WO2025180269A1 - Endogenous-security network method and architecture, medium, and device - Google Patents
Endogenous-security network method and architecture, medium, and device
- Publication number: WO2025180269A1 (PCT application PCT/CN2025/077983)
- Authority: WO (WIPO, PCT)
- Prior art keywords: forwarding, security, unit, transmission network, network element
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- the present application relates to the field of communication network technology, and specifically to endogenous security network methods, architectures, media and equipment.
- IP/TCP-based network communication systems are usually composed of switches, routers, gateways, terminals, and servers, all of which are openly reachable from each other. This leads to risks of data leakage, loss of data integrity and availability, and loss of network availability.
- the usual security defense concept is the idea of zoning and isolation.
- security areas are divided based on location, business, etc., and then a large number of devices such as FW (firewall), IDS (intrusion detection system), IPS (intrusion prevention system), WAF (web application firewall), sandbox, DLP (data loss prevention), EDR (endpoint detection and response), NDR (network detection and response), etc. are added for isolation and protection.
- a network security domain is a group of computers, servers, databases, business systems, and other systems with the same security level and similar service types and functions. Specifically, in a network, this might be an IP segment (a C segment, a B segment) or several segments, a VLAN or several VLANs, an entire network area connected to a firewall interface, or a cabinet or cabinets in a computer room.
- IP segment: a C segment or a B segment
- VLAN: virtual local area network
- Network security domain isolation essentially divides the entire network into smaller, secure trust domains. Otherwise, an attacker who compromises a single address could scan and detect the entire network.
- Border defense is a single, relatively static security protection technology.
- the Single Security Architecture (SSA) has been implemented.
- the SSA's security capabilities encompass all JIE security capabilities: perimeter protection, endpoint security, mobile endpoint security, data center security, network security situational awareness and analysis, and identity and access management.
- the number of processing nodes has been reduced from over 1,000 to 50.
- the SCCA (Secure Cloud Computing Architecture) product components include:
- Cloud Access Point: provides access to the cloud (connectivity to approved cloud providers) and protects the DISN from cloud-initiated attacks; it simplifies protection and focuses on protecting the network perimeter.
- VDSS: Virtual Data Center Security Stack
- VDMS: Virtual Data Center Management Services
- TCM: Trusted Cloud Credential Manager
- the ZTA (Zero Trust Security Architecture) concept proposed in 2010 assumes that the network is untrustworthy. Every access and every link must be authenticated and authorized before access, and security assessment and re-authentication must be performed continuously. See Figure 5.
- the core component of zero trust in the ZTA architecture diagram is a device with a policy engine, policy manager, and policy enforcement point, usually called a cloud security agent. Before accessing cloud resources, a user must first reach the security agent. The security agent combines many external components to perform access authentication and assessment, and only after passing authentication and assessment can the user access cloud resources/enterprise resources.
- zero trust: the core concept of zero trust is that devices and systems inside and outside the network are never trusted by default.
- the trust foundation of access control needs to be rebuilt based on authentication and authorization, and continuous verification is required.
- the implementation of zero trust faces the following difficulties:
- Zero Trust has significant complexity in terms of network configuration, software-defined networking (SDN), data labeling, analytics, access control, policy orchestration, encryption, automation, and end-to-end ICAM (identity, credential, and access management). Enterprise-level considerations also include determining the data, applications, assets, and services that need to be protected, as well as mapping transaction flows, policy decisions, and policy enforcement locations.
- ZTA requires a lot of manpower and resources, and is difficult to implement.
- Zero Trust essentially means that all users and devices attempting to connect to a military network are identified and authenticated before being granted access, with the goal of "never trust" and "always verify" before allowing a network connection.
- This comprehensive security technology deployment architecture diagram depicts the network landscape of government and enterprise organizations, the integration of information technology and cybersecurity, and the overall security landscape, showing the target state of cybersecurity technology deployment.
- the information technology systems of government and enterprise organizations are divided into various types, including headquarters, regional centers, branches, and network nodes.
- the information technology of government and enterprise organizations is further divided into layers and components, including the global network, backbone network, regional boundaries, communication networks, information systems, cloud platforms, big data platforms, and digital terminals, with their locations and forms marked.
- the Dynamic Heterogeneous Redundancy (DHR) architecture is based on the logical expression of "relative correctness axioms" and closed-loop robust control. It is a closed-loop, iterative, multi-dimensional, dynamically reconfigurable robust control structure based on policy adjudication. It consists of functionally equivalent heterogeneous executors, input and output agents, and iterative policy adjudication, feedback control, and a scheduler.
- the input agent distributes external input signal sequences (optional), while the output agent and iterative adjudication (composed of multiple voting algorithms) form a normalized decision interface.
- the core of the feedback control and scheduler consists of a set of pre-set scheduling policies and intelligent learning algorithms.
- the feedback scheduler: upon receiving information from the adjudicator that an anomaly has been detected, the feedback scheduler is activated and instructs the relevant components to replace, migrate, clean, reorganize, and reconfigure the current operating environment. This process is executed iteratively until the adjudicator's anomaly disappears or its occurrence frequency falls below a set threshold.
- the DHR structure has a unique "uncertainty" operating mechanism that can suppress or control the impact of generalized uncertain disturbances in the heterogeneous executor set K, forming a "security defense fog". Whether it is reliability risks caused by natural factors or security threats caused by intentional human behavior, as long as they are expressed in differential mode, they can be 100% suppressed.
- common-mode expressions to which the adjudication link is sensitive can also be controlled within the threshold range given by the design.
- the biggest problem with mimic defense is its high cost.
- the same function requires multiple heterogeneous executors, and the more heterogeneous executors there are, the stronger the security protection. This is similar to the one-time pad favored by the cryptography community, which, because of its high cost, has not been put into practical use. While multiple internal heterogeneous modes raise the cost of attack, the defender's own cost also rises significantly: requiring at least three executors means that work originally completed by one executor now needs three or more, so the cost grows even faster than the defensive capability. Fifteen years after the theory was proposed, it has yet to be widely adopted, primarily because of this cost, and it is unlikely to be accepted by mainstream security vendors in the near future.
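The adjudication-and-feedback loop described above (functionally equivalent executors, an output agent that votes, and a scheduler that replaces the disagreeing executor until the anomaly disappears) can be modelled in a few dozen lines. The following is an added illustration, not code from the patent or from any mimic-defense product; the executors, the deliberately misbehaving executor and the simple "swap in a spare" replacement policy are constructed for the example.

```python
from collections import Counter

# Added example, not the patent's code: a minimal model of the DHR loop.
# Executor names, the tampered executor and the replacement policy are
# hypothetical and constructed for illustration.

class Executor:
    """One functionally equivalent heterogeneous executor."""
    def __init__(self, name, fn):
        self.name = name
        self.fn = fn

    def run(self, x):
        return self.fn(x)


def majority_adjudicate(outputs):
    """Policy adjudication by majority vote over executor outputs.
    Returns (agreed_output, names of executors that disagreed). With no
    majority, every executor is treated as suspect and no output is released."""
    value, n = Counter(outputs.values()).most_common(1)[0]
    if 2 * n <= len(outputs):
        return None, sorted(outputs)
    return value, sorted(name for name, out in outputs.items() if out != value)


class DHRSystem:
    def __init__(self, pool, k=3):
        self.pool = list(pool)          # all available heterogeneous executors
        self.active = self.pool[:k]     # executors currently in the operating set
        self.anomaly_count = 0
        self.replacements = []          # (replaced executor, replacement executor)

    def process(self, x):
        """Input agent distributes x, output agent adjudicates, scheduler reacts."""
        outputs = {e.name: e.run(x) for e in self.active}
        value, suspects = majority_adjudicate(outputs)
        if suspects:
            self.anomaly_count += 1
            self.feedback_schedule(suspects)
        return value

    def feedback_schedule(self, suspects):
        """Feedback scheduler: swap each disagreeing executor for an unused one
        from the pool (a simple replacement policy, an assumption of this example)."""
        spares = [e for e in self.pool if e not in self.active]
        for name in suspects:
            idx = next(i for i, e in enumerate(self.active) if e.name == name)
            if spares:
                new = spares.pop(0)
                self.replacements.append((name, new.name))
                self.active[idx] = new


def run_demo():
    """Three executors compute the same function; executor B is constructed to
    misbehave on inputs above 5 (a differential-mode fault). Returns the
    released outputs and the scheduler's replacement record."""
    def correct(x):
        return x * 2

    def tampered(x):
        return x * 2 + 1 if x > 5 else x * 2

    system = DHRSystem([Executor("A", correct), Executor("B", tampered),
                        Executor("C", correct), Executor("D", correct)])
    released = [system.process(x) for x in (3, 10, 10)]
    return {"released": released, "anomalies": system.anomaly_count,
            "replacements": system.replacements,
            "active": [e.name for e in system.active]}
```

The differential-mode fault (B alone diverges) is out-voted and B is swapped out, so the released output stays correct throughout; with only three executors a second simultaneous divergence would leave no majority, which is the cost trade-off the text goes on to discuss.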
- NAC: Network Admission Control
- NAC authentication methods: 802.1X authentication, MAC authentication, Portal authentication
- the NAC security solution starts with the security control of terminals accessing the network, combining terminal security status with network access control. Through inspection, isolation, reinforcement and auditing, it strengthens the active defense capabilities of network user terminals, ensuring the security of every terminal in the enterprise and thus protecting the security of the entire enterprise network.
- the NAC security architecture includes three key components: NAC terminal, network access device, and access server.
- NAC includes three authentication methods: 802.1X authentication, MAC authentication, and Portal authentication. Because the three authentication methods have different authentication principles, they are suitable for different scenarios. In actual applications, you can deploy a suitable authentication method according to the scenario, or you can deploy a hybrid authentication method composed of several authentication methods. The combination of hybrid authentication methods is based on the actual support of the device. The following table compares the three authentication methods:
- NAC is an access control technology. Whether or not a terminal is allowed access is based on terminal identity verification and the deployment of traditional security measures, such as antivirus software and operating system vulnerability patches. Only after a user passes authentication is the NAC device's data port opened or a MAC address entry created, allowing network access. Once connected, there are no corresponding access restrictions within the same VLAN or even across VLANs. Therefore, in practice, authenticated host terminals typically have significant access freedom. However, since it's impossible to completely prevent host infection, such as through the exploitation of zero-day vulnerabilities, an infected host terminal can still spread viruses, botnet malware, and other malware to numerous other terminals and servers, potentially compromising business systems, data, and networks. Therefore, while NAC technology can reduce the risk of attack, it doesn't reduce reliance on traditional security deployment and maintenance methods, and security deployment and maintenance costs remain high.
- the existing invention patent application document "Method and Apparatus for Isolation Support in Network Slicing" with publication number CN115843429A includes the following steps: receiving a slice isolation policy of a network slice subnet (NSS) in a transport network (TN) domain, mapping the slice isolation policy to a network resource isolation policy and a service isolation policy, and mapping the network resource isolation policy and the service isolation policy to a network resource allocation policy and a data service forwarding policy, respectively.
- the network resource allocation policy and the data service forwarding policy can be applied to the creation of a TN NSS.
- the aforementioned existing technology is used for a method for isolation support in network slicing.
- 5G network slicing itself divides different bearer resources (forwarding resources, management resources, and monitoring resources) based on the different service characteristics it carries. It is somewhat similar to virtual private network technology. In essence, it is a technology that virtualizes resources into multiple copies for different uses. However, the aforementioned existing technology cannot achieve fine-grained security control and three-sided isolation based on security considerations, and network security still has loopholes.
- the existing invention patent application document "A Zero-Trust Based Immune Security Defense Method," with publication number CN116707980A, implements continuous security testing of access entities, fine-grained control of access behavior, and controls the spread of risks to ensure the normal operation of uninfected applications. It also uses big data analysis and AI technology to self-improve security policies based on historical data. Based on network security technology and combined with systems such as entity behavior analysis, it implements an adaptive immune security mechanism for network security systems.
- Zero trust itself is a concept that adheres to the principles of never trusting, starting from scratch, and dynamic verification. It is typically implemented in data centers. It assumes compromise and distrusts network infrastructure and perimeter security. Every user's access is authenticated and authorized to determine whether access is permitted. This requires extensive detection and analysis capabilities, and therefore, a significant amount of computing power. Its drawbacks are the same as those of the zero-trust architecture discussed earlier.
- the technical problem to be solved by this application is: because of the openness of IP networks, their own security protection capability is low, a large number of external security protection facilities are required, the effect is poor and the cost is high, low-cost security protection capability is difficult to form, and such networks are easy to attack but difficult to defend.
- the endogenous security network method includes: an authentication and authorization method and an automatic learning method;
- the transmission network element forwards the message based on the forwarding characteristic information of the normal service data flow
- the method for binding the service data flow forwarding characteristics to the transmission network element forwarding table entry further includes: the processor in the control plane generates and sends forwarding entries, flow tables, and forwarding whitelists to the forwarding plane;
- a forwarding table entry is generated.
- the forwarding table entry includes but is not limited to:
- step S23'': when the preset learning time threshold is not reached, continue to execute step S2'' to record the forwarding entries generated by normal business access in the temporary table;
- the storage method of the forwarding baseline database includes: distributed storage and centralized storage; specifically, the learning processing method includes but is not limited to: distributed and centralized;
- step S27'': perform abnormal message judgment to determine and discard abnormal business messages; when the data message is determined to be a normal business data message, obtain and update the forwarding baseline database according to the current message forwarding information.
- step S22: the temporary table is stored in each transmission network element, wherein the temporary table storage method includes: distributed storage and centralized storage; in the centralized storage method, the temporary table is stored in the server of the control plane.
- the endogenous security network method also includes an endogenous security elastic network.
- the logical components of the endogenous security elastic network include: host terminal, transmission network element, application server and resources, security network controller, policy server, identity authentication and authorization audit server, network management switch, server, log sampling and threat analysis server; specifically, the transmission network element includes but is not limited to: Ethernet transmission network element, IP transmission network element.
- the logical architecture of the endogenous security elastic network includes: management plane, control plane, and forwarding plane;
- the management ports of all service switches are connected to a dedicated management switch, so that the management interfaces are isolated from the service interfaces of the service switches.
- the management plane includes but is not limited to: a management switch, a management plane server, and an end-to-end component management unit.
- the management server is used to configure the devices in the endogenous security elastic network through the end-to-end component management unit. To ensure security, each transmission network element and the management server perform bidirectional authentication before communicating on the management plane.
- the forwarding plane includes the host terminal business unit, application server and data resource business unit, and the forwarding module of the transmission network element. Specifically, the forwarding module serves as the execution point of the security forwarding policy.
- the forwarding network element includes the message forwarding component, ACL component, statistics component, sampling component, and log tracing component to perform forwarding control, log auditing, threat analysis, log tracing and accountability, and data statistics sampling for threat response.
- the control plane includes: a secure network controller, a policy server, an identity management authorization server, a log sampling and analysis server, and a control module for transmission network elements; the control plane is used to perform bidirectional authentication on intercommunication request devices to enable communication on the control plane; specifically, the identity management authorization server authenticates and authorizes the service data flow to form corresponding blacklists, whitelists, and graylists; the transmission network elements are deployed in a distributed manner, and anti-loop operations are performed using preset protocols.
- the network topology is discovered based on preset routing protocols, and distributed path calculations are performed; the secure network controller is used to perform centralized path calculations to find the transmission network elements related to the optimal path, and the control unit and policy execution unit in the transmission network element are used to generate and send forwarding table entries to the forwarding unit.
- the endogenous security network architecture includes:
- a forwarding information extraction module is used to extract forwarding feature information of normal business data flows;
- a forwarding basis formation module is used to send forwarding feature information of normal business data flows to the transmission network element to form forwarding table entries, flow tables and forwarding whitelists.
- the forwarding basis formation module also includes: an authentication and authorization module and an automatic learning module;
- a message forwarding module is used to forward messages based on the forwarding characteristic information of normal business data flows in the transmission network element
- a discard operation is performed on abnormal business data flow messages, wherein a whitelist used for the forwarding decision is automatically generated based on the configuration files of the switch and router and the characteristics of normal business data flow, and the message forwarding module is connected to the forwarding basis formation module.
- the authentication and authorization module also includes:
- An access request sending unit configured to send an access request message to a specific server or specific resource using a host terminal
- An authentication and authorization processing unit configured to use a transmission network element to send an access request message to an authentication server and an authorization server for authorization and authentication, and the authentication and authorization processing unit is connected to the access request sending unit;
- the forwarding feature extraction unit is used to automatically extract the forwarding feature information of the normal business data flow when authorization and authentication are successful; when authorization and authentication fail, it returns failure information and discards the access request message.
- the forwarding feature extraction unit is connected to the authentication and authorization processing unit;
- the forwarding feature processing unit sends the forwarding feature information of the normal service data flow to the transmission network element, uses the processor of the control plane of the transmission network element to receive the forwarding feature information, and is connected to the forwarding feature extraction unit;
- a forwarding basis generation and delivery unit is used to generate and deliver forwarding table entries, flow tables, and forwarding whitelists to the forwarding plane in the processor of the control plane.
- the forwarding basis generation and delivery unit is connected to the forwarding feature processing unit.
- the authorization and authentication normal message forwarding unit is used to forward the normal business data flow message according to the forwarding table, flow table and forwarding whitelist when the transmission network element receives the authorization successful business data flow message.
- the authorization and authentication normal message forwarding unit is connected to the forwarding basis generation and issuance unit.
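The authentication and authorization module above reads as a small state machine: an access request is relayed to the authentication/authorization server, success causes the flow's forwarding features to be extracted and installed as whitelist entries on the forwarding plane, failure returns an error and discards the request, and the forwarding plane thereafter forwards only whitelisted flows. The following is an added example that models that behaviour; it is not the patent's code, and the class names, the static authorization table, the whitelisting of the reply direction, and the sample flows are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import NamedTuple

# Added example, not the patent's own code. Names, the policy table and the
# sample flows are constructed for illustration.

class FlowKey(NamedTuple):
    """5-tuple forwarding feature information of a service data flow."""
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int

    def reverse(self):
        return FlowKey(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


@dataclass
class AuthServer:
    """Identity authentication and authorization server (assumption: a static
    table of which host may reach which server port)."""
    policy: dict = field(default_factory=dict)   # (host_ip, server_ip) -> {allowed dst ports}

    def authorize(self, host_ip, server_ip, dst_port):
        return dst_port in self.policy.get((host_ip, server_ip), set())


@dataclass
class TransmissionNetworkElement:
    auth: AuthServer
    whitelist: set = field(default_factory=set)   # forwarding whitelist on the forwarding plane
    log: list = field(default_factory=list)

    def access_request(self, key):
        """Control plane: relay the access request to the auth server. On success,
        extract the flow's forwarding features and deliver whitelist entries to
        the forwarding plane; on failure, return failure information and discard."""
        if not self.auth.authorize(key.src_ip, key.dst_ip, key.dst_port):
            self.log.append(("auth_failed", key))
            return False
        # Assumption: the reply direction is whitelisted too so the service can answer.
        self.whitelist.update({key, key.reverse()})
        self.log.append(("authorized", key))
        return True

    def forward(self, key):
        """Forwarding plane: forward only packets whose features match the whitelist."""
        if key in self.whitelist:
            return "FORWARD"
        self.log.append(("dropped", key))
        return "DROP"


def run_demo():
    """Constructed scenario: host 10.0.1.10 is authorized for HTTPS on 10.0.2.20 only."""
    ne = TransmissionNetworkElement(AuthServer({("10.0.1.10", "10.0.2.20"): {443}}))
    web = FlowKey("10.0.1.10", "10.0.2.20", "tcp", 51000, 443)
    ssh = FlowKey("10.0.1.10", "10.0.2.20", "tcp", 51001, 22)
    other = FlowKey("10.0.1.99", "10.0.2.20", "tcp", 40000, 443)   # host never requested access
    return {
        "web_auth": ne.access_request(web),
        "ssh_auth": ne.access_request(ssh),
        "web": ne.forward(web),
        "web_reply": ne.forward(web.reverse()),
        "ssh": ne.forward(ssh),
        "other": ne.forward(other),
        "dropped": sum(1 for kind, _ in ne.log if kind == "dropped"),
    }
```

Because the whitelist key is the full 5-tuple, a new client source port is a new flow that needs its own access request; a deployment that keys on fewer fields (as the text allows with "includes but is not limited to") trades that strictness for fewer control-plane round trips.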
- the automatic learning module also includes:
- a forwarding table entry generating unit configured to generate forwarding table entries during operation of the transmission network element
- the table entry data reading and storage unit is used to read the table entry data from the forwarding table entry according to the preset reading time, store the table entry data in a temporary table, and store the temporary table in the transmission network element.
- the table entry data reading and storage unit is connected to the forwarding table entry generation unit;
- a table entry data continuous processing unit configured to continuously execute step S2' when the preset learning time threshold is not reached, so as to record the forwarding entries generated by normal business access in a temporary table, the table entry data continuous processing unit being connected to the table entry data reading and storing unit;
- a baseline database generation storage unit is configured to generate a forwarding baseline database when a preset learning time threshold is reached, store the forwarding baseline database in a transmission network element, and switch the transmission network element to a baseline control mode accordingly to query the forwarding baseline database, generate subsequent forwarding table entries, and add forwarding table entries to the forwarding plane.
- the forwarding baseline database storage method includes: distributed storage and centralized storage.
- the baseline database generation storage module is connected to the table entry data reading storage unit.
- a service data forwarding control unit is used to obtain baseline data from a forwarding baseline database, determine a forwarding baseline based on the baseline data, and control the transmission network element to forward service data packets according to the forwarding baseline.
- the service data forwarding control unit is connected to the baseline database generation storage unit;
- An exceeding baseline processing unit used to record and extract forwarding information of the current service data message when the service data message exceeds the forwarding baseline, and the exceeding baseline processing unit is connected to the service data forwarding control unit;
- the exception handling and baseline update processing unit is used to judge abnormal messages to determine and discard abnormal business messages.
- when the business data message is determined to be a normal business data message, it obtains and updates the forwarding baseline database based on the current message forwarding information.
- the exception handling and baseline update processing unit is connected to the exceeding baseline processing unit and the business data forwarding control unit.
- a temporary table is stored in each transmission network element, wherein the temporary table storage methods include: distributed storage and centralized storage; in the centralized storage method, the temporary table is stored in the server of the control plane.
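The automatic learning module above describes a two-phase element: while the learning threshold has not been reached, forwarding entries produced by normal access are recorded in a temporary table; once it is reached, the table becomes the forwarding baseline database, the element switches to baseline control mode, and packets beyond the baseline are recorded, judged, and either dropped or folded into the baseline. The following is an added simulation of that procedure, not the patent's code. It counts the learning threshold in packets rather than time, keys entries per service (source port omitted), and replaces the exception handling unit with a judgment callback; all three are assumptions of the example.

```python
from collections import Counter
from typing import Callable, NamedTuple

# Added example, not the patent's code. The packet-counted learning threshold,
# the per-service key and the judgment callback are assumptions.

class ServiceKey(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int     # source port omitted so one entry covers a service (assumption)


class LearningElement:
    LEARNING, BASELINE = "learning", "baseline"

    def __init__(self, learning_threshold, judge: Callable[[ServiceKey], bool]):
        self.learning_threshold = learning_threshold   # preset learning threshold (packets)
        self.judge = judge             # external abnormal-message judgment: True = normal
        self.seen = 0
        self.mode = self.LEARNING
        self.temp_table = Counter()    # temporary table of entries generated by normal access
        self.baseline = {}             # forwarding baseline database: key -> hit count
        self.forwarding_plane = set()  # forwarding table entries installed from the baseline
        self.exceeded = []             # forwarding info recorded for packets beyond the baseline
        self.dropped = []

    def _enter_baseline_mode(self):
        self.baseline = dict(self.temp_table)
        self.forwarding_plane = set(self.baseline)
        self.mode = self.BASELINE

    def handle(self, key):
        """Process one service data packet and return the forwarding decision."""
        self.seen += 1
        if self.mode == self.LEARNING:
            self.temp_table[key] += 1                 # record the entry in the temporary table
            if self.seen >= self.learning_threshold:  # threshold reached: build the baseline
                self._enter_baseline_mode()
            return "FORWARD"
        if key in self.forwarding_plane:              # within the forwarding baseline
            self.baseline[key] += 1
            return "FORWARD"
        self.exceeded.append(key)                     # exceeds baseline: record and judge
        if self.judge(key):                           # judged normal: update the baseline
            self.baseline[key] = 1
            self.forwarding_plane.add(key)
            return "FORWARD"
        self.dropped.append(key)                      # judged abnormal: discard
        return "DROP"


def run_demo():
    """Constructed traffic: four learning packets, then baseline control mode.
    The judgment callback stands in for the exception handling unit and admits
    only one pre-approved new flow."""
    approved = {ServiceKey("10.0.1.12", "10.0.2.20", "tcp", 443)}
    ne = LearningElement(learning_threshold=4, judge=lambda k: k in approved)
    web = ServiceKey("10.0.1.10", "10.0.2.20", "tcp", 443)
    dns = ServiceKey("10.0.1.10", "10.0.2.53", "udp", 53)
    new_host = ServiceKey("10.0.1.12", "10.0.2.20", "tcp", 443)
    unseen = ServiceKey("10.0.1.10", "10.0.2.20", "tcp", 3389)   # never seen during learning
    learned = [ne.handle(k) for k in (web, dns, web, dns)]
    after = [ne.handle(k) for k in (web, unseen, new_host, new_host)]
    hits = {f"{k.src_ip}->{k.dst_ip}:{k.dst_port}": v for k, v in ne.baseline.items()}
    return {"learned": learned, "after": after, "mode": ne.mode,
            "exceeded": len(ne.exceeded), "dropped": len(ne.dropped), "hits": hits}
```

The learning window is the weak point of any baseline scheme: whatever is forwarded during learning, legitimate or not, becomes baseline. In practice the window is run on a clean network and the temporary table is reviewed before the switch to baseline control mode.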
- a computer storage medium stores a plurality of instructions, wherein the instructions are suitable for an intrinsic security network method loaded and executed by a processor.
- an electronic device includes: a processor and a memory; wherein the memory stores a computer program, and the computer program is suitable for an endogenous security network method loaded and executed by the processor.
- This application provides business security capabilities based on a routing and switching architecture platform, eliminating the need for various complex hardware platforms, enabling platform reuse, inherent security, and simultaneous improvement of security and business capabilities.
- This application is based on a routing and switching platform, has inherent security, and can form an integrated, low-cost security value without causing increasing complexity in product types and difficulties in coordination.
- the security configuration of this application is automatically generated and issued based on normal business, thereby reducing configuration workload, lowering usage difficulty and maintenance costs.
- This application can always be online to play its value and maintain a normalized basic level of security, not just for compliance.
- by reducing the difficulty of deploying and using the product, this application reduces deployment costs and enables adoption by both large and small customers, further amortizing costs and increasing customer value.
- the inherent security of this application is integrated into the infrastructure budget, eliminating the need for separate security equipment procurement.
- This application's technical solution possesses universal basic security attributes, addressing customization issues.
- This application reduces the reliance on delivery, deployment, and operation and maintenance personnel through automated associated deployment, thereby reducing deployment costs.
- This application addresses the openness of IP communication systems, which can lead to a wide range of attack points and surfaces. It implements policy control on transmission and information processing network element devices, and each transmission and information processing network element is a policy execution point, thereby building a three-dimensional defense, and constructing enterprise, park, data center and other networks into networks through which only normal business traffic can pass (guaranteed by authentication and traceability capabilities).
- This application links the control and forwarding capabilities of network devices with the authentication and authorization system through a policy controller, blocking the path of attack traffic on each network information processing unit, making it difficult for attack traffic to penetrate the network, thereby effectively protecting assets such as business, network and data.
- This application uses transmission network elements, rather than adding a lot of external security devices, to build a relatively closed network based on business attributes on an open IP system.
- the transmission network elements can not only continue to develop along with the development of open IP network equipment capabilities, but also solve the problem of high protection costs brought by open networks in networks with clear business attributes, thereby realizing an endogenous security solution.
- this application also designs supplementary technologies for automatic learning and protection.
- This application provides a technical solution that eliminates various security risks by enabling transmission network elements such as switches and routers to only forward normal business data streams and not forward other data streams, thereby filtering out illegal access.
- This application is based on the distributed route computation of traditional switches and routers, with SDN functions superimposed. If the SDN controller fails, the network can still operate as a traditional switching and routing network.
- This application solves the technical problem that due to the openness of IP networks, their own security protection capabilities are low, a large number of external security protection facilities are required, the effect is poor and the cost is high, it is difficult to form low-cost security protection capabilities, and it is easy to attack but difficult to defend.
- FIG1 is a schematic diagram of a data flow of a traditional network security architecture of background technology
- FIG2 is an architectural diagram of the technical requirements for security design of information security technology network security level protection in the background technology
- FIG3 is a JIE framework diagram of the U.S. military in the background art
- FIG4 is a schematic diagram of the SCCA secure cloud computing architecture in the U.S. military JIE of the background technology
- FIG5 is a ZTA architecture diagram of background technology
- FIG6 is a diagram of the inherent security mechanism of mimic defense technology in the background art: dynamic heterogeneous redundant construction
- FIG7 is a typical NAC networking diagram of the background technology
- FIG8 is a schematic diagram of the basic steps of the endogenous security network method of Example 1 of the present application.
- FIG9 is a schematic diagram of a specific implementation process of the endogenous security network method using the authentication and authorization method in Example 1 of the present application;
- FIG10 is a schematic diagram of the logical architecture of binding and forwarding service feature data streams according to Example 1 of the present application;
- FIG11 is a schematic diagram of the authentication, authorization and forwarding process for a user to access a service in Example 1 of the present application;
- FIG12 is a schematic diagram of steps for processing service packets based on a forwarding table and an ACL by a transmission unit in Example 1 of the present application;
- FIG13 is a schematic diagram of specific steps for binding normal service data flows to a forwarding table and a whitelist through automatic learning in Example 1 of the present application;
- FIG14 is a schematic diagram of the basic structure of the endogenous security network architecture of Example 2 of the present application.
- FIG16 is a logical architecture diagram of the endogenous security network architecture of Example 2 of the present application.
- FIG17 is a schematic diagram of the actual deployment of the endogenous security network architecture of Example 3 of the present application.
- FIG18 is a schematic diagram of a basic module of a transmission network element according to Example 3 of the present application.
- FIG19 is a schematic diagram of the functional modules of the endogenous security network security policy server of Example 3 of the present application.
- FIG20 is a flowchart of the self-learning method of Example 3 of the present application.
- FIG21 is a schematic diagram of the abnormal message reporting process of the host terminal and the application server business unit in Example 3 of the present application;
- FIG22a is a schematic diagram of the centralized and distributed storage of the MAC address library according to Example 3 of the present application.
- FIG22b is a schematic diagram of several methods of adding a MAC address to a MAC address database according to Example 3 of the present application;
- FIG22c is a schematic diagram of the MAC address library self-learning process in Example 3 of the present application.
- FIG22d is a schematic diagram of a process for preventing non-owned devices from accessing the system according to Example 3 of the present application;
- FIG23 is a schematic diagram of fast-start forwarding, cache entry writing, and reading of a switch in Example 3 of the present application.
- the basic steps of the endogenous security network method provided by this application include but are not limited to:
- forwarding feature information includes but is not limited to 5-tuple information such as source IP, destination IP, destination port, IP protocol type, source port, and protocol.
- information extraction supported in this embodiment also includes, for example, destination MAC, source MAC, Ethernet type, VLAN ID, VLAN priority, IP service type, and key fields of the application layer.
- the characteristic information of the normal service data flow is sent to the transmission network element to form a forwarding table, a flow table or a forwarding whitelist.
- it can be, for example, a MAC table, a FIB table, a flow table, a whitelist based on an ACL or a user-defined list (UDL).
- the transmission network element forwards the message based on the characteristic information of the normal service data flow
- the forwarding table entries, flow table or whitelist have been issued according to the characteristics of the normal service data flow in the aforementioned step S2, when a normal service data packet arrives at a transmission network element such as a switch, router, or gateway, the aforementioned transmission network element will forward the normal packet according to the corresponding table entry;
- routing protocol messages will automatically generate a whitelist based on the configuration files of switches and routers, and can be forwarded.
- some control plane related messages need to be forwarded, including but not limited to: routing protocol messages.
- the aforementioned messages can use multicast addresses, where the content of some messages includes their own protocol type, for example: the protocol type of OSPF messages is 89, and that of IGMP is 2;
- NAC opens the access control port on the access control device.
- Authenticated terminals can access servers and other terminals within the network.
- the method of the present application also differs from NAC in that it binds normal service traffic characteristics to the forwarding table, flow table, and whitelist of the transmission network element. Only normal service data flows can be forwarded, and the transmission network element cannot forward abnormal service data flows.
- the present application can isolate the host terminal from accessing unauthorized services, resources, and other terminals, thereby avoiding the existence of junk traffic and malicious traffic.
- the method for binding service data flow forwarding characteristics to transmission network element forwarding entries further includes the following specific implementation process using authentication and authorization:
- the host terminal initiates an access request to a specific server and resource
- the message will be sent by the transmission network element to the authentication and authorization server for authorization and authentication;
- abnormal service messages are not forwarded by default
- the forwarding characteristic information of the normal service data flow is automatically extracted.
- the aforementioned forwarding characteristic information includes but is not limited to: 5-tuple information, including: source IP, destination IP, destination port, IP protocol type, source port, and protocol.
- the characteristic information of the normal service data flow is sent to the transmission network element, and the control plane CPU of the transmission network element receives the characteristic information of the normal service data flow.
- the transmission network element includes but is not limited to: a switch, a router, and a gateway;
- the transmission network element generates forwarding entries and ACL whitelist
- control plane CPU of the transport network element forms a forwarding table entry, a flow table, and a forwarding whitelist for normal service data flows, which may be, for example, a MAC table, a FIB table, a flow table, a whitelist based on an ACL or a user-defined list (UDL), and sends it to the forwarding plane.
- the transmission network element forwards the service data flow that is successfully authorized.
- if the transmission network element receives a service data flow message that has been successfully authorized, it forwards the normal service message according to the forwarding table entry and the whitelist.
- the service feature data flow binding forwarding logic architecture includes but is not limited to: a host terminal module, a transmission forwarding module, a service resource module, a forwarding feature extraction module, an authentication and authorization module, and a self-learning module;
- the transmission forwarding module is connected to the host terminal module, the service resource module, and the forwarding feature extraction module, and the forwarding feature extraction module is connected to the self-learning module, the authentication and authorization module, and the transmission forwarding module;
- when the host terminal module in this embodiment accesses the business resource module, the forwarding feature extraction module, with the help of the authentication and authorization module or the self-learning module, extracts the forwarding feature information of the access data flow and sends it to the transmission forwarding module for binding to the flow table or forwarding table and the ACL table. After that, the transmission forwarding module can forward the data packets of normal access. In this embodiment, abnormal data packets without bound table entries will not be forwarded, which prevents the forwarding of malicious traffic and achieves the effect of isolation and protection.
- the process of a transmission network element processing a service message based on a forwarding table and an ACL includes:
- the transmission network element checks the forwarding table and the blacklist and whitelist
- the security network controller forwards the message to be forwarded to the identity authentication authorization audit server
- the identity authentication and authorization audit server authenticates and authorizes the user to access the network according to the authorization policy and sends the access policy to the security network controller;
- the security network controller adds the access policy to the whitelist and sends it to the transmission network element;
- the transmission network element generates a corresponding forwarding table entry
- the control plane processes the graylist message and determines how to handle it.
- the control plane reports the exception to the security network controller and sends the message to be forwarded to the security network controller for processing.
- the security network controller integrates various policy information to convert the gray list into specific operations.
- the specific operations include: white list, black list, deletion, etc.
- the forwarding table entries, ACLs, and flow tables of switches and routers are utilized for fine-grained access control of business flows. Encryption, authentication, authorization, or self-learning are used to ensure that only normal business data flows are sent, avoiding abnormal vertical and horizontal data flows, reducing security risks, and avoiding the consumption of large amounts of computing power and the delay impact on normal business.
- the authorized access objects include but are not limited to: servers and resources.
- the process of the green box part in the figure is not just to open the port of the access device, but to send it to the access control device based on the characteristics of the authorized access data flow, and further to form corresponding entries and whitelists in all transmission network elements along the entire path.
- the access control of the host terminal and the accessed server can be further controlled, so that the full-path, end-to-end data forwarding control is achieved, thereby forming a path for normal data flow, and other abnormal data flows have no path. Therefore, junk flow and malicious traffic cannot be forwarded in the network.
- in this embodiment, compared to SDN switches that support flow tables, traditional switches can use a forwarding table and an ACL table to perform forwarding control. See FIG12, which shows the specific process of the transmission unit processing service messages based on the forwarding table and ACL.
- the host terminal initiates access to the application server and various resources.
- the processing process of the transmission network element includes but is not limited to: the transmission network element will process different situations.
- the above-mentioned processing can be carried out in different orders, checking whether the characteristics of the data message to be forwarded are in the blacklist. If it is in the blacklist, the data is directly discarded. If it is in the forwarding table item and in the forwarding whitelist, the data is forwarded.
- a forwarding table is established and forwarded.
- the security network controller can be notified so that it issues a forwarding table establishment instruction before the message is forwarded. If the data is not in the forwarding table and is not on the blacklist or whitelist, the data is sent to the security network controller through the control plane, which forwards the message to the identity authentication and authorization audit server.
- the identity authentication and authorization audit server passes the authentication and determines that it can access the network based on the authorization policy, and then feeds it back to the security network controller.
- the security network controller adds the access policy to the whitelist and sends it to the transmission network element.
- the aforementioned transmission network element is a logical concept and may correspond to multiple physical network elements.
- the security network controller has global switching and routing information, and can send whitelist policies to all relevant network elements. In this embodiment, if the authentication fails, it can be discarded. If multiple frequent authentication behaviors of the same host terminal are found, an early warning prompt can be issued. If it is found to be a malicious terminal, it can be directly added to the blacklist.
- the identity authentication authorization audit server authentication includes but is not limited to: two-way authentication, one-way authentication;
- the security network based on the service whitelist only allows clear service messages to pass through the entire network, and all unclear service messages are discarded, thereby forming a three-dimensional closed service network.
- a graylist mechanism is added for adaptability and flexibility.
- the graylist policy can be defined, and the default graylist does not forward and reports exceptions. It can also be defined as sending the graylist message to the control plane for processing, and the control plane changes the graylist into a whitelist, blacklist, or deletes it according to the corresponding policy and information.
- there are many ways to define a graylist. As shown in Table 2, a special graylist list type is directly defined, and this list type can be converted into a whitelist or a blacklist. Therefore, the scheme adopts a dynamic whitelist, dynamic blacklist and graylist mechanism. By dynamically refreshing the business whitelist, access is only allowed with authorization, and clear threat IPs and URLs are added to the blacklist and access is prohibited.
- Table 2 below adds status flags to the ACL table to distinguish between blacklist, whitelist, and graylist. Status 11 indicates whitelist, status 00 indicates blacklist, and status 10 indicates graylist.
- FIG12 defines the grey list as an entry in the forwarding table but not in the white list or the black list.
- the grey list default policy can be defined.
- the message can be forwarded to the policy management component and then connected to the business unit to confirm whether it meets the business requirements. After confirmation, it is sent to the white list and the message is forwarded. If it is incorrect, the message is discarded and sent to the black list.
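The forwarding decision described in the steps above (blacklist check, forwarding table plus whitelist check, graylist default policy, unknown flows escalated to the security network controller and whitelisted along the whole path after authorization), as an added Python simulation that is not code from the patent. The Table 2 status flags (11 whitelist, 00 blacklist, 10 graylist) are kept; the authorization policy, IP addresses, the three-attempt warning threshold and the `control_plane_whitelist` helper for the routing-protocol whitelist (OSPF = 89, IGMP = 2) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# ACL status flags from Table 2 of the description.
WHITE, BLACK, GRAY = "11", "00", "10"

# 5-tuple forwarding characteristic: (src_ip, dst_ip, ip_proto, src_port, dst_port)
FiveTuple = Tuple[str, str, int, int, int]

# IP protocol numbers for control-plane messages quoted in the description.
PROTO_NUMBERS = {"ospf": 89, "igmp": 2}


def control_plane_whitelist(local_ip: str, peers: Dict[str, List[str]]) -> List[FiveTuple]:
    """Derive whitelist keys for control protocols from the configured protocol
    type and peer addresses (assumed shape of the automatic ACL generation)."""
    return [(peer, local_ip, PROTO_NUMBERS[proto], 0, 0)
            for proto, addrs in peers.items() for peer in addrs]


@dataclass
class NetworkElement:
    """Transmission network element: forwarding table plus ACL with status flags."""
    name: str
    gray_policy: str = "drop"          # default graylist policy: drop and report
    forwarding_table: Set[FiveTuple] = field(default_factory=set)
    acl: Dict[FiveTuple, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def install(self, key: FiveTuple, status: str) -> None:
        """Policy push from the controller; whitelist entries also get a forwarding entry."""
        self.acl[key] = status
        if status == WHITE:
            self.forwarding_table.add(key)
        else:
            self.forwarding_table.discard(key)

    def process(self, key: FiveTuple, controller: "Controller") -> str:
        status = self.acl.get(key)
        if status == BLACK:
            self.log.append(f"{self.name}: drop blacklisted {key}")
            return "drop"
        if status == WHITE and key in self.forwarding_table:
            return "forward"
        # Graylist: flagged explicitly, or (per FIG12) present in the forwarding
        # table without a whitelist/blacklist decision.
        if status == GRAY or (status is None and key in self.forwarding_table):
            self.log.append(f"{self.name}: graylist exception {key}")
            return "drop" if self.gray_policy == "drop" else controller.resolve_gray(key)
        # Unknown flow: no entry anywhere, hand it to the control plane / controller.
        self.log.append(f"{self.name}: unknown flow {key}, sent to controller")
        return controller.authorize(key)


@dataclass
class Controller:
    """Security network controller with a stand-in authorization policy
    (the identity authentication/authorization audit server's decision)."""
    policy: Set[Tuple[str, str, int]]       # allowed (src_ip, dst_ip, dst_port)
    path: List[NetworkElement]              # every element on the end-to-end path
    attempts: Dict[str, int] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)
    warn_after: int = 3                     # assumed threshold for repeated authentication

    def _push(self, key: FiveTuple, status: str) -> None:
        for ne in self.path:                # whole-path entries, not just the access device
            ne.install(key, status)

    def authorize(self, key: FiveTuple) -> str:
        src, dst, _proto, _sport, dport = key
        self.attempts[src] = self.attempts.get(src, 0) + 1
        if (src, dst, dport) in self.policy:
            self._push(key, WHITE)
            return "forward"
        if self.attempts[src] >= self.warn_after:
            self.alerts.append(f"{src}: repeated authentication failures")
            self._push(key, BLACK)          # treated as malicious: blacklisted on the path
        return "drop"

    def resolve_gray(self, key: FiveTuple) -> str:
        """Convert a graylist entry into whitelist or blacklist according to policy."""
        src, dst, _p, _s, dport = key
        status = WHITE if (src, dst, dport) in self.policy else BLACK
        self._push(key, status)
        return "forward" if status == WHITE else "drop"


def demo() -> dict:
    """Constructed scenario: two elements on the path, one authorized service."""
    a1, b1 = NetworkElement("A1"), NetworkElement("B1")
    ctrl = Controller(policy={("10.0.0.5", "10.0.1.10", 443)}, path=[a1, b1])
    for key in control_plane_whitelist("10.0.0.1", {"ospf": ["10.0.0.2"]}):
        a1.install(key, WHITE)
    good = ("10.0.0.5", "10.0.1.10", 6, 40000, 443)
    bad = ("10.0.0.7", "10.0.1.10", 6, 40001, 22)
    ospf = ("10.0.0.2", "10.0.0.1", 89, 0, 0)
    first = a1.process(good, ctrl)          # unknown -> controller -> whitelisted on path
    second = b1.process(good, ctrl)         # already installed on B1 by the push
    attempts = [a1.process(bad, ctrl) for _ in range(3)]
    return {"first": first, "second": second, "ospf": a1.process(ospf, ctrl),
            "bad": attempts, "blacklisted": a1.acl.get(bad) == BLACK,
            "alerts": len(ctrl.alerts)}


if __name__ == "__main__":
    print(demo())
```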
- the aforementioned forwarding table includes, but is not limited to, a switch's Layer 2 forwarding table based on MAC and VLAN, a route-based Layer 3 forwarding table, and a forwarding table based on 5-tuples or even more tuples.
- the forms of blacklists, whitelists, and graylists include, but are not limited to, MAC, VLAN, IP, Port, and corresponding combinations.
- the access control policy can be such that at the end of a session, the application server or service proxy gateway notifies the policy server to delete the access control list. It can also be automatically deleted, for example, through an aging mechanism. For frequently accessed internal services, a long lifecycle policy can also be used to reduce the pressure of continuous authentication analysis and frequent entry downloads.
- access control is performed on the forwarding network element, ensuring that only messages with genuine business needs that have passed authentication and authorization can be forwarded. Unauthorized and blacklisted messages cannot pass through.
- This application can increase attack costs, reduce protection costs, and curb the formation of a black market industry.
- access to Internet content can be controlled by using an access whitelist; a content classification and security classification mechanism based on URLs and IP addresses, generated by a cloud-based threat analysis server, is used to assist in access filtering and control; and access control is performed in conjunction with other security filtering methods.
- the forwarding plane automatically deploys CP-CAR and IP+MAC+port binding to protect against address spoofing attacks and DDoS traffic attacks.
- the control plane protection against address spoofing attacks and DDoS traffic attacks includes, but is not limited to, DHCP snooping, RADIUS snooping, and IGMP snooping.
- ARP attack protection is enabled by default.
- forwarding network elements are deployed in a distributed manner, protocols such as STP, RSTP, MSTP, and ERPS can prevent loops, and the routing protocol automatically discovers the network topology and has a high self-healing ability.
- the security network controller has the forwarding information of the entire network, can perform forwarding optimization, and send the corresponding forwarding information to the corresponding network elements. Therefore, this network structure has both centralized full-network optimization capabilities and distributed self-healing capabilities, and has strong elasticity. Even if the security controller fails, distributed routing and forwarding can still be performed.
- the security network controller is preferably deployed redundantly, with dual-machine backup or even multi-machine distributed deployment to further enhance the network's elasticity.
- the method for binding service data flow forwarding characteristics to transmission network element forwarding table entries further includes the following method of binding normal service data flows to the forwarding table and whitelist through automatic learning.
- the specific implementation process of this method includes:
- the normal operation of the transmission network element automatically generates various table entries; in this embodiment, the aforementioned table entries include but are not limited to: MAC table, FIB table, ARP table;
- the data of each table entry is read at regular intervals and stored in a temporary table.
- This temporary table can be distributed and stored in a medium such as the memory, flash, SSD, or hard disk of the transmission network element, or can be centrally stored in a control plane server, such as a security network controller.
- the centralized storage here refers to the transmission network element.
- the control plane server can also be redundantly distributed on two or more machines.
- the aforementioned interval can be set to, for example, 60 seconds.
- the learning time is reached; in this embodiment, the learning time may be, for example, 12 hours;
- a forwarding baseline database is formed.
- the baseline database can be distributedly stored in the memory, flash, or SSD storage of the transmission network element, or centrally stored in a server, such as a security controller.
- the operation of reading each entry and storing it in the temporary table is continuously performed at a certain interval.
- Different services occur at different times, and the entries usually have an aging mechanism. Therefore, the MAC table, FIB table, and ARP table obtained each time are usually different.
- by repeatedly learning over a period of time, such as multiple times within 12 hours, all entries generated by normal service access can be recorded in the temporary table. It is preferable to set the interval to be less than or equal to the aging time to obtain more comprehensive entries.
- abnormal message judgment can be performed automatically in conjunction with other components or manually confirmed. If it is an abnormal service message, it is discarded and logged. If it is determined to be a newly added normal service data message, the message forwarding information is added to the baseline database, thereby updating the service baseline database.
- the determination method includes but is not limited to: automatic determination and manual confirmation;
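The automatic-learning binding described above (periodic snapshots of the MAC, FIB and ARP tables into a temporary table, an interval no longer than the aging time, a baseline formed when the learning time is reached, and later entries judged against it), as an added Python simulation that is not the patent's code. The 60 s interval and 12 h learning time come from the description; the 300 s aging time, the table contents and the approval callback are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

# An entry is (table_name, key), e.g. ("mac", ("10", "aa:aa:aa:aa:aa:01", "Gi0/1")).
Entry = Tuple[str, Tuple[str, ...]]


@dataclass
class SelfLearner:
    interval_s: int = 60            # snapshot interval (page example: 60 s)
    learning_s: int = 12 * 3600     # learning time (page example: 12 h)
    aging_s: int = 300              # assumed aging time of the element's tables
    temp_table: Set[Entry] = field(default_factory=set)
    baseline: Set[Entry] = field(default_factory=set)
    elapsed_s: int = 0
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # An interval longer than the aging time would miss short-lived entries.
        if self.interval_s > self.aging_s:
            raise ValueError("snapshot interval must not exceed table aging time")

    def snapshot(self, tables: Dict[str, Iterable[Tuple[str, ...]]]) -> bool:
        """Read every current entry into the temporary table. Returns True on the
        snapshot at which the learning time is reached and the baseline is formed."""
        for name, keys in tables.items():
            for k in keys:
                self.temp_table.add((name, tuple(k)))
        self.elapsed_s += self.interval_s
        if self.elapsed_s >= self.learning_s and not self.baseline:
            self.baseline = set(self.temp_table)
            return True
        return False

    def check(self, entry: Entry, is_normal: Callable[[Entry], bool]) -> str:
        """After the baseline exists: baseline entries are forwarded; new entries are
        judged (automatically or by manual confirmation, modelled by `is_normal`)
        and either added to the baseline or discarded and logged."""
        if entry in self.baseline:
            return "forward"
        if is_normal(entry):
            self.baseline.add(entry)
            self.log.append(f"baseline updated with {entry}")
            return "forward"
        self.log.append(f"abnormal entry discarded: {entry}")
        return "drop"


def demo() -> dict:
    learner = SelfLearner(interval_s=60, learning_s=12 * 3600, aging_s=300)
    # Constructed table contents: which entries exist depends on the time of day,
    # because services run at different times and entries age out.
    day_tables = {"mac": [("10", "aa:aa:aa:aa:aa:01", "Gi0/1")],
                  "arp": [("10.0.0.5", "aa:aa:aa:aa:aa:01")]}
    night_tables = {"mac": [("10", "aa:aa:aa:aa:aa:02", "Gi0/2")],
                    "fib": [("10.0.1.0/24", "10.0.0.254")]}
    formed = []
    for tick in range(12 * 3600 // 60):            # 720 snapshots over 12 h
        formed.append(learner.snapshot(day_tables if tick < 360 else night_tables))
    known = ("arp", ("10.0.0.5", "aa:aa:aa:aa:aa:01"))
    rogue = ("mac", ("10", "de:ad:be:ef:00:01", "Gi0/7"))
    approved = ("fib", ("10.0.2.0/24", "10.0.0.254"))
    allowed_new = {approved}                         # stand-in for the confirmation step
    return {
        "formed_at_tick": formed.index(True),
        "baseline_size": len(learner.baseline),
        "known": learner.check(known, lambda e: False),
        "rogue": learner.check(rogue, lambda e: e in allowed_new),
        "approved": learner.check(approved, lambda e: e in allowed_new),
        "baseline_after": len(learner.baseline),
        "dropped_logged": any("abnormal" in line for line in learner.log),
    }


if __name__ == "__main__":
    print(demo())
```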
- the automatic learning business binding method has the advantages of strong adaptability and good compatibility.
- This self-learning mode can be used in MAC authentication mode to automatically learn and generate a MAC address library, thereby generally solving the problem of registering MAC addresses and complex management, thereby enhancing the adaptability of the MAC authentication mode and avoiding the complex deployment of 802.1X.
- the above two modes disclosed in this embodiment both realize the automatic binding of normal business data flows and the forwarding table entries and whitelists of transmission network elements, thereby realizing endogenous security and automation.
- the method of preventing unknown attacks has always been difficult.
- this application is automatically bound and deployed with normal business. Therefore, abnormal data flows are difficult to penetrate the network, which improves the basic security protection level and reduces security operation and maintenance costs.
- the endogenous security network architecture includes: n host terminals, n transmission network elements, n servers, and a security network controller.
- the host terminals are connected to the transmission network elements, which are connected to the servers.
- the transmission network elements are connected to the security network controller, and the transmission network elements forward normal service packets, discard abnormal service packets, and generate alarms.
- the transmission network elements include: Ethernet transmission network elements and IP transmission network elements.
- access control functions and sampling, statistics and other functions are integrated into the transmission network element.
- the IP network is evolved from a completely open network to a business-based elastic, dynamic closed network, forming a three-dimensional defense, thereby ensuring the inherent security of the network. Even if there are some unknown vulnerabilities inside, they are difficult to exploit.
- This application also integrates traditional distributed path calculation with forwarding and software-defined network functions, combining distributed high survivability with centralized optimization control. By integrating the traditional distributed path calculation and security control network architecture with the centralized path calculation and security control network architecture of SDN, the elasticity of network robustness is improved.
- the transmission network element deployed in the enterprise network is a non-open forwarding table.
- the entire network is not divided into different trust domains. Instead, a forwarding table entry or a control list is generated according to the actual business data flow. Only the actual business data flow can be forwarded.
- the first data flow 101 is the actual business flow, and there are forwarding table entries on the Ethernet/IP transmission network element A1 and the Ethernet/IP transmission network element B1; and because the abnormal business data flow has no corresponding forwarding table entry, in this embodiment, the second data flow 102, the third data flow 103, the fourth data flow 104, the fifth data flow 105, and the sixth data flow 106 are abnormal business data flows and do not exist, thereby eliminating the generation and forwarding of junk traffic and malicious traffic.
- the entire network is divided end-to-end into a management plane, a control plane, and a forwarding plane. These three planes are isolated from each other, particularly to limit data impact on the forwarding plane.
- Traditional solutions lack a strict three-dimensional separation, which can easily lead to risk proliferation.
- the main terminals, servers, data assets, storage devices, and other components are incorporated into the overall management of the secure network as part of the network services.
- the logical components of the network architecture include, but are not limited to: host terminals, transmission network elements, application servers, various resources, security network controllers, policy servers, identity authentication and authorization audit servers, network management switches and servers, and log sampling and threat analysis servers. All network elements include encryption and authentication units. Encryption ensures the confidentiality of information and the accuracy and integrity of authentication information, while authentication ensures the legitimacy of identity. Authentication precedes authorization.
- referring to the management switch, management server, and management units of each end-to-end component in FIG16, they are located in the management plane.
- the management server will configure the devices with management units in the network accordingly. To ensure security, two-way authentication is required between each network element by default.
- the management switch and management server can access the management units of each network element through preset usernames, passwords, digital certificates, etc., and perform mutual authentication. Communication on the management plane can only be carried out after mutual authentication. It is best for the application server and the management units and control units of various data resources to communicate with the rest of the management and control plane components through independent interfaces;
- the forwarding plane includes but is not limited to: the business unit of the host terminal, the business units of the application server and various data resources, and the forwarding unit of the forwarding network element.
- the forwarding unit serves as the execution point of the security forwarding policy, including but not limited to: message forwarding, ACL, statistics, sampling, and logging to support forwarding control, log auditing, threat analysis and other functions.
- Log retention facilitates tracing and accountability, and data statistical sampling facilitates threat analysis and attack detection, as well as rapid response.
- the distributed sampling and logging functions built into the transmission network element are adopted. Compared with the existing solutions in which probes are deployed separately, this has the advantages of wide distribution and no need for separate deployment.
- the sampled data coverage is more comprehensive, which is more conducive to data analysis.
- control plane includes but is not limited to: a secure network controller, a policy server, an identity management authorization server, and a log sampling and analysis server.
- the devices that need to communicate with each other on the control plane also undergo two-way authentication. Control plane communication can only be carried out after authentication is passed. In order to improve compatibility, non-authentication mode is also supported. In order to improve security, authentication is supported by default. Protocol messages, multicast and unknown unicast messages have blacklists, whitelists and speed limit measures, and are sent to the secure network controller only after security review by the transmission network element.
- the secure network controller finds the transmission network element related to the optimal path through centralized path calculation, and sends the forwarding table entries to the forwarding unit through the control unit and the policy sending unit to realize the forwarding of normal service data flow.
- the transmission network element also includes: a control protocol unit and a distributed path calculation unit, which can collect network topology and perform distributed path calculation.
- when centralized control cannot be performed due to a security network controller failure or a link failure, the transmission network element can perform distributed path calculation and forwarding, using a customized default policy. Each forwarding network element performs access control for unknown traffic based on the customized default policy.
- the transmission network element also includes: ML and AI units that can learn to form a forwarding baseline, thereby forwarding normal business traffic.
- the aforementioned management unit and control unit can exist in the form of software, for example; the control unit of the host terminal can control the software installed on the local machine, only allow software on the whitelist to be installed or only allow software on the whitelist to communicate externally, review the peripherals connected to the host terminal and report data checks, etc.
- the control unit and management unit of the host terminal usually interact with the management plane server and relevant components of the control plane through in-band communication, and the control unit of the host terminal is included in the security network controller for control. Only the service port opened by the host terminal is allowed to be accessed by other devices, and access to the network is allowed only after complying with the necessary specifications and installing the necessary patches, etc. Similarly, application servers and various data resources can be controlled accordingly.
- the transport network element is a mandatory logical component of the logical architecture. Its form can be adapted to different scenarios. For example, in some small enterprises, the security network controller, policy server, and identity authentication, authorization and audit server can be deployed on a single server. In large enterprises, identity authentication, authorization, and audit can be deployed on different servers. To improve reliability, the security network controller can also be deployed in dual-server backup or even in a distributed deployment. Application servers and various resources typically have a management network port, which can be connected to a network management switch for management, or to a server management platform for management.
- a transmission network element in a secure network architecture also includes: switches and routers.
- the aforementioned transmission network elements no longer only provide open forwarding capabilities, but participate in service-level access control, associating normal service access with the transmission network element's forwarding table or whitelist, and only authorized access is allowed to be forwarded.
- the network includes but is not limited to: access switches, aggregation switches, core switches, DC switches, and routing gateways; in this embodiment, the transmission units in the forwarding plane constitute the basic network, in which the business class devices include but are not limited to: internal application servers, cloud business servers, and host terminals; the network control plane includes but is not limited to: security network controllers, policy servers, sampling, log analysis servers, LDAP servers, DNS servers, local threat analysis servers, and cloud threat intelligence servers; in this embodiment, the management plane of the network includes but is not limited to: management switches and network management servers.
- the network is deployed and isolated based on the management plane, control plane, and forwarding plane.
- the management plane uses the management interface, i.e. the management port directly connected to the CPU.
- Switches and routers have one or two Ethernet management ports directly connected to the CPU.
- a management switch is used to link the management ports of all service switches to the management switch, forming a single management plane.
- the switch's management and service ports are isolated by default, and service port messages cannot be sent to the management port.
- switches also have console ports, which can be linked to the service switch's console ports using a serial port server/management switch. This allows for deeper management of switches and routers and enables appropriate intervention and management during the startup process. This allows the management plane to be hidden within the network, preventing messages from the external forwarding plane from entering the management plane, thereby achieving three-sided isolation for security reasons.
- access switches include but are not limited to: wireless AP-type access devices; DC switches include but are not limited to: data center switches, TOP switches, aggregation switches, core switches, and spine-leaf structures; in this embodiment, LDAP server is used for identity management and authorization functions.
- control plane of the network, terminal, cloud, and service includes, but is not limited to, controllers related to connection and forwarding control of the network, terminal, cloud, and service, servers, security network controllers, terminal controllers, policy servers, LDAP servers, sampling statistics log servers, and threat analysis servers.
- the terminal controller and the security network controller can be integrated into one, and a unified controller can be used.
- the centralized routing calculation module of the security network controller can select an optimized path based on the actual traffic conditions, and can determine the transmission network elements through which the data flow passes based on that path.
- the policy server includes, but is not limited to, a policy engine unit and a policy management unit.
- the LDAP server includes, but is not limited to, identity authentication management and authorization functions.
- control plane messages of the switch itself are processed by the CPU, and the control plane and forwarding plane can be logically isolated.
- the connection and communication between the switch, router, etc. and the network controller use dedicated interfaces and automatically configure forwarding tables and ACLs.
- IP addresses that do not belong to transmission units cannot access the controller.
- the traffic of the forwarding plane will not impact the communication between the switching, routing and other network elements and the controller.
- control traffic can also be carried in-band, using encrypted transmission and ACL control to achieve relative isolation.
- Control messages such as routing protocols are transmitted between transmission network elements, usually in-band. In order to improve security, it is necessary to automatically generate ACLs for protection. According to the configured protocol type and peer address, an ACL whitelist based on the protocol and peer address can be automatically generated.
- encryption, authentication, authorization, logging and other technologies are used to ensure the authenticity and traceability of the business, and the key characteristics of the real business data traffic are associated with the forwarding table items or access control lists or flow tables of the transmission network elements, so as to ensure that only normal business messages are forwarded.
- host terminal 1 sends an access authentication request message for the service.
- This message passes through the access switch or wireless AP.
- the secure network controller can be, for example, a controller in an SDN network or a traditional network manager.
- the controller then sends the user authentication message to the policy server for access policy query.
- the policy server obtains the user's username and password and sends an administrator bind request message to the LDAP server using the administrator DN and password as parameters to obtain query permission.
- the query may return one user DN or at least two.
- the policy server sends a user bind request message to the LDAP server based on the user DN obtained from the query and the password entered by the user. After receiving the user bind request message, the LDAP server checks whether the password entered by the user is correct.
- the LDAP server sends a bind response message to the policy server indicating that the binding is successful. If the password entered by the user is incorrect, the LDAP server sends a bind failure response message to the policy server.
- the policy server uses the next user DN found in the query as a parameter and continues to send binding requests to the LDAP server until one DN is successfully bound; if all user DNs fail to bind, the policy server notifies the user of the authentication and authorization failure through the security network controller; if the policy server receives information that the LDAP server has successfully authorized, it performs a DNS query on the authorized service.
- the policy server checks other relevant policies, including compliance review of the host client, compliance of the accessed application server, and whether it is Internet access; if it is Internet access, it will query the accessed URL and remote IP for infection risks. If the address is included in the risk blacklist, access is not allowed. If the security review is passed, access is allowed; after the policy check is passed, the authorization pass information is sent to the security network controller.
- the authorization pass information includes but is not limited to: host terminal IP address, business server IP address, protocol type, and protocol port number information.
- the security network controller uses the reply information from the policy server and the network topology database to calculate the transmission units on the forwarding path and generates the table entries corresponding to each transmission unit.
- the entries generated for a transmission unit include but are not limited to: flow table, forwarding table, and ACL entries.
- the matching items of the flow table are shown in Table 3 below:
- the security network controller sends corresponding table entries to switches, routers, and other transmission network elements at all levels.
- Typical forwarding table entries are shown in Table 4 below, forming a forwarding path for this authorized data flow on the forwarding plane:
- the accessible ACL is sent to the corresponding service server, the server opens the access restriction, and an authorization success message is sent to the host terminal 1, and the host terminal 1 opens the access control.
- the host terminal 1 accesses the authorized services normally.
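The authorization procedure above (administrator bind, user DN search, per-DN user bind until one succeeds, DNS resolution and policy check, path calculation, entry generation, server-side ACL) as an added, self-contained mock in Python. This is example code written for this page, not code from the patent; the directory contents, service catalogue, risk blacklist, topology and all addresses other than the page's 10.0.2.x hosts are constructed sample data, and the function names are assumptions.

```python
"""Added example (not from the patent): a mock of the access authorization flow
described above. The policy server binds to LDAP with the administrator DN,
searches for the user's DN(s), tries a user bind per DN until one succeeds,
resolves the service, runs the policy checks, and the security network
controller computes a path over the topology database and generates one
entry per transmission unit on that path. The directory, services, risk
blacklist and topology below are constructed sample data."""
from collections import deque

# Constructed directory: DN -> (uid, password). Two DNs carry uid "alice".
LDAP_DIRECTORY = {
    "cn=admin,dc=example,dc=com": ("admin", "admin-secret"),
    "uid=alice,ou=staff,dc=example,dc=com": ("alice", "old-pass"),
    "uid=alice,ou=contractors,dc=example,dc=com": ("alice", "s3cret"),
}
ADMIN_DN, ADMIN_PW = "cn=admin,dc=example,dc=com", "admin-secret"

def ldap_bind(dn, password):
    """Bind succeeds only if the DN exists and the password matches."""
    entry = LDAP_DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def ldap_search_user_dns(uid):
    """Query run under the administrator bind: all DNs with this uid."""
    return [dn for dn, (u, _) in LDAP_DIRECTORY.items() if u == uid]

def authenticate(username, password):
    """Returns the DN that bound successfully, or None if every DN failed."""
    if not ldap_bind(ADMIN_DN, ADMIN_PW):      # administrator bind for query permission
        return None
    for dn in ldap_search_user_dns(username):  # user bind per DN until one succeeds
        if ldap_bind(dn, password):
            return dn
    return None

# Constructed policy data: service catalogue (DNS stand-in) and risk blacklist.
SERVICES = {"erp.example.com": ("10.0.2.6", "tcp", 443),
            "bad.example.com": ("198.51.100.7", "tcp", 80)}
RISK_BLACKLIST = {"198.51.100.7"}

def policy_check(host_ip, service_name):
    """DNS query on the authorized service plus the risk-blacklist check.
    Returns the authorization pass information or None."""
    if service_name not in SERVICES:
        return None
    server_ip, proto, port = SERVICES[service_name]
    if server_ip in RISK_BLACKLIST:
        return None
    return {"host_ip": host_ip, "server_ip": server_ip, "proto": proto, "port": port}

# Constructed topology database: host attachment points and adjacency.
ATTACH = {"10.0.2.10": "access-1", "10.0.2.6": "dc-1"}
LINKS = {"access-1": ["agg-1"], "agg-1": ["access-1", "core-1"],
         "core-1": ["agg-1", "dc-1"], "dc-1": ["core-1"]}

def shortest_path(src, dst):
    """Breadth-first search over the topology (hop count as the cost)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in LINKS[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]

def authorize(username, password, host_ip, service_name):
    """Whole flow: LDAP authentication -> policy check -> path -> entries.
    Returns None on failure, otherwise the path, per-unit entries and the
    ACL to open on the service server."""
    if authenticate(username, password) is None:
        return None
    info = policy_check(host_ip, service_name)
    if info is None:
        return None
    path = shortest_path(ATTACH[info["host_ip"]], ATTACH[info["server_ip"]])
    fwd = {"ip_src": info["host_ip"], "ip_dst": info["server_ip"],
           "ip_proto": info["proto"], "tp_dst": info["port"]}
    rev = {"ip_src": info["server_ip"], "ip_dst": info["host_ip"],
           "ip_proto": info["proto"], "tp_src": info["port"]}
    entries = [{"unit": u, "match": m, "action": "OUTPUT"} for u in path for m in (fwd, rev)]
    server_acl = ("permit", info["host_ip"], info["server_ip"], info["proto"], info["port"])
    return {"path": path, "entries": entries, "server_acl": server_acl}
```

The per-DN loop is the point of the mock: the first DN found for "alice" rejects the password and the second accepts it, which is exactly the case the procedure handles by continuing to the next DN; a service whose resolved address is on the risk blacklist is refused before any path is computed.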
- transmission network elements such as switches and routers at all levels continuously perform logging, sampling, and analysis operations.
- for packets that match no entry, the default policy is executed, which is usually to discard the packet and report the event to the log server for analysis and audit. All access information is logged for easy tracing.
- black, white, and gray list control is implemented on transmission network elements such as switches and routers to control service data flows.
- data transmission network elements such as switches, routers, and gateways not only perform forwarding functions, but should also have more unit modules when implemented.
- the transmission network elements include but are not limited to: forwarding unit, access control unit, statistics unit, sampling unit, log unit, encryption unit, control protocol unit, policy execution unit, authentication unit, sending and receiving unit, ML AI unit, and security unit.
- Some of the functions of the security unit are implemented in the forwarding engine, and some are implemented on the CPU.
- the ML AI unit can perform intelligent statistical analysis and processing based on the collected information. The description of each module is as follows:
- Encryption unit: provides encryption functions for authentication, control information, and forwarded messages. It can be implemented in hardware, such as an ASIC or FPGA, or in software running on the CPU.
- the CPU can support commercial encryption algorithms including but not limited to AES, DES, RSA, SM2, SM3, and SM4.
- an encryption unit is provided in the forwarding module to support the MACsec function.
- Authentication unit: this unit authenticates the device's own identity and authenticates the management server, security network manager, authentication and authorization server, security policy server, and the log, sampling, and threat analysis servers.
- authentication can be performed using, for example, a username and password.
- Using a certificate system can provide higher security, such as Kerberos-based authentication. Kerberos uses TCP/UDP port 88 for authentication and TCP/UDP port 464 for password resets. Ports 88 and 464 must be open on the transmission network element and related servers.
- Management unit: used to manage the transmission network element.
- supported management protocols include but are not limited to: SSH, Telnet, HTTPS, and SNMP, over a dedicated management interface.
- Figure 18 shows the eth0-0-1 port connected to the CPU. This management port is isolated from the control plane network port and the forwarding plane and does not communicate with each other, thereby isolating the security risk transmission of the forwarding plane and the control plane.
- the management server needs to first authenticate with the management unit of the transmission network element. After the authentication is passed, a connection is established and an access control list is automatically generated.
- the IP address of the management server in the figure is 10.0.0.1, so after the authentication is passed, the following ACL entries are associated and established:
  10 permit src-ip host 10.0.0.1 dest-ip 10.0.0.2
  20 permit src-ip host 10.0.0.2 dest-ip 10.0.0.1
  30 deny src-ip any dest-ip any
- the ACL automatically adjusts to:
  10 permit src-ip any dest-ip 10.0.0.2
  20 permit src-ip host 10.0.0.2 dest-ip any
  30 deny src-ip any dest-ip any
- a new management connection and authentication of the 10.0.0.0/24 network segment may be received.
- Forwarding unit: can forward or discard data packets based on the MAC table, ARP table, FIB table, and flow table.
- the MAC table has the following format:
- the ARP table is in the following format:
- the IP routing table is in the following format:
  Codes: C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, P - PIM, > - selected route, * - FIB route, [*] - [AD/Metric]
  C>* 10.0.2.0/24 is directly connected, vlan1
  C>* 10.0.0.2/32 is directly connected, loopback0
  C>* 10.0.1.0/24 is directly connected, eth0-0-2
- the structure of the flow table is as follows:
- Match field: used to match packets; it consists of the ingress port and packet header fields.
- Priority field: among flow entries with the same priority, a packet is matched against the entry that was installed first.
- the value range is 0-65535, and the default value is 32768.
- Counters: statistics field recording the number of packets matching the flow entry.
- Instruction field: supports immediate execution of apply-actions.
- Timeout: supports hard_timeout and idle_timeout.
- hard_timeout indicates the fixed lifetime of the flow entry, which is automatically deleted when it expires.
- idle_timeout indicates the aging time of the flow entry, which is refreshed each time a packet matches the entry.
- the Cookie field is mainly used by the controller to filter flow entries, for example to select an existing flow entry by its cookie in order to modify or delete it.
- the available matching items of the flow table are shown in Table 3 above, and the typical flow table format is shown in Table 4 above.
- the Action field supports many types, as shown in Table 6 below. Commonly used are OUTPUT, Drop, and Normal. OUTPUT indicates the outbound interface, Drop indicates discarding, and Normal indicates the traditional forwarding process, that is, forwarding based on the MAC table, ARP table, and FIB table.
- the host terminal accesses the service server. After authentication is passed, the security network controller sends the following flow table to the transmission network element:
- packets that match a flow entry are forwarded according to that entry. For example, consider a data flow with source address 10.0.2.10 and destination address 10.0.2.6. Since no flow entry matches, the packet is sent to the control plane process: it is first rate-limited and then forwarded to the security network controller for authentication and identification. If the authentication fails, the packet is discarded and the following flow entry is issued:
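The flow table fields described above (match, priority with first-installed-wins among equals, counters, hard and idle timeouts, cookie-based deletion) and the table-miss path (rate-limited punt to the controller, drop entry installed on authentication failure) as an added Python mock. This is example code written for this page, not code from the patent; the authorization database, the token-bucket rates and the packets are constructed, and only the 10.0.2.10 / 10.0.2.6 pair comes from the page.

```python
"""Added example (not from the patent): a minimal flow table with the fields
described above (match, priority, counters, idle/hard timeouts, cookie) and
the table-miss behaviour: a packet that matches no entry is rate-limited on
its way to the control plane, submitted to the controller for authentication,
and on failure a drop entry for that flow is installed. The authorization
database, rate values and packets are constructed sample data."""

class FlowEntry:
    def __init__(self, match, action, priority=32768, cookie=0,
                 idle_timeout=0, hard_timeout=0):
        self.match, self.action = match, action       # Match field / Action
        self.priority, self.cookie = priority, cookie
        self.idle_timeout, self.hard_timeout = idle_timeout, hard_timeout
        self.seq = 0                                  # install order (set by the table)
        self.packets = self.bytes = 0                 # Counters field
        self.installed = self.last_hit = 0.0

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

class FlowTable:
    def __init__(self, punt_rate=10):
        self.entries, self.seq = [], 0
        # Token bucket for packets punted to the control plane (pps).
        self.punt_rate = self.punt_tokens = punt_rate
        self.last_refill = 0.0

    def add(self, entry, now=0.0):
        self.seq += 1
        entry.seq, entry.installed, entry.last_hit = self.seq, now, now
        self.entries.append(entry)
        # Highest priority first; among equal priorities the earliest install wins.
        self.entries.sort(key=lambda e: (-e.priority, e.seq))

    def delete_by_cookie(self, cookie):
        self.entries = [e for e in self.entries if e.cookie != cookie]

    def expire(self, now):
        """Removes entries whose hard or idle timeout has elapsed."""
        self.entries = [e for e in self.entries
                        if (not e.hard_timeout or now - e.installed < e.hard_timeout)
                        and (not e.idle_timeout or now - e.last_hit < e.idle_timeout)]

    def lookup(self, pkt, now):
        self.expire(now)
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.bytes += pkt.get("len", 0)
                e.last_hit = now                      # idle timer refreshed on a hit
                return e.action
        return None                                   # table miss

    def punt_allowed(self, now):
        self.punt_tokens = min(self.punt_rate,
                               self.punt_tokens + (now - self.last_refill) * self.punt_rate)
        self.last_refill = now
        if self.punt_tokens >= 1:
            self.punt_tokens -= 1
            return True
        return False

AUTHORIZED = {("10.0.2.20", "10.0.2.6")}   # constructed: flows the controller accepts

def handle_packet(table, pkt, now):
    """Flow hit -> the entry's action. Miss -> rate-limited punt to the
    controller; the controller's verdict is installed as OUTPUT or DROP."""
    action = table.lookup(pkt, now)
    if action is not None:
        return action
    if not table.punt_allowed(now):
        return "DROP(rate-limited)"
    match = {"ip_src": pkt["ip_src"], "ip_dst": pkt["ip_dst"]}
    if (pkt["ip_src"], pkt["ip_dst"]) in AUTHORIZED:
        table.add(FlowEntry(match, "OUTPUT", cookie=1, idle_timeout=300), now)
        return "OUTPUT"
    table.add(FlowEntry(match, "DROP", cookie=2, hard_timeout=60), now)
    return "DROP"
```

Once the drop entry is installed, later packets of the unauthenticated 10.0.2.10 flow hit it in the forwarding plane and never reach the punt path again, which is what keeps the controller from being flooded by a flow it has already rejected; the hard timeout lets the verdict be re-evaluated later.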
- the access control unit generates a dynamic whitelist, a dynamic blacklist, and a dynamic graylist.
- Methods for generating these lists include, but are not limited to, issuing them from a secure network controller or generating them by a machine learning or artificial intelligence learning unit.
- the forwarding unit, statistics unit, sampling unit, and access control unit may be implemented separately or in combination.
- Each ACE includes an action element (allow or deny) and a series of standard-based filtering elements, such as source address, destination address, protocol, and specific protocol parameters.
- Layer 2 reference elements include MAC-SA, MAC-DA, and other Layer 2 fields for filtering packets, such as COS, VLAN-ID, INNER-COS, INNER-VLAN-ID, and L2 type.
- Layer 3 reference elements include IP-SA, IP-DA, and other Layer 3 fields for filtering packets, such as DSCP, L4 Protocol field, and other fields (TCP port, UDP port, etc.).
- MAC ACL can filter packets based on MAC-SA and MAC-DA. MAC addresses can be configured with masks or configured as host MAC. MAC ACL can also filter packets based on other Layer 2 fields.
- examples include COS, VLAN ID, INNER-COS, INNER-VLAN ID, and L2 type.
- IP ACL: IP ACLs can filter packets based on IP-SA and IP-DA. IP addresses can be configured with masks or as host IP addresses. IP ACLs can also filter packets based on other Layer 3 fields, such as DSCP, L4 Protocol, and other fields (TCP port, UDP port, etc.).
- Time period defines a time period or time cycle during which the ACE is valid; outside this time period or cycle, the ACE is invalid.
- the forwarding unit with flow table function gives priority to using flow table forwarding, and the forwarding of data packets from the host terminal to the server can be completed according to Table 7 and Table 5 if there is no flow table function, while the remaining non-business packets are discarded.
- CoPP is automatically configured.
- the forwarding plane limits the rate of packets sent to the control plane.
- CoPP ACLs process packets based on the CPU exceptions associated with the packets. Supported exceptions include: any, ipda, fwd-to-cpu, slow-protocol, bpdu, erps, eapol, smart-link, dhcp, rip, ospf, pim, bgp, vrrp, ldp, ptp, rsvp, icmp-redirect, mcast-rpf-fail, macsamismatch, vlan-security-discard, port-security-discard, ip-option, udld, dot1x-macbypass, l2protocol-tunnel, arp, igmp, ssh, mlag, and telnet.
- CoPP only rate-limits or filters packets sent to the control plane.
- the activation status of the control plane protocol can be determined based on the configuration of the transmission network element.
- the protocol packets that are not enabled can be further discarded. For example, if ospf is not enabled, the IP packet with protocol number 89 can be configured with a corresponding ACL to be discarded.
- the enabled protocol packets can be limited in the upload rate after learning.
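The CoPP behaviour described above (drop protocol packets for protocols that are not enabled, for example IP protocol 89 when OSPF is off; classify the rest by CPU exception and rate-limit each class) as an added Python mock. This is example code written for this page, not code from the patent; the protocol numbers and TCP ports are the standard ones, while the enabled set, the rates and the sample packets are constructed, and the classifier covers only a handful of the exception names listed above.

```python
"""Added example (not from the patent): control-plane policing derived from
the transmission network element's configuration, as described above. Packets
of protocols that are not enabled are dropped outright (for example OSPF as
IP protocol 89 when OSPF is off); packets of enabled protocols are classified
by CPU exception and rate-limited per class with a token bucket. The protocol
numbers and TCP ports are the standard ones; the enable set, the rates and
the sample packets are constructed."""

def classify(pkt):
    """Maps a packet headed for the CPU to its exception class."""
    proto = pkt.get("ip_proto")
    ports = (pkt.get("tp_src"), pkt.get("tp_dst"))
    if pkt.get("ethertype") == 0x0806:
        return "arp"
    if proto == 89:
        return "ospf"
    if proto == 6 and 179 in ports:
        return "bgp"
    if proto == 6 and pkt.get("tp_dst") == 22:
        return "ssh"
    if proto == 6 and pkt.get("tp_dst") == 23:
        return "telnet"
    return "any"

class TokenBucket:
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

KNOWN_PROTOCOLS = {"ospf", "bgp", "ssh", "telnet", "arp"}

def build_copp(enabled, rates, default_rate=(100, 100)):
    """enabled: protocol names switched on in the element's configuration.
    rates: {class: (pps, burst)}. Returns the CoPP state: a deny set (one
    entry per disabled protocol) and a policer per enabled class plus 'any'."""
    enabled = set(enabled)
    deny = KNOWN_PROTOCOLS - enabled
    limiters = {cls: TokenBucket(*rates.get(cls, default_rate))
                for cls in enabled | {"any"}}
    return deny, limiters

def police(copp, pkt, now):
    """Decision for one packet on its way to the control plane."""
    deny, limiters = copp
    cls = classify(pkt)
    if cls in deny:
        return "drop(disabled %s)" % cls
    return "to-cpu" if limiters[cls].allow(now) else "drop(rate-limited %s)" % cls
```

Deriving the deny set from the configuration rather than from traffic is the point: a protocol the element does not run never gets a policer at all, so its packets cost no CPU budget, while the "any" class catches everything unclassified under a shared limit.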
- Statistics unit: statistics can be collected based on port, VLAN, IP, and 5-tuple, including pps, bps, packet loss, and latency. In this embodiment, these statistics can be used as input for the ML AI unit for analysis and learning.
- Sampling unit: it can sample and send the sampled data to the corresponding server based on SNMP, CLI, Syslog, NetStream, sFlow, and IPFIX.
- the sampled data information can be used as learning input information for the ML AI unit for analysis and learning.
- the CTC7132 chip has a Flow Tracing engine that can support, for example, sFlow and IPFIX flow sampling.
- sFlow is a technology for monitoring the traffic entering the device. It is applied on the monitoring device, samples at a certain rate through a sampling mechanism, and then sends the sampled information to the monitoring server. The traffic status of multiple agents can be viewed on the server.
- sFlow has two types of sampling information: one is the statistical information of the port (counter sampling), and the other is the header of the sampled packet (flow sampling).
- the sFlow flow-sampling fields support, for example:
  Raw Packet Header: intercepts all or part of the original packet header;
  Ethernet Frame Data: for Ethernet packets, parses the Ethernet header information of the packet;
  IPv4 Data: for IPv4 packets, parses the IPv4 header information of the packet;
  Extended Router Data: for routed packets, records the route forwarding information of the packet;
  Extended Switch Data: for Ethernet packets forwarded at Layer 2, records the VLAN translation and VLAN priority translation of the packet.
- the sFlow counter-sampling fields support:
  Generic Interface Counters: general interface statistics, including basic interface information and general interface traffic statistics;
  Ethernet Interface Counters: for Ethernet interfaces, used to count Ethernet-related traffic statistics;
  Processor Information: used to collect statistics on device CPU usage and memory usage.
- sFlow uses UDP for data transmission, with the default destination port being 6343. This can be configured to a different port for improved security. By combining these sampling methods and sending the sampled information to the collector, a data flow-based information database can be formed, facilitating machine learning and analysis.
- the transmission network element can view the following sFlow information:
  sFlow Version: 5
  sFlow Global Information:
    Agent IPv4 address: 10.0.1.8
    Counter Sampling Interval: 15 seconds
    Collector 1: IPv4 Address: 10.0.1.5 Port: 6342
  sFlow Port Information:
- the above configuration can enable sFlow on the eth1-1-1 port connected to the host terminal and the eth1-1-2 port connected to the service server, and send the sampled information to the sampling server 10.0.1.5 through the 6342 port of the UDP protocol.
- Log unit: records information such as forwarding table entries and control table entries, message protocol types and quantities, and forms a log, which is then sent to the log server.
- control table entries include but are not limited to: separate control table entries and unified control table entries.
- ML AI unit: used to analyze and learn the protocol data of the control plane, the management data of the management plane, and the table items, sampling, and statistical data of the forwarding plane, and form relevant strategies for execution or reporting to the upper-level control entity.
- this unit is an optional function for transmission network elements, and the learning can also be performed on a remote server.
- Control protocol unit: the unit that processes the inherent Layer 2, Layer 3, and application layer protocols of the transmission network element.
- control protocols such as STP, RSTP, MSTP, RIP, OSPF, BGP, and IGMP used for topology information collection, identification, and presentation, and network application processing such as DHCP, DNS, 802.1X, and AAA.
- Distributed path calculation unit: performs distributed path calculation. Traditional routers use distributed routing calculation, which gives relatively high network survivability; since the path information does not take the usage status of links into account, the selected path is often not optimal.
- the centralized path calculation method based on the security network controller can calculate a better path and can perform path optimization and adjustment. This technical solution combines the two. When the centralized path calculation fails, the path calculation can be performed independently, which can improve network resilience.
- Policy execution unit: executes the relevant policies issued by the network control unit and security control unit and sends them to the forwarding unit and access control unit.
- Sending and receiving unit: transmits and receives messages to and from other devices on the management and control planes. Control plane messages pass through dedicated interfaces.
- Figure 18 shows eth0-0-2 used to establish a connection with the security network controller after authentication. The protocols used can be SNMP, NETCONF, OpenFlow, and others. Once the connection is established, the following ACL is automatically generated:
  10 permit src-ip host 10.0.1.1 dest-ip 10.0.1.8
  20 permit src-ip host 10.0.1.8 dest-ip 10.0.1.1
  30 deny src-ip any dest-ip any
- a security controller connection and authentication may be received on the 10.0.1.0/24 network segment.
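An added Python example of the automatically generated peer-based ACLs: the management-server ACL established after authentication, its adjusted form that accepts new connections, the control-protocol whitelist generated from the configured protocol type and peer address, and the controller ACL on the control port, plus an evaluator that applies the entries in sequence order with the trailing deny. This is example code written for this page, not code from the patent; the 10.0.0.x / 10.0.1.x addresses are the page's own, while the protocol-to-port mapping, the peer lists and the packets are constructed. It goes slightly beyond the page in one respect: the peer argument may also be a CIDR segment, which is the narrower alternative to the "any" form shown above.

```python
"""Added example (not from the patent): a generator for the peer-based ACL
whitelists described above (the management-server ACL built after
authentication, the control-protocol ACL built from the configured protocol
type and peer address, and the controller ACL on the control port) and an
evaluator that applies the entries in sequence-number order and falls through
to deny. The 10.0.0.x / 10.0.1.x addresses are the page's own; the protocol
port mapping and the sample packets are constructed."""
import ipaddress

def make_ace(seq, action, src, dst, proto=None, port=None):
    """One access control entry; src/dst are a host IP, a CIDR, or 'any'."""
    return {"seq": seq, "action": action, "src": src, "dst": dst,
            "proto": proto, "port": port}

def peer_whitelist(local_ip, peer_spec):
    """Bidirectional permit between the element and an authenticated peer
    (or a segment / 'any' while waiting for new peers to authenticate),
    followed by the final deny."""
    return [make_ace(10, "permit", peer_spec, local_ip),
            make_ace(20, "permit", local_ip, peer_spec),
            make_ace(30, "deny", "any", "any")]

PROTOCOL_PORTS = {"bgp": ("tcp", 179), "ssh": ("tcp", 22)}   # constructed subset

def control_protocol_acl(local_ip, configured_peers):
    """configured_peers: [(protocol name, peer IP), ...] from the element's
    configuration. OSPF runs directly over IP (protocol 89), so its entry
    keys on the IP protocol number rather than a port."""
    aces, seq = [], 10
    for name, peer in configured_peers:
        if name == "ospf":
            aces.append(make_ace(seq, "permit", peer, "any", proto=89))
            seq += 10
            continue
        proto, port = PROTOCOL_PORTS[name]
        aces.append(make_ace(seq, "permit", peer, local_ip, proto, port))
        aces.append(make_ace(seq + 10, "permit", local_ip, peer, proto, port))
        seq += 20
    aces.append(make_ace(seq, "deny", "any", "any"))
    return aces

def _addr_match(spec, ip):
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return spec == ip

def evaluate(acl, pkt):
    """First matching ACE (by sequence number) decides; no match means deny."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
            continue
        if ace["proto"] is not None and pkt.get("proto") != ace["proto"]:
            continue
        if ace["port"] is not None and ace["port"] not in (pkt.get("sport"), pkt.get("dport")):
            continue
        return ace["action"]
    return "deny"
```

`peer_whitelist("10.0.0.2", "10.0.0.1")` reproduces the management ACL shown above and `peer_whitelist("10.0.0.2", "any")` its adjusted form; passing "10.0.0.0/24" instead of "any" limits new connection attempts to the management segment named on the page.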
- the policy execution unit, forwarding unit, and access control unit collaborate to execute the authentication and authorization-based forwarding policy issued by the security network controller.
- the self-learning unit records and compiles forwarding entries over a period of time based on a normal service baseline, forming a historical record baseline. If data that exceeds this baseline requires forwarding, an alarm is generated, initiating the authentication and authorization process.
- Sending and receiving unit: this unit is the security policy server's interface for interacting with other devices in the endogenous security network and is connected to the rest of the internal modules.
- Management unit: this unit is connected to the sending and receiving unit. Its function is similar to that of the management unit of the transmission network element; it also establishes a connection with the management server after passing authentication.
- Authentication and authorization proxy unit: this unit is connected to the sending and receiving unit. On the one hand, it performs its own identity authentication with other devices in the endogenous security network. On the other hand, it connects the security network controller and the authentication and authorization server and acts as an authentication and authorization agent for the complete network controller, thereby providing a basis for forwarding message feature extraction.
- DNS query unit: this unit is connected to the authentication and authorization proxy unit, the forwarding feature extraction unit, and the sending and receiving unit. After authentication passes, the domain name information of the authorized service is usually returned; this domain name information needs to be converted into IP address and port number information, and this unit provides that function as the basis for forwarding feature extraction. If the authentication and authorization proxy unit already returns the IP address and port number of the accessible business server, no DNS query is needed and this unit can be bypassed.
- Forwarding feature extraction unit: this unit is connected to the security policy generation unit, the sending and receiving unit, the DNS unit, the sampling analysis learning unit, the forwarding table learning unit, and the statistical analysis learning unit.
- the function of this unit is to extract the IP source address, IP destination address, protocol number, destination port number, and source port number information between authenticated access connections for use by the security policy generation unit.
- Forwarding table learning unit: this unit is connected to the sending and receiving unit and the forwarding feature extraction unit. It continuously reads forwarding table entries from the transmission network element and generates temporary table entries. Table entries include but are not limited to: MAC table, ARP table, FIB table, and flow table. The format is described in Figure 18.
- Sampling, analysis, and learning unit: this unit connects to the sending and receiving unit and the forwarding feature extraction unit. It reads data from the collectors, performs data analysis, and extracts forwarding data features from the sampled data for use by the forwarding feature extraction unit.
- IPFIX sampling is based on the concept of "flows."
- a flow is a set of packets originating from the same sub-interface with the same source and destination IP addresses, protocol type, source and destination protocol port numbers, and ToS, typically identified by a 5-tuple. IPFIX records statistics for this flow, including timestamp, number of packets, and total byte count.
- IPFIX primarily consists of three devices: Exporter, Collector, and Analyzer.
- the relationship between these three devices is as follows: Exporter analyzes and processes network flows, extracts qualified flow statistics, and outputs these statistics to Collector.
- Collector parses Exporter data packets and collects the statistics into a database for analysis by Analyzer. Analyzer extracts the statistics from Collector for subsequent processing, providing a basis for various services.
- the Sampling, Analysis, and Learning Unit acts as an analyzer, extracting characteristics of the data flows forwarded by transmission network elements over a period of time and sending them to the forwarding feature extraction unit for use.
- Statistical analysis and learning unit: this unit is connected to the sending and receiving unit and the forwarding feature extraction unit. It receives statistical information on flows, ports, CPU utilization, etc. provided by transmission network elements and collectors, uses machine learning methods to monitor traffic conditions, and can generate corresponding rules for use by the security policy generation unit.
- Other security policy input units: these are connected to the sending and receiving unit and the security policy generation unit. They receive threat information and other server information provided by the local threat analysis server and the cloud security threat analysis server, sort their features into the form of, for example, 5-tuples and 7-tuples, and provide them to the security policy generation unit.
- Security policy generation unit: this unit is connected to the forwarding feature extraction unit, the other security policy input units, the sending and receiving unit, and the security policy management unit. It integrates the input information of the aforementioned units and generates a security policy, which is then output to the security policy management unit.
- Security policy management unit: this unit is connected to the security policy generation unit and the sending and receiving unit. It is mainly responsible for maintaining the security policy library, optimizing the rule set, and issuing security policies.
- the self-learning method of this embodiment establishes a whitelist rule table for normal service data flows and distributes it to the flow table, forwarding table, and ACL table of the transmission network element.
- the forwarding table entry learning unit continuously reads forwarding table entries, ACLs, and flow tables at regular intervals (e.g., 60 seconds) during the learning period to form a temporary database of table entries.
- the statistical analysis learning unit continuously reads and preprocesses statistical data to form a statistical database.
- the sampling, analysis, and learning unit reads flow sampling data in real time, performs preprocessing to form flow data, and then queries whether the flow data rules are in the flow table. If so, it returns to the step of reading the flow sampling data. If not, it queries whether it is in the ACL.
- the security policy generation unit determines whether to add to the whitelist rule table based on the health status of the port bandwidth, CPU, and memory usage provided by the statistical analysis and learning unit. If the health status is good, the new rule is added to the whitelist rule table. If the port bandwidth, CPU, or memory usage exceeds the health threshold, an alarm is issued and the process stops.
- the security policy management unit optimizes the whitelist rule set generated by the security policy generation unit.
- the unit is responsible for issuing the security policy to the security policy execution unit of the transmission network element through the security network controller.
- the self-learning algorithm based on the access path of the source host and the destination host includes but is not limited to the following logic:
- the counter r[count] represents the number of accesses from the source host to the destination host, which also corresponds to the number of times the transmission network element receives the corresponding message.
- the threshold value is set by the network administrator based on the actual data patterns recorded in the network. After a period of machine learning, the statistics generated by machine learning can also be used as the threshold value.
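The self-learning procedure above, together with the IPFIX flow notion it consumes (packets grouped by 5-tuple with timestamps, packet and byte counts), as an added Python example. This is example code written for this page, not code from the patent; the sampled packets, the existing flow table, the health limits and the threshold are constructed, and the names learn_whitelist, aggregate_flows and covered are assumptions.

```python
"""Added example (not from the patent): the self-learning loop described above
run on constructed sample data. Sampled packets are first aggregated into
5-tuple flows (the IPFIX notion of a flow, with packet and byte counts), then
each flow not already covered by the flow table or ACL is counted; once its
access count r[count] reaches the administrator's threshold and the element's
health indicators are within limits, a whitelist rule is generated. Names such
as learn_whitelist and the threshold/health values are assumptions."""
from collections import defaultdict

def aggregate_flows(samples):
    """samples: list of dicts with ts, src, dst, proto, sport, dport, length.
    Returns {5-tuple: {"first": ts, "last": ts, "packets": n, "bytes": b}}."""
    flows = {}
    for s in samples:
        key = (s["src"], s["dst"], s["proto"], s["sport"], s["dport"])
        rec = flows.setdefault(key, {"first": s["ts"], "last": s["ts"],
                                     "packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += s["length"]
        rec["last"] = max(rec["last"], s["ts"])
    return flows

def covered(key, flow_table, acl_rules):
    """Is this 5-tuple already permitted by an existing flow entry or ACE?"""
    src, dst, proto, _sport, dport = key
    return (src, dst) in flow_table or (src, dst, proto, dport) in acl_rules

def healthy(stats, limits):
    """Port bandwidth, CPU and memory all within the configured thresholds."""
    return all(stats[k] <= limits[k] for k in ("bandwidth_pct", "cpu_pct", "mem_pct"))

def learn_whitelist(sample_batches, flow_table, acl_rules, stats, threshold, limits):
    """Runs the learning period over successive sample batches (one per read
    interval). Returns (whitelist rules, alarms). r is the per (src, dst)
    access counter r[count] from the text."""
    r = defaultdict(int)
    whitelist, alarms = [], []
    for batch in sample_batches:
        for key, rec in aggregate_flows(batch).items():
            if covered(key, flow_table, acl_rules):
                continue                       # already a known normal flow
            src, dst, proto, _sport, dport = key
            r[(src, dst)] += rec["packets"]    # each sampled packet is one access
            if r[(src, dst)] < threshold:
                continue                       # not yet enough evidence
            if not healthy(stats, limits):
                alarms.append(("unhealthy", dict(stats)))
                return whitelist, alarms       # process stops on bad health
            rule = (src, dst, proto, dport)
            if rule not in acl_rules and rule not in whitelist:
                whitelist.append(rule)
    return whitelist, alarms
```

The health gate sits between "threshold reached" and "rule added" on purpose: a flow that only becomes frequent while the element is saturated is exactly the flow that should not be promoted to the baseline without review.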
- a service baseline is established by using methods such as automatic learning or artificial intelligence, and a forwarding table or flow table and an access control list are formed in the transmission network element to ensure that only normal service data packets are forwarded.
- a secure network architecture also includes: a management plane, a control plane, and a service forwarding plane.
- the management plane, the control plane, and the service forwarding plane are isolated from each other to achieve risk isolation and ensure that attacks and risks on the service forwarding plane do not spread to the control plane and the management plane.
- a dynamic graylist mechanism can be used for unknown traffic access: the forwarding network element transmits the traffic to the security controller and the authentication and authorization system through the management control channel for authentication, or for manual confirmation or automatic security review. If it passes, the traffic is placed in the whitelist; if it fails, it is discarded by default and the relevant platforms, such as threat analysis, are notified; how graylist traffic is handled can be customized. If authentication fails, the traffic can, according to the macro security policy, be prohibited, raise an alarm, or be temporarily forwarded and placed under monitoring. In this embodiment, a dynamic blacklist can also be added. When the security policy, authentication, and authorization servers are unavailable, a customized default policy is adopted: each forwarding network element performs access control for unknown traffic based on the customized default policy, or adopts distributed automatic learning and AI statistics.
- transmission network element statistics are used for reporting operations, including but not limited to statistics and sampling, to collaborate with relevant servers for threat analysis, attack detection, and response. Based on the latest threat analysis results, access control lists are issued to isolate risks. In this embodiment, isolation is based on security enhancements required for network deployment, implementation, and management, with the goal of preventing the cross-plane spread of risks.
- all communication information-related resources are included in the overall management of the secure network as part of the network service. Only the normally open service ports of servers and terminals are open to access, and access to non-open ports is prohibited. Access control can be based on ACLs and flow tables on transmission network elements, or on units with strong forwarding processing capabilities such as smart network cards and data processing units.
- communication information-related resources include but are not limited to: main terminals, servers, storage devices, and data assets.
- an attack detection mechanism based on a business processing unit/program is set in the software of the host terminal and the server.
- when the business unit/program receives an abnormal message during normal communication, the abnormal message is forwarded to the local control unit for processing.
- the local control unit extracts the characteristics of the abnormal message.
- the characteristics of the abnormal message include but are not limited to: source IP, source MAC, protocol type, and source port; the local control unit reports this characteristic information to the corresponding device of the control plane, which issues a blocking strategy and notifies the relevant analysis and processing unit to start analysis and processing.
- the process of reporting abnormal service unit messages of the host terminal and the application server includes the following specific steps:
- the business unit opens the port and establishes a normal session;
- S102' the service unit receives a message from an abnormal session;
- the control unit extracts the abnormal message features: source IP, source MAC, protocol type, source port, and other information;
- the control unit reports the characteristic information to the security network controller, which issues a blocking strategy and notifies the relevant analysis unit to process it;
- detection enhancement is performed, and a host terminal and application server attack detection mechanism based on a service processing unit/program is designed.
- when a service unit/program receives an abnormal message during normal communication, the abnormal message is forwarded to the local control unit for processing.
- the local control unit extracts the characteristics of the abnormal message and reports the characteristic information to the corresponding device on the control plane, such as the security network controller, which issues a blocking policy and notifies the relevant analysis and processing unit to initiate analysis and processing.
- the report to the security network controller can be sent to the pre-configured IP address of the peer (usually after mutual authentication) or to a specific multicast address.
- the advantage of using a multicast address is that multiple devices can receive the information and start processing synchronously.
- the characteristics of the abnormal message include, but are not limited to: source IP, source MAC, protocol type, and source port.
- the TCP port or UDP port used for normal business can thus detect abnormal messages and attacks, report them for processing, and automatically trigger a forwarding blacklist, thereby further enhancing the inherent security of the network. This has very good application value in industrial scenarios, autonomous driving and other scenarios that attach great importance to security.
- the abnormal message can be identified by, among other criteria, message sequence number, source port number and source IP address; refer to the following Table 4:
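The reporting procedure above (open port and session, abnormal message, feature extraction, report, blocking rule) as an added Python model; this is illustrative code, not the patent's or any vendor's implementation. ServiceUnit, LocalControlUnit, SecurityNetworkController and TransmissionElement are hypothetical stand-ins for the units the text names, the dict-based ACL is an assumed format rather than a real device API, and the packets are constructed sample traffic.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the procedure looks at."""
    src_ip: str
    src_mac: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    seq: int = 0        # TCP sequence number, ignored for udp
    syn: bool = False   # TCP SYN flag marks session setup


Features = Dict[str, object]


@dataclass
class ServiceUnit:
    """Business program with a fixed set of normally open ports (S101)."""
    open_ports: Set[int]
    # (src_ip, src_port, dst_port) -> next expected sequence number
    sessions: Dict[Tuple[str, int, int], int] = field(default_factory=dict)

    def receive(self, p: Packet) -> Optional[str]:
        """Return None for a normal message, else why it is abnormal (S102')."""
        if p.dst_port not in self.open_ports:
            return "non-open port"
        if p.proto == "udp":
            return None
        key = (p.src_ip, p.src_port, p.dst_port)
        if p.syn:                                   # new session
            self.sessions[key] = p.seq + 1
            return None
        if key not in self.sessions:
            return "segment without session"
        if p.seq != self.sessions[key]:
            return "unexpected sequence number"
        self.sessions[key] = p.seq + 1
        return None


class LocalControlUnit:
    """Extracts the characteristics of an abnormal message (S103)."""

    @staticmethod
    def extract(p: Packet, reason: str) -> Features:
        return {"src_ip": p.src_ip, "src_mac": p.src_mac,
                "proto": p.proto, "src_port": p.src_port, "reason": reason}


@dataclass
class TransmissionElement:
    """Switch/router ACL: a packet matching a drop rule never reaches the host."""
    acl: List[Features] = field(default_factory=list)

    def permits(self, p: Packet) -> bool:
        return not any(r["src_ip"] == p.src_ip and r["src_mac"] == p.src_mac
                       for r in self.acl)


class SecurityNetworkController:
    """Receives reports and issues the blocking strategy (S104)."""

    def __init__(self, element: TransmissionElement):
        self.element = element
        self.reports: List[Features] = []

    def report(self, f: Features) -> Features:
        self.reports.append(f)
        # Blocking strategy used here: drop all traffic from the reported
        # source whatever the destination port (a forwarding blacklist entry).
        rule = {"src_ip": f["src_ip"], "src_mac": f["src_mac"], "action": "drop"}
        self.element.acl.append(rule)
        return rule


def run_host(element: TransmissionElement, service: ServiceUnit,
             controller: SecurityNetworkController, packets: List[Packet]) -> List[str]:
    """Push packets through the network element to the host; return verdicts."""
    verdicts = []
    for p in packets:
        if not element.permits(p):
            verdicts.append("dropped-by-acl")
            continue
        reason = service.receive(p)
        if reason is None:
            verdicts.append("forwarded")
        else:
            controller.report(LocalControlUnit.extract(p, reason))
            verdicts.append("reported:" + reason)
    return verdicts


def demo() -> Tuple[List[str], List[Features]]:
    """Constructed traffic: a legitimate client, then a scanner that probes a
    non-open port and afterwards retries an open one."""
    element = TransmissionElement()
    service = ServiceUnit(open_ports={443})
    controller = SecurityNetworkController(element)
    packets = [
        Packet("10.0.0.5", "aa:aa:aa:aa:aa:01", "tcp", 50000, 443, seq=100, syn=True),
        Packet("10.0.0.5", "aa:aa:aa:aa:aa:01", "tcp", 50000, 443, seq=101),
        Packet("10.0.0.99", "aa:aa:aa:aa:aa:99", "tcp", 40000, 8080, seq=1, syn=True),
        Packet("10.0.0.99", "aa:aa:aa:aa:aa:99", "tcp", 40001, 443, seq=1, syn=True),
    ]
    return run_host(element, service, controller, packets), element.acl
```

The fourth packet is dropped by the network element even though it targets an open port, because the first probe already produced a blacklist rule for that source.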
- a MAC restriction solution can be used to facilitate transitional deployment.
- the MAC addresses of the enterprise's host terminals, servers and so on are entered into the enterprise's MAC address library by camera scanning or manual input, and stored in the network controller or authentication server.
- the switch has an ASIC and a CPU, and can perform hardware MAC learning on the ASIC or software MAC learning on the CPU; Figure 22b shows the process of hardware MAC learning, and Figure 22c shows the process of CPU software MAC learning.
- an address library verification step is added to the flowchart of CPU software learning, and MAC learning is configured as a soft learning solution (frames are sent to the CPU for learning).
- the MAC address database can also be stored/cached in the switch's control layer for verification; see Figure 22d. To improve learning speed, hardware learning can be used at startup to form a forwarding table.
- the MAC table is then sent to the CPU for soft learning.
- each MAC table entry is then checked against the company's MAC address database. If it is not found, the packet is discarded, the entry is not added, and an alarm is generated. If the MAC address is manually confirmed to belong to a company device, it can be added to the company's address database; if it is confirmed to be a non-company device, it can be added to a blacklist that prohibits packet forwarding, further improving security. This prevents access by non-company devices.
- Figures 22a, 22b, 22c, and 22d illustrate the formation and use of the company's MAC address database, with Figure A demonstrating the use of a distributed MAC address database. In small and medium-sized enterprises, there are few IT operation and maintenance personnel and the IT system is not well-developed. This solution can improve network security while reducing the complexity and difficulty of operation and maintenance.
- switches and routers store learned MAC and IP table entries, or flow tables and ACL rule tables. This storage operation is performed every 10 minutes.
- the cached MAC and IP table entries, flow tables, and ACL rule tables are quickly retrieved and distributed to the forwarding plane, enabling rapid service recovery.
- the control layer then refreshes the cached MAC and IP table entries. This further enhances network resiliency. Rapid restoration of communication is a crucial requirement in networks such as those on military vehicles, ships and unmanned equipment, where it ensures the survivability of both the equipment and its personnel; this feature meets that requirement.
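An added Python sketch of the MAC soft-learning path described above (hardware learning at startup, CPU verification of every entry against the company address library, alarm and drop for unknown MACs, blacklist for confirmed foreign devices, and the periodic snapshot/restore of the learned table); it is illustrative code, not the patent's. EnterpriseMacDb, SoftLearningSwitch and the JSON snapshot format are hypothetical, and the MAC addresses are constructed sample values.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form, so lookups do not depend on how a
    MAC was typed or scanned in ("AA-BB-CC-00-00-01" vs "aabb.cc00.0001")."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class EnterpriseMacDb:
    """Company MAC address library (from scanning or manual input) plus the
    blacklist of devices confirmed as foreign; kept on the controller or
    authentication server, or cached on the switch control layer."""
    registered: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)

    def register(self, mac: str) -> None:
        """Operator confirmed the device belongs to the company."""
        m = norm_mac(mac)
        self.blacklist.discard(m)
        self.registered.add(m)

    def ban(self, mac: str) -> None:
        """Operator confirmed the device is not the company's."""
        m = norm_mac(mac)
        self.registered.discard(m)
        self.blacklist.add(m)


@dataclass
class SoftLearningSwitch:
    """MAC learning done on the CPU with address-library verification."""
    db: EnterpriseMacDb
    fdb: Dict[str, int] = field(default_factory=dict)   # MAC -> port
    alarms: List[str] = field(default_factory=list)

    def learn(self, src_mac: str, port: int) -> str:
        """Process one frame punted to the CPU for soft learning."""
        mac = norm_mac(src_mac)
        if mac in self.db.blacklist:
            return "blacklisted"            # forwarding prohibited
        if mac not in self.db.registered:
            self.alarms.append(f"unregistered MAC {mac} on port {port}")
            return "dropped"                # frame discarded, no entry added
        if self.fdb.get(mac) == port:
            return "known"
        self.fdb[mac] = port                # verified entry enters the table
        return "learned"

    def audit_hardware_table(self, hw_table: Dict[str, int]) -> List[str]:
        """Startup path: the ASIC learns first for speed, then its table is
        handed to the CPU and every entry is checked against the library.
        Returns the MACs that were rejected."""
        rejected = []
        for mac, port in hw_table.items():
            if self.learn(mac, port) in ("dropped", "blacklisted"):
                rejected.append(norm_mac(mac))
        return rejected

    def snapshot(self) -> str:
        """Persist learned entries (the text stores them every 10 minutes)."""
        return json.dumps({"fdb": self.fdb}, sort_keys=True)

    @classmethod
    def restore(cls, db: EnterpriseMacDb, blob: str) -> "SoftLearningSwitch":
        """Rebuild the forwarding table from a snapshot for rapid recovery."""
        sw = cls(db)
        sw.fdb = dict(json.loads(blob)["fdb"])
        return sw


def demo() -> Dict[str, object]:
    """Constructed scenario: two registered devices, one unknown device that
    is later confirmed foreign, and a snapshot/restore cycle."""
    db = EnterpriseMacDb()
    db.register("AA-BB-CC-00-00-01")
    db.register("aabb.cc00.0002")
    sw = SoftLearningSwitch(db)
    rejected = sw.audit_hardware_table({
        "aa:bb:cc:00:00:01": 1, "aa:bb:cc:00:00:02": 2, "de:ad:be:ef:00:01": 7})
    db.ban("de:ad:be:ef:00:01")              # operator decision after the alarm
    second = sw.learn("de:ad:be:ef:00:01", 7)
    restored = SoftLearningSwitch.restore(db, sw.snapshot())
    return {"rejected": rejected, "second": second,
            "alarms": len(sw.alarms), "restored_fdb": restored.fdb}
```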
- the automatic learning service binding method adopted in this application has the advantages of strong adaptability and good compatibility.
- the disadvantage is that when adding a new service, either learning or reconfirmation is required.
- this self-learning mode can be used in MAC authentication mode to automatically learn and generate a MAC address database, solving the problem of registering MAC addresses and their complex management, enhancing the adaptability of MAC authentication mode and avoiding the complex deployment of 802.1X.
- a device for binding service data flow forwarding characteristics to transmission network element forwarding table entries, comprising:
- a computer-executable program, wherein the program is stored in the memory and executed by the processor.
- when the processor executes the program, the method for binding service data flow forwarding characteristics to transmission network element forwarding table entries described in embodiment 1 above is implemented.
- the device for binding service data flow forwarding characteristics to transmission network element forwarding entries is a computer-readable storage medium including a memory, a processor, a communication interface, and a bus.
- the aforementioned memory may include a large-capacity memory for data or instructions.
- the memory may include: an HDD, a floppy disk drive, a flash memory, an optical disk, a magneto-optical disk, a magnetic tape, or a universal serial bus (USB) drive, or a combination of two or more of these.
- the memory may include removable or non-removable (fixed) media holding a computer program stored in a computer-readable storage medium.
- the memory may be part of the device for binding service data flow forwarding characteristics to transmission network element forwarding table entries;
- the aforementioned memory may be, for example, a non-volatile solid-state memory.
- the aforementioned memory includes a read-only memory (ROM).
- the ROM may be, for example, a mask-programmable ROM, a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), an electrically rewritable ROM (EAROM), or a flash memory, or a combination of two or more of these.
- the processor may include a central processing unit (CPU) or an application specific integrated circuit (ASIC).
- the processor may be configured as one or more integrated circuits that implement the embodiments of the present application.
- the communication interface is mainly used to realize the communication between the modules and units in the embodiments of the present application.
- the memory, the processor and the communication interface are connected via the bus and communicate with each other.
- the aforementioned memory is used to store program code.
- the aforementioned processor reads the executable program code stored in the memory and runs the corresponding program to implement the endogenous security network method.
- the method for binding service data flow forwarding characteristics to transmission network element forwarding table entries includes but is not limited to steps S1 to S4 in the above-mentioned embodiment.
- this application is suitable for large and medium-sized enterprises with corresponding IT management personnel to deploy the automatic binding mode of authentication and authorization business data flow.
- This application adopts two modes, both of which realize the automatic binding of normal business data flows to the forwarding table entries and whitelists of transmission network elements, thereby achieving endogenous security and automation. There is no longer a need for the external equipment and separately deployed security policies that previously increased procurement and operation and maintenance costs. In addition, preventing unknown attacks has always been difficult; because in this application security is bound and deployed automatically together with normal business, abnormal data flows find it difficult to penetrate the network, which raises the baseline level of security protection and greatly reduces security operation and maintenance costs.
- This application provides business security capabilities based on the routing and switching architecture platform, without the need for various complex hardware platforms;
- Secure configuration is automatically generated and issued based on normal business operations, which reduces configuration workload and maintenance costs and improves ease of use.
- Automated associated deployment reduces reliance on delivery, deployment, operations, and maintenance personnel, thereby reducing deployment costs.
- This application solves the technical problem that, because of the openness of IP networks, their own security protection capability is low: a large number of external security protection facilities are required, the effect is poor and the cost is high, it is difficult to build low-cost security protection capability, and such networks are easy to attack but difficult to defend.
Description
The present application relates to the field of communication network security technology, and specifically to endogenous security network methods, architectures, media and equipment.
As shown in Figure 1, in the existing technology IP/TCP-based network communication systems are usually composed of switches, routers, gateways, terminals and servers that have open reachability to one another. This leads to risks of data leakage and of loss of integrity, availability and network availability. To address these risks, the usual security defense concept is zoning and isolation: security zones are divided within the communication information system based on location, business and so on, and then a large number of devices such as FW (firewall), IDS (intrusion detection system), IPS (intrusion prevention system), WAF, sandbox, DLP, EDR, NDR and the like are added for isolation and protection.
In enterprise network security protection, network security domain isolation is one of the most important and fundamental means of network security defense, and it is also the first basic question to consider when building enterprise data centers and information systems. A network security domain is a group of computers, servers, databases, business systems and other systems with the same security level and similar service types and functions. Specifically, in