffic management server.

The external security APP sits at the top of the SDN architecture and the SDN network devices at the bottom; the SDN controller in the middle, together with the abnormal traffic management server connected to it, forms the core of the SDN architecture.

The functions of the external security APP mainly include: managing the abnormal traffic template library (adding, modifying and dynamically loading templates); and monitoring abnormal traffic alarms, so that abnormal traffic found in the network can be handled according to the alarm information.

The SDN network devices provide services to the control plane through the control plane's southbound interface, or accept and apply configuration policies from the control plane.

The modules designed for the security function in the SDN controller include:

Traffic collection module: collects traffic information from the data plane;

Flow rule generation module: generates traffic forwarding rules;

Traffic sending module: sends the network traffic information collected by the SDN controller to the abnormal traffic management server for detection;

Processing result receiving module: receives the traffic processing results from the abnormal traffic management server, forwards abnormal traffic to the abnormal traffic processing module, and records the abnormal traffic in the abnormal traffic log;

Abnormal traffic processing module: according to the processing results from the abnormal traffic management server, discards or isolates traffic of a high hazard level directly; for abnormal traffic that is not of a high hazard level, translates the user's decision, made through the external APP, into a traffic policy and pushes it to the network devices;

Abnormal traffic log module: stores the history of detected abnormal traffic;

Abnormal traffic monitoring module: sends abnormal traffic detected by the SDN controller to the external security APP in the form of alarms;

Abnormal traffic template management module: receives configuration information from the external security APP and forwards the received abnormal traffic template management instructions to the abnormal traffic management server, which manages the abnormal traffic templates.

The abnormal traffic management server receives the traffic collected by the SDN controller and analyses and inspects it. Its modules mainly include:

Traffic receiving module: receives the traffic collected by the SDN controller;

Traffic classification module: classifies traffic by its content features, by its behaviour features, or by a combination of the two;

Traffic detection module: according to the traffic classification and in combination with the abnormal traffic template library, analyses the traffic with a method that combines packet content features and packet behaviour;

Traffic processing result sending module: sends the traffic detection results to the SDN controller;

Abnormal traffic template library management module: adds, modifies and deletes abnormal traffic template entries in the abnormal traffic template library;

Abnormal traffic template library: stores the abnormal traffic templates, each of which includes the content features, behaviour features, hazard level and suggested handling of the abnormal traffic.

The SDN security architecture provided by the present invention adds abnormal traffic detection and processing through the abnormal traffic management server, providing a method for detecting and handling abnormal traffic; at the same time it loads abnormal traffic templates dynamically through the security APP. By handling abnormal traffic in this way it effectively strengthens the security of the SDN architecture.

It should be noted that, as used herein, the terms "comprise", "include" or any variant of them are intended to cover a non-exclusive inclusion, so that a process, method, article or system comprising a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or system that comprises it.

The serial numbers of the above embodiments are for description only and do not indicate any ranking of the embodiments.

From the description of the above embodiments, those skilled in the art will understand that the methods of the above embodiments can be implemented with software plus the necessary general-purpose hardware platform, and of course also in hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied as a software product stored on a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and containing instructions that cause a terminal device (which may be a mobile phone, computer, server, network device, etc.) to execute the methods described in the embodiments of the present invention.

The above are only preferred embodiments of the present invention and do not limit its patent scope; any equivalent structure or equivalent process transformation made using the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. A method for processing abnormal traffic in an SDN architecture, characterised in that it comprises:
parsing the data stream of a packet to obtain parsed data information;
performing a traffic check on the parsed data information according to an abnormal traffic template library to generate a traffic check result, the abnormal traffic template library including preset content features and behaviour features of abnormal traffic; and
if the traffic check result is that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library.

2. The method for processing abnormal traffic in an SDN architecture according to claim 1, characterised in that "if the traffic check result is that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library" comprises:
if the traffic check result is that the parsed data information is abnormal traffic, judging from the abnormal traffic template library whether the parsed data information is high-risk abnormal traffic; and
if the parsed data information is high-risk abnormal traffic, discarding or isolating the packet corresponding to the data information.

3. The method for processing abnormal traffic in an SDN architecture according to claim 2, characterised in that after "judging from the abnormal traffic template library whether the parsed data information is high-risk abnormal traffic" the method further comprises:
if the parsed data information is not high-risk abnormal traffic, sending prompt information corresponding to the parsed data information to an external security APP, so that the packet corresponding to the parsed data information is processed according to the decision information the external security APP returns for the prompt information.

