CN116032582A - Network intrusion prevention method and system for port scanning - Google Patents
Publication number: CN116032582A
Application number: CN202211639079.3A
Authority: CN (China)
Prior art keywords: port, source address, flow, message, SDN controller
Legal status: Pending
Classifications
- Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
- Y02: Technologies or applications for mitigation or adaptation against climate change
- Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
- Y02D30/00: Reducing energy consumption in communication networks
- Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a network intrusion prevention method and system for port scanning, belonging to the technical field of network security protection. The method comprises the following steps:
step S10, the SDN controller acquires the statistical data of all flows from the connected OpenFlow switch, parses the statistical data to obtain the source address, target address, port and number of messages of each flow, and stores them in a database;
step S20, the SDN controller performs malicious flow verification based on the source address, target address, port and message count, and adds the source address of each malicious flow to a blacklist;
step S30, when the OpenFlow switch receives a data message, it sends the data message to the SDN controller through a PacketIn message;
step S40, the SDN controller parses the received data message to obtain its source address, target address and port, checks them against the database, and updates the flow table in the OpenFlow switch.
The invention has the advantage that the resource consumption of network intrusion prevention is greatly reduced.
Description
Technical Field
The invention relates to the technical field of network security protection, in particular to a network intrusion prevention method and system aiming at port scanning.
Background
Security has become a problem that computer networks cannot ignore, owing to resource abuse and intrusion by malicious traffic. Before a network or system is attacked, it typically receives a port scan from the attacker, through which the attacker learns of relevant vulnerabilities for subsequent attacks.
Port scanning is typically the orderly transmission by an attacker of various network packets to a target host (or target network); by analyzing the target host's responses, the attacker can learn attributes that help a network attack, such as open ports, firewall information and network topology. Port scans can be classified into lateral (transverse) port scans, which scan the same port on different target hosts, and longitudinal port scans, which scan multiple ports on the same target host.
For network intrusion via port scanning, traffic is conventionally analyzed by an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) to detect whether malicious activity exists. However, the IDS and IPS must first analyze the messages carried by the traffic and only then route them, which introduces additional switching delay (i.e., message transmission delay), because each message is copied to the separate IDS for analysis, and also consumes network performance.
Therefore, how to provide a network intrusion prevention method and system for port scanning that reduces the resource consumption of network intrusion prevention is a technical problem to be solved urgently.
Disclosure of Invention
The technical problem the invention aims to solve is to provide a network intrusion prevention method and system for port scanning that can reduce the resource consumption of network intrusion prevention.
In a first aspect, the present invention provides a network intrusion prevention method for port scanning, including the steps of:
step S10, an SDN controller acquires the statistical data of all flows from a connected OpenFlow switch, parses the statistical data to obtain the source address, target address, port and number of messages of each flow, and stores them in a database;
step S20, the SDN controller performs malicious flow verification based on the source address, target address, port and message count, and adds the source address of each malicious flow to a blacklist;
step S30, when the OpenFlow switch receives a data message, it sends the data message to the SDN controller through a PacketIn message;
and step S40, the SDN controller parses the received data message to obtain its source address, target address and port, checks them against the database, and updates the flow table in the OpenFlow switch.
Further, the step S10 specifically includes:
the SDN controller periodically requests flow statistics from the connected OpenFlow switch through an API, thereby acquiring the statistical data of all flows, parses the statistics in real time to obtain the source address, target address, port and number of messages of each flow, and stores them in the database of the SDN controller.
Further, the step S20 specifically includes:
step S21, the SDN controller sets a message count threshold, a first access count threshold and a second access count threshold, and judges whether the message count of each flow is less than or equal to the message count threshold; if so, it proceeds to step S22; if not, the flow is not malicious and the process proceeds to step S30;
step S22, the SDN controller judges whether the number of different target addresses accessed on the same port exceeds the first access count threshold; if so, the corresponding flow is a malicious flow of a lateral (transverse) port scan and its source address is added to the blacklist; if not, proceed to step S23;
step S23, the SDN controller classifies ports into hot ports and cold ports based on how frequently each port is scanned, applies a weighting formula to the access counts of hot and cold ports under the same target address to obtain a weighted access count, and judges whether the weighted access count exceeds the second access count threshold; if so, the corresponding flow is a malicious flow of a longitudinal port scan and its source address is added to the blacklist; if not, no malicious flow is found and the process proceeds to step S30.
Further, the step S30 specifically includes:
when the OpenFlow switch receives a data message, it judges, by means of the PacketIn message, whether the data message is a SYN message; if so, it sends the data message to the SDN controller; if not, it discards the data message and updates the routing rules of its flow table based on the discarded message.
Further, the step S40 specifically includes:
the SDN controller parses the received data message to obtain its source address, target address and port and judges whether the database contains a matching source address, target address and port; if so, it adds a drop rule for the source address of the data message to the flow table in the OpenFlow switch; if not, it adds a forwarding rule for that source address to the flow table in the OpenFlow switch.
In a second aspect, the present invention provides a network intrusion prevention system for port scanning, including:
the statistical data analysis module, used by the SDN controller to acquire the statistical data of all flows from the connected OpenFlow switch, parse it to obtain the source address, target address, port and number of messages of each flow, and store them in a database;
the malicious flow verification module, used by the SDN controller to perform malicious flow verification based on the source address, target address, port and message count and to add the source address of each malicious flow to a blacklist;
the data message forwarding module, used to send a data message to the SDN controller through a PacketIn message when the OpenFlow switch receives it;
and the flow table updating module, used by the SDN controller to parse the received data message to obtain its source address, target address and port, check them against the database, and update the flow table in the OpenFlow switch.
Further, the statistical data analysis module is specifically configured to:
the SDN controller periodically requests flow statistics from the connected OpenFlow switch through an API, thereby acquiring the statistical data of all flows, parses the statistics in real time to obtain the source address, target address, port and number of messages of each flow, and stores them in the database of the SDN controller.
Further, the malicious flow verification module specifically includes:
the SDN controller is used to set a message count threshold, a first access count threshold and a second access count threshold, and to judge whether the message count of each flow is less than or equal to the message count threshold; if so, the transverse scanning verification unit is entered; if not, the flow is not malicious and the data message forwarding module is entered;
the transverse scanning verification unit is used by the SDN controller to judge whether the number of different target addresses accessed on the same port exceeds the first access count threshold; if so, the corresponding flow is a malicious flow of a lateral (transverse) port scan and its source address is added to the blacklist; if not, the longitudinal scanning verification unit is entered;
the longitudinal scanning verification unit is used by the SDN controller to classify ports into hot ports and cold ports based on how frequently each port is scanned, apply a weighting formula to the access counts of hot and cold ports under the same target address to obtain a weighted access count, and judge whether the weighted access count exceeds the second access count threshold; if so, the corresponding flow is a malicious flow of a longitudinal port scan and its source address is added to the blacklist; if not, no malicious flow exists and the data message forwarding module is entered.
Further, the data message forwarding module is specifically configured to:
when the OpenFlow switch receives a data message, it judges, by means of the PacketIn message, whether the data message is a SYN message; if so, it sends the data message to the SDN controller; if not, it discards the data message and updates the routing rules of its flow table based on the discarded message.
Further, the flow table updating module is specifically configured to:
the SDN controller parses the received data message to obtain its source address, target address and port and judges whether the database contains a matching source address, target address and port; if so, it adds a drop rule for the source address of the data message to the flow table in the OpenFlow switch; if not, it adds a forwarding rule for that source address to the flow table in the OpenFlow switch.
The invention has the advantages that:
By acquiring the statistical data of all flows in the SDN network, parsing it to obtain the source address, target address, port and number of messages of each flow, and storing these in a database, the SDN controller can judge whether a flow is a malicious flow of a lateral or longitudinal port scan and add the source address of each malicious flow to the blacklist of the flow table. When the OpenFlow switch receives a data message, non-SYN messages are filtered out at the PacketIn stage before the message is sent to the SDN controller; the SDN controller then parses the data message to obtain its source address, target address and port, judges whether the database contains a matching entry, and updates the flow table in the OpenFlow switch accordingly. In other words, port-scan flows are checked for malice by a non-invasive method and the flow table of the OpenFlow switch is updated dynamically to keep the network secure. This is lighter than traditional invasive IDS and IPS, with low network resource consumption, memory occupation and power consumption during data processing, so the resource consumption of network intrusion defense is greatly reduced; it also avoids extra switching delay, because the message content does not have to be analyzed before the message is routed.
Drawings
The invention will be further described with reference to examples of embodiments with reference to the accompanying drawings.
Fig. 1 is a flow chart of a network intrusion prevention method for port scanning according to the present invention.
Fig. 2 is a schematic diagram of a network intrusion prevention system for port scanning according to the present invention.
Detailed Description
According to the technical scheme of the embodiment of the application, the overall idea is as follows: port-scan flows are checked for malice by a non-invasive method, and the flow table of the OpenFlow switch is updated dynamically to keep the network secure, thereby replacing traditional invasive IDS and IPS and reducing the resource consumption of network intrusion prevention.
Referring to fig. 1 to 2, a preferred embodiment of a network intrusion prevention method for port scanning according to the present invention includes the following steps:
step S10, an SDN controller acquires the statistical data of all flows from a connected OpenFlow switch, parses the statistical data to obtain the source address, target address, port and number of messages of each flow, and stores them in a database;
step S20, the SDN controller performs malicious flow verification based on the source address, target address, port and message count, and adds the source address of each malicious flow to a blacklist of a flow table;
step S30, when the OpenFlow switch receives a data message, it sends the data message to the SDN controller through a PacketIn message;
and step S40, the SDN controller parses the received data message to obtain its source address, target address and port, checks them against the database, and updates the flow table in the OpenFlow switch.
Data that share common characteristics or attributes on the same network at the same time are abstracted into one flow; for example, all data accessing the same destination address can be regarded as one flow. Flows are generally defined by the network administrator, and different policies can be applied to different flows; in the OpenFlow system, data is handled in units of flows. A flow table is a collection of policy entries for particular flows and is responsible for looking up and forwarding packets; a single flow table consists of a series of flow entries.
The step S10 specifically includes:
the SDN controller periodically requests flow statistics from the connected OpenFlow switch through an API, thereby obtaining the statistical data of all flows in the SDN network, parses the statistics in real time to obtain the source address, target address, port and number of messages of each flow, and stores them in the database of the SDN controller.
The SDN controller acquires the statistical data with a period of 3 seconds: too long a period delays attack detection, while too short a period increases the traffic load.
Software Defined Networking (SDN) is a new paradigm in today's computer networks that separates the control logic of the network from the underlying devices and controls the entire network with a logically centralized SDN controller. The OpenFlow protocol is an open-source implementation of SDN used for communication between the SDN controller and switches. The SDN controller can learn the real-time state of the network through periodic OpenFlow messages, and the invention uses this real-time state to detect and prevent intrusion.
The step S20 specifically includes:
step S21, the SDN controller sets a message count threshold, a first access count threshold and a second access count threshold, and judges whether the message count of each flow is less than or equal to the message count threshold; if so, it proceeds to step S22; if not, the flow is not malicious and the process proceeds to step S30;
the message count threshold is preferably 5, because a single port scan involves only three messages (the SYN, SYN/ACK and ACK of a TCP connection) and the interval between port-scan probes is short; since the three messages of a TCP connection may be retransmitted, two additional messages are allowed for.
Step S22, the SDN controller judges whether the number of different target addresses accessed on the same port exceeds the first access count threshold; if so, the corresponding flow is a malicious flow of a lateral (transverse) port scan and its source address is added to the blacklist; if not, proceed to step S23; since a scan of a single port is not an attack, the first access count threshold is preferably 3;
step S23, the SDN controller classifies ports into hot ports and cold ports based on how frequently each port is scanned, applies a weighting formula to the access counts of hot and cold ports under the same target address to obtain a weighted access count, and judges whether the weighted access count exceeds the second access count threshold; if so, the corresponding flow is a malicious flow of a longitudinal port scan and its source address is added to the blacklist; if not, no malicious flow is found and the process proceeds to step S30.
The weighting formula is: TotalWeight = a × CPS + b × OPS,
where TotalWeight is the weighted access count, CPS is the access count of hot ports, OPS is the access count of cold ports, and a and b are weights; a is preferably 5 and b is preferably 3. The second access count threshold is preferably 15.
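The verification logic of steps S21 to S23 with the patent's preferred values, written here as an added Python example (not code from the patent): the FlowStat records, the hot-port rule in hot_ports() and the per-source bookkeeping in verify() are assumptions made for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds and weights as preferred in the patent (steps S21-S23).
MSG_THRESHOLD = 5        # message count threshold: flows with more packets are real sessions
LATERAL_THRESHOLD = 3    # first access count threshold (same port, different targets)
VERTICAL_THRESHOLD = 15  # second access count threshold (weighted ports on one target)
A_HOT, B_COLD = 5, 3     # weights a and b in TotalWeight = a*CPS + b*OPS


@dataclass(frozen=True)
class FlowStat:
    """One row parsed from a flow-stats reply: source, target, TCP port, packet count."""
    src: str
    dst: str
    port: int
    packets: int


def hot_ports(flows, min_sources=2):
    """Classify ports by scanning frequency.

    Assumption (the patent gives no concrete rule): a port is 'hot' when short flows
    from at least `min_sources` distinct sources have targeted it; all others are 'cold'.
    """
    sources_by_port = defaultdict(set)
    for f in flows:
        if f.packets <= MSG_THRESHOLD:
            sources_by_port[f.port].add(f.src)
    return {p for p, srcs in sources_by_port.items() if len(srcs) >= min_sources}


def verify(flows):
    """Steps S21-S23. Returns {source_address: 'lateral' | 'vertical'} for the blacklist."""
    hot = hot_ports(flows)
    targets_by_src_port = defaultdict(set)   # S22: same port, how many different targets?
    ports_by_src_target = defaultdict(set)   # S23: same target, which ports were touched?
    for f in flows:
        if f.packets > MSG_THRESHOLD:        # S21: a full session, not a scan probe
            continue
        targets_by_src_port[(f.src, f.port)].add(f.dst)
        ports_by_src_target[(f.src, f.dst)].add(f.port)

    blacklist = {}
    for (src, _port), targets in targets_by_src_port.items():
        if len(targets) > LATERAL_THRESHOLD:
            blacklist.setdefault(src, "lateral")
    for (src, _dst), ports in ports_by_src_target.items():
        cps = sum(1 for p in ports if p in hot)      # hot-port accesses
        ops = len(ports) - cps                        # cold-port accesses
        if A_HOT * cps + B_COLD * ops > VERTICAL_THRESHOLD:
            blacklist.setdefault(src, "vertical")
    return blacklist


# Constructed sample statistics (not real traffic): a lateral scanner (10.0.0.9),
# a vertical scanner (10.0.0.7), an admin touching three hosts on one port (10.0.0.6)
# and a normal client with one long session and one short one (10.0.0.5).
SAMPLE_FLOWS = [
    FlowStat("10.0.0.9", "10.0.1.1", 22, 1),
    FlowStat("10.0.0.9", "10.0.1.2", 22, 1),
    FlowStat("10.0.0.9", "10.0.1.3", 22, 2),
    FlowStat("10.0.0.9", "10.0.1.4", 22, 1),
    FlowStat("10.0.0.7", "10.0.2.2", 21, 1),
    FlowStat("10.0.0.7", "10.0.2.2", 22, 1),
    FlowStat("10.0.0.7", "10.0.2.2", 23, 1),
    FlowStat("10.0.0.7", "10.0.2.2", 80, 2),
    FlowStat("10.0.0.7", "10.0.2.2", 443, 1),
    FlowStat("10.0.0.7", "10.0.2.2", 8080, 1),
    FlowStat("10.0.0.6", "10.0.1.1", 22, 3),
    FlowStat("10.0.0.6", "10.0.1.2", 22, 3),
    FlowStat("10.0.0.6", "10.0.1.3", 22, 3),
    FlowStat("10.0.0.5", "10.0.3.3", 443, 120),
    FlowStat("10.0.0.5", "10.0.3.3", 80, 3),
]

if __name__ == "__main__":
    for src, kind in sorted(verify(SAMPLE_FLOWS).items()):
        print(f"blacklist {src}: {kind} port scan")
```

With a = 5, b = 3 and a threshold of 15, four hot ports or six cold ports on a single target are enough to trigger the longitudinal check, while the admin touching port 22 on exactly three hosts stays below the lateral threshold.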
The step S30 specifically includes:
when the OpenFlow switch receives a data message, it judges, by means of the PacketIn message, whether the data message is a SYN message; if so, it sends the data message to the SDN controller; if not, it discards the data message and updates the routing rules of its flow table based on the discarded message, thereby preventing ACK/FIN attacks and Christmas tree attacks.
The step S40 specifically includes:
the SDN controller parses the received data message to obtain its source address, target address and port and judges whether the database contains a matching source address, target address and port; if so, it adds a drop rule for the source address of the data message to the flow table in the OpenFlow switch; if not, it adds a forwarding rule for that source address to the flow table in the OpenFlow switch.
Flow entries are deleted from the flow table at the request of the SDN controller or by a timer, so as to prevent the flow table from overflowing; the timer duration is preferably 15 seconds.
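Steps S30 and S40 as a small end-to-end simulation, added here as an example and not the patent's implementation: Packet, FlowRule and FlowTable are simplified stand-ins for the OpenFlow PacketIn and FlowMod handling, the SYN test in is_syn() and the database check in controller_packet_in() are assumptions, and the trace in run_scenario() is constructed.

```python
from dataclasses import dataclass

FLOW_IDLE_TIMEOUT = 15  # seconds; the patent's preferred timer for removing flow entries


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})


@dataclass
class FlowRule:
    """Stand-in for an OpenFlow entry: match on source address, one action, idle timer."""
    ipv4_src: str
    action: str                       # "drop" or "forward"
    idle_timeout: int = FLOW_IDLE_TIMEOUT
    last_hit: float = 0.0


class FlowTable:
    def __init__(self):
        self.rules = {}               # ipv4_src -> FlowRule

    def lookup(self, pkt, now):
        rule = self.rules.get(pkt.src)
        if rule is not None:
            rule.last_hit = now
        return rule

    def install(self, rule, now):
        rule.last_hit = now
        self.rules[rule.ipv4_src] = rule

    def expire(self, now):
        """Timer-based deletion so the table cannot overflow; returns removed sources."""
        stale = [s for s, r in self.rules.items() if now - r.last_hit > r.idle_timeout]
        for s in stale:
            del self.rules[s]
        return stale


def is_syn(pkt):
    # Assumption: a "SYN message" is a connection-initiating segment (SYN set, ACK clear).
    return "SYN" in pkt.flags and "ACK" not in pkt.flags


def switch_receive(table, pkt, now):
    """Step S30 on the switch. Returns (verdict, rule); verdict is forward/drop/packet_in."""
    rule = table.lookup(pkt, now)
    if rule is not None:              # an existing entry decides; no PacketIn needed
        return rule.action, rule
    if is_syn(pkt):
        return "packet_in", None      # only SYNs on a table miss reach the controller
    # Non-SYN table miss (ACK/FIN or Xmas-style probe): drop and remember the source.
    drop = FlowRule(pkt.src, "drop")
    table.install(drop, now)
    return "drop", drop


def controller_packet_in(blacklist, db, pkt):
    """Step S40 on the controller. Assumption: the database check passes when the source
    is on the S20 blacklist or the exact (src, dst, port) triple was recorded as malicious."""
    malicious = pkt.src in blacklist or (pkt.src, pkt.dst, pkt.dport) in db
    return FlowRule(pkt.src, "drop" if malicious else "forward")


def run_scenario():
    """Constructed trace (not captured traffic); returns (source, verdict) per packet."""
    blacklist = {"10.0.0.9"}
    db = {("10.0.0.9", "10.0.1.1", 22), ("10.0.0.9", "10.0.1.2", 22)}
    syn, ack, xmas = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"FIN", "PSH", "URG"})
    trace = [
        (0.0, Packet("10.0.0.9", "10.0.1.3", 22, syn)),    # blacklisted scanner, new target
        (0.5, Packet("10.0.0.9", "10.0.1.4", 22, syn)),    # hits the installed drop rule
        (1.0, Packet("10.0.0.5", "10.0.3.3", 443, syn)),   # normal client, table miss
        (2.0, Packet("10.0.0.5", "10.0.3.3", 443, ack)),   # same client, matches forward rule
        (3.0, Packet("10.0.0.8", "10.0.3.3", 80, xmas)),   # Xmas probe: dropped at the switch
        (20.0, Packet("10.0.0.5", "10.0.3.3", 443, syn)),  # entries expired, PacketIn again
    ]
    table, events = FlowTable(), []
    for now, pkt in trace:
        table.expire(now)
        verdict, rule = switch_receive(table, pkt, now)
        if verdict == "packet_in":
            rule = controller_packet_in(blacklist, db, pkt)
            table.install(rule, now)
            verdict = "packet_in->" + rule.action
        events.append((pkt.src, verdict))
    return events
```

Because the installed rules match only the source address, every later packet from a blacklisted source is dropped without a second PacketIn, and the 15-second idle timer is what eventually frees the entry.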
The preferred embodiment of the network intrusion prevention system for port scanning according to the present invention comprises the following modules:
the statistical data analysis module, used by the SDN controller to acquire the statistical data of all flows from the connected OpenFlow switch, parse it to obtain the source address, target address, port and number of messages of each flow, and store them in a database;
the malicious flow verification module, used by the SDN controller to perform malicious flow verification based on the source address, target address, port and message count and to add the source address of each malicious flow to a blacklist of a flow table;
the data message forwarding module, used to send a data message to the SDN controller through a PacketIn message when the OpenFlow switch receives it;
and the flow table updating module, used by the SDN controller to parse the received data message to obtain its source address, target address and port, check them against the database, and update the flow table in the OpenFlow switch.
The statistical data analysis module is specifically configured to:
the SDN controller periodically requests flow statistics from the connected OpenFlow switch through an API, thereby obtaining the statistical data of all flows in the SDN network, parses the statistics in real time to obtain the source address, target address, port and number of messages of each flow, and stores them in the database of the SDN controller.
The SDN controller acquires the statistical data with a period of 3 seconds: too long a period delays attack detection, while too short a period increases the traffic load.
The malicious flow verification module specifically comprises:
the SDN controller is used to set a message count threshold, a first access count threshold and a second access count threshold, and to judge whether the message count of each flow is less than or equal to the message count threshold; if so, the transverse scanning verification unit is entered; if not, the flow is not malicious and the data message forwarding module is entered;
the message count threshold is preferably 5, because a single port scan involves only three messages (the SYN, SYN/ACK and ACK of a TCP connection) and the interval between port-scan probes is short; since the three messages of a TCP connection may be retransmitted, two additional messages are allowed for.
The transverse scanning verification unit is used by the SDN controller to judge whether the number of different target addresses accessed on the same port exceeds the first access count threshold; if so, the corresponding flow is a malicious flow of a lateral (transverse) port scan and its source address is added to the blacklist; if not, the longitudinal scanning verification unit is entered; since a scan of a single port is not an attack, the first access count threshold is preferably 3;
the longitudinal scanning verification unit is used by the SDN controller to classify ports into hot ports and cold ports based on how frequently each port is scanned, apply a weighting formula to the access counts of hot and cold ports under the same target address to obtain a weighted access count, and judge whether the weighted access count exceeds the second access count threshold; if so, the corresponding flow is a malicious flow of a longitudinal port scan and its source address is added to the blacklist; if not, no malicious flow exists and the data message forwarding module is entered.
The weighting formula is: TotalWeight = a × CPS + b × OPS,
where TotalWeight is the weighted access count, CPS is the access count of hot ports, OPS is the access count of cold ports, and a and b are weights; a is preferably 5 and b is preferably 3. The second access count threshold is preferably 15.
The data message forwarding module is specifically configured to:
when the OpenFlow switch receives a data message, it judges, by means of the PacketIn message, whether the data message is a SYN message; if so, it sends the data message to the SDN controller; if not, it discards the data message and updates the routing rules of its flow table based on the discarded message, thereby preventing ACK/FIN attacks and Christmas tree attacks.
The flow table updating module is specifically configured to:
the SDN controller parses the received data message to obtain its source address, target address and port and judges whether the database contains a matching source address, target address and port; if so, it adds a drop rule for the source address of the data message to the flow table in the OpenFlow switch; if not, it adds a forwarding rule for that source address to the flow table in the OpenFlow switch.
Flow entries are deleted from the flow table at the request of the SDN controller or by a timer, so as to prevent the flow table from overflowing; the timer duration is preferably 15 seconds.
In summary, the invention has the advantages that:
By acquiring the statistical data of all flows in the SDN network, parsing it to obtain the source address, target address, port and number of messages of each flow, and storing these in a database, the SDN controller can judge whether a flow is a malicious flow of a lateral or longitudinal port scan and add the source address of each malicious flow to the blacklist of the flow table. When the OpenFlow switch receives a data message, non-SYN messages are filtered out at the PacketIn stage before the message is sent to the SDN controller; the SDN controller then parses the data message to obtain its source address, target address and port, judges whether the database contains a matching entry, and updates the flow table in the OpenFlow switch accordingly. In other words, port-scan flows are checked for malice by a non-invasive method and the flow table of the OpenFlow switch is updated dynamically to keep the network secure. This is lighter than traditional invasive IDS and IPS, with low network resource consumption, memory occupation and power consumption during data processing, so the resource consumption of network intrusion defense is greatly reduced; it also avoids extra switching delay, because the message content does not have to be analyzed before the message is routed.
While specific embodiments of the invention have been described above, it will be appreciated by those skilled in the art that the specific embodiments described are illustrative only and not intended to limit the scope of the invention, and that equivalent modifications and variations of the invention in light of the spirit of the invention will be covered by the claims of the present invention.
Claims (10)
1. A network intrusion prevention method for port scanning, characterized in that the method comprises the following steps:
step S10, an SDN controller acquires the statistical data of all flows from a connected OpenFlow switch, parses the statistical data to obtain the source address, target address, port and number of messages of each flow, and stores them in a database;
step S20, the SDN controller performs malicious flow verification based on the source address, target address, port and message count, and adds the source address of each malicious flow to a blacklist;
step S30, when the OpenFlow switch receives a data message, it sends the data message to the SDN controller through a PacketIn message;
and step S40, the SDN controller parses the received data message to obtain its source address, target address and port, checks them against the database, and updates the flow table in the OpenFlow switch.
2. The network intrusion prevention method for port scanning according to claim 1, wherein: the step S10 specifically includes:
the SDN controller periodically requests flow statistics from the connected OpenFlow switch through an API, thereby acquiring the statistical data of all flows, analyzes the statistical data in real time to obtain a source address, a target address, a port and the number of messages, and stores the source address, the target address, the port and the number of messages in a database of the SDN controller.
3. The network intrusion prevention method for port scanning according to claim 1, wherein: the step S20 specifically includes:
step S21, the SDN controller sets a message number threshold, a first access number threshold and a second access number threshold, judges whether the message number of each flow is smaller than or equal to the message number threshold, and if yes, enters step S22; if not, the flow is not a malicious flow, and the process proceeds to step S30;
step S22, the SDN controller judges whether the number of the same ports accessing different target addresses exceeds a first access number threshold, if so, the corresponding flow is a malicious flow scanned by a transverse port, and the source address corresponding to the malicious flow is added into a blacklist; if not, go to step S23;
step S23, classifying the ports into hot ports and cold ports based on the scanning frequency of the ports by the SDN controller, carrying out weighted calculation on the access quantity of the hot ports and the cold ports under the same target address through a weighted formula to obtain weighted access times, judging whether the weighted access times exceed a second access quantity threshold, if so, indicating that the corresponding flow is a malicious flow scanned by the longitudinal port, and adding the source address corresponding to the malicious flow into a blacklist; if not, it is determined that there is no malicious flow, and the process proceeds to step S30.
4. The network intrusion prevention method for port scanning according to claim 1, wherein: the step S30 specifically includes:
when the OpenFlow switch receives a data message, judging whether the data message is a SYN message or not through a PacketIn message, and if so, sending the data message to an SDN controller; if not, discarding the data message, and updating the routing rule of the flow table in the OpenFlow switch based on the discarded data message.
5. The network intrusion prevention method for port scanning according to claim 1, wherein: the step S40 specifically includes:
the SDN controller analyzes the received data message to obtain a source address, a target address and a port, judges whether the database has the matched source address, target address and port, if yes, adds a discarding rule aiming at the source address of the data message into a flow table in an OpenFlow switch; if not, adding a forwarding rule aiming at the source address of the data message in a flow table in the OpenFlow switch.
6. A network intrusion prevention system for port scanning, characterized by: the system comprises the following modules:
the statistical data analysis module is used for acquiring statistical data of all flows from the connected OpenFlow switch by the SDN controller, analyzing the statistical data to obtain a source address, a target address, a port and the number of messages and storing the source address, the target address, the port and the number of messages in a database;
the malicious flow verification module is used for carrying out malicious flow verification by the SDN controller based on the source address, the target address, the port and the message quantity, and adding the source address corresponding to the malicious flow into a blacklist;
the data message forwarding module is used for sending the data message to the SDN controller through a PacketIn message when the OpenFlow switch receives the data message;
and the flow table updating module is used for analyzing the received data message by the SDN controller to obtain a source address, a target address and a port, checking the analyzed source address, target address and port through the database, and updating the flow table in the OpenFlow switch.
7. A network intrusion prevention system for port scanning according to claim 6, wherein: the statistical data analysis module is specifically configured to:
the SDN controller periodically requests flow statistics from the connected OpenFlow switch through an API, thereby acquiring the statistical data of all flows, analyzes the statistical data in real time to obtain a source address, a target address, a port and the number of messages, and stores the source address, the target address, the port and the number of messages in a database of the SDN controller.
8. A network intrusion prevention system for port scanning according to claim 6, wherein: the malicious flow verification module specifically comprises:
the SDN controller is used for setting a message quantity threshold, a first access quantity threshold and a second access quantity threshold, and judging whether the message quantity of each flow is smaller than or equal to the message quantity threshold; if yes, entering the transverse scanning verification unit; if not, indicating that the flow is not malicious and entering the data message forwarding module;
the transverse scanning verification unit is used for judging whether the number of the same ports accessing different target addresses exceeds a first access number threshold value or not by the SDN controller, if so, the corresponding flow is a malicious flow scanned by the transverse ports, and the source address corresponding to the malicious flow is added into a blacklist; if not, entering a longitudinal scanning checking unit;
the longitudinal scanning verification unit is used for classifying the ports into hot ports and cold ports based on the scanning frequency of the ports by the SDN controller, carrying out weighted calculation on the access quantity of the hot ports and the cold ports under the same target address through a weighted formula to obtain weighted access times, judging whether the weighted access times exceed a second access quantity threshold value, if so, indicating that the corresponding flow is a malicious flow scanned by the longitudinal ports, and adding the source address corresponding to the malicious flow into a blacklist; if not, indicating that there is no malicious flow, and entering the data message forwarding module.
9. A network intrusion prevention system for port scanning according to claim 6, wherein: the data message forwarding module is specifically configured to:
when the OpenFlow switch receives a data message, judging whether the data message is a SYN message or not through a PacketIn message, and if so, sending the data message to an SDN controller; if not, discarding the data message, and updating the routing rule of the flow table in the OpenFlow switch based on the discarded data message.
10. A network intrusion prevention system for port scanning according to claim 6, wherein: the flow table updating module is specifically configured to:
the SDN controller analyzes the received data message to obtain a source address, a target address and a port, judges whether the database has the matched source address, target address and port, if yes, adds a discarding rule aiming at the source address of the data message into a flow table in an OpenFlow switch; if not, adding a forwarding rule aiming at the source address of the data message in a flow table in the OpenFlow switch.
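As an added example (not the patent's own code) of the verification in claims 1 to 5 and the summary above, the following Python sketch runs steps S21 to S23 over constructed flow statistics, then shows the switch-side SYN filter (S30) and the controller's rule choice (S40). The thresholds, the hot-port set and the hot/cold weights are assumptions, since the patent names the thresholds and a weighted formula but gives no values; the S40 check keys on the source address alone, whereas claim 5 matches source, target and port against the database.

```python
from collections import defaultdict

# Constructed flow statistics, shaped like the fields the controller parses from
# OpenFlow flow-stats replies: (source address, target address, port, number of messages).
FLOWS = (
    [("10.0.0.9", f"10.0.0.{i}", 22, 1) for i in range(1, 5)]          # one port, four targets
    + [("10.0.0.7", "10.0.0.1", p, 1) for p in (80, 21, 8080, 3306)]   # four ports, one target
    + [("10.0.0.5", "10.0.0.1", 80, 120), ("10.0.0.5", "10.0.0.2", 443, 2)]  # benign traffic
)

# Hypothetical tuning values; the patent names the thresholds but gives no numbers,
# and its "weighted formula" for hot/cold ports is not specified, so weights are assumed.
MSG_THRESHOLD = 3              # S21: flows with more messages than this are not scan candidates
FIRST_ACCESS_THRESHOLD = 3     # S22: same port hitting more than this many target addresses
SECOND_ACCESS_THRESHOLD = 3.0  # S23: weighted number of ports probed on one target address
HOT_PORTS = {22, 80, 443, 3389}     # assumed frequently scanned ("hot") ports
HOT_WEIGHT, COLD_WEIGHT = 0.5, 1.5  # a probe of a rarely used port is the stronger signal


def verify_malicious_flows(flows):
    """Steps S21-S23: return {source address: scan type} for sources to blacklist."""
    targets_by_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {target}
    ports_by_target = defaultdict(lambda: defaultdict(set))  # src -> target -> {port}
    for src, dst, port, msgs in flows:
        if msgs > MSG_THRESHOLD:
            continue  # S21: a flow carrying real traffic is not a scan probe
        targets_by_port[src][port].add(dst)
        ports_by_target[src][dst].add(port)
    blacklist = {}
    for src, by_port in targets_by_port.items():
        # S22: transverse (horizontal) scan, one port across many target addresses
        if any(len(targets) > FIRST_ACCESS_THRESHOLD for targets in by_port.values()):
            blacklist[src] = "transverse"
            continue
        # S23: longitudinal (vertical) scan, many ports on one target address, weighted
        for ports in ports_by_target[src].values():
            weighted = sum(HOT_WEIGHT if p in HOT_PORTS else COLD_WEIGHT for p in ports)
            if weighted > SECOND_ACCESS_THRESHOLD:
                blacklist[src] = "longitudinal"
                break
    return blacklist


def switch_sends_packet_in(tcp_flags):
    """S30: only pure SYN messages (SYN set, ACK clear) are sent to the controller."""
    return tcp_flags & 0x12 == 0x02


def flow_rule_for(src, blacklist):
    """S40: rule the controller installs for a source seen in a PacketIn message."""
    return "drop" if src in blacklist else "forward"
```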
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211639079.3A CN116032582A (en) | 2022-12-20 | 2022-12-20 | Network intrusion prevention method and system for port scanning |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211639079.3A CN116032582A (en) | 2022-12-20 | 2022-12-20 | Network intrusion prevention method and system for port scanning |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116032582A true CN116032582A (en) | 2023-04-28 |
Family
ID=86077056
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211639079.3A Pending CN116032582A (en) | 2022-12-20 | 2022-12-20 | Network intrusion prevention method and system for port scanning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116032582A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||