4. The method for processing abnormal traffic in an SDN architecture according to claim 3, characterised in that after "if the parsed data information is not high-risk abnormal traffic, sending prompt information corresponding to the parsed data information to an external security APP, so that the packet corresponding to the parsed data information is processed according to the decision information the external security APP returns for the prompt information" the method further comprises:
obtaining the decision information returned by the external security APP in response to the prompt information;
converting the decision information into traffic policy information; and
changing the route of the abnormal traffic or prohibiting the abnormal traffic from entering the network according to the traffic policy information.

5. The method for processing abnormal traffic in an SDN architecture according to claim 1, characterised in that after "performing a traffic check on the parsed data information according to the abnormal traffic template library to generate a traffic check result" the method further comprises:
if the traffic check result is that the parsed data information is not abnormal traffic, obtaining behaviour statistics for the parsed data information corresponding to the packet within a preset time, and, based on the behaviour statistics, performing traffic behaviour feature detection on the parsed data information of the packet according to the abnormal traffic template library to generate a behaviour feature detection result; and
if the behaviour feature detection result is that the parsed data information is abnormal traffic, processing the packet corresponding to the abnormal traffic according to the abnormal traffic template library.

6. The method for processing abnormal traffic in an SDN architecture according to claim 5, characterised in that after "if the traffic check result is that the parsed data information is not abnormal traffic, performing traffic behaviour feature detection on the parsed data information and generating a behaviour feature detection result" the method further comprises:
if the behaviour feature detection result is that the parsed data information is not abnormal traffic, recording the parsed data information as normal traffic.

7. The method for processing abnormal traffic in an SDN architecture according to any one of claims 1 to 6, characterised in that the parsed data information includes packet header information and packet content information.

8. An abnormal traffic processing device for an SDN architecture, characterised in that it comprises a parsing module, a checking module and a processing module;
the parsing module parses the data stream of a packet to obtain parsed data information;
the checking module performs a traffic check on the parsed data information according to an abnormal traffic template library to generate a traffic check result, the abnormal traffic template library including preset content features and behaviour features of abnormal traffic; and
the processing module, if the traffic check result is that the parsed data information is abnormal traffic, processes the packet corresponding to the abnormal traffic according to the abnormal traffic template library.

9. A user terminal, characterised in that it comprises a memory and a processor, the memory storing an abnormal traffic processing program for an SDN architecture and the processor running the program so that the user terminal executes the method for processing abnormal traffic in an SDN architecture according to any one of claims 1 to 7.

10. A computer-readable storage medium, characterised in that it stores an abnormal traffic processing program for an SDN architecture which, when executed by a processor, implements the method for processing abnormal traffic in an SDN architecture according to any one of claims 1 to 7.
CN201810122369.8A 2018-02-07 2018-02-07 Abnormal traffic processing method and device in SDN framework and user terminal Expired - Fee Related CN108199906B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810122369.8A CN108199906B (en) 2018-02-07 2018-02-07 Abnormal traffic processing method and device in SDN framework and user terminal

Publications (2)

Publication Number Publication Date
CN108199906A true CN108199906A (en) 2018-06-22
CN108199906B CN108199906B (en) 2021-03-30

Family

ID=62593263

Country Status (1)

Country Link
CN (1) CN108199906B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108900518A (en) * 2018-07-09 2018-11-27 南京邮电大学 Believable software definition cloud network data distribution systems
CN111698168A (en) * 2020-05-20 2020-09-22 北京吉安金芯信息技术有限公司 Message processing method, device, storage medium and processor
CN113068129A (en) * 2021-03-26 2021-07-02 中国工商银行股份有限公司 Method and device for low-delay switching of heterogeneous network based on trajectory prediction

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104683333A (en) * 2015-02-10 2015-06-03 国都兴业信息审计系统技术(北京)有限公司 Method for implementing abnormal traffic interception based on SDN
US20150271043A1 (en) * 2014-03-18 2015-09-24 Ciena Corporation Bandwidth analytics in a software defined network (sdn) controlled multi-layer network for dynamic estimation of power consumption
CN106559407A (en) * 2015-11-19 2017-04-05 国网智能电网研究院 A kind of Network traffic anomaly monitor system based on SDN
CN107623663A (en) * 2016-07-15 2018-01-23 阿里巴巴集团控股有限公司 Method and device for processing network traffic

CN105099781A (en) IT infrastructure patrolling method and system
CN116684131A (en) Flow security monitoring method, device, equipment and computer-readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 2021-03-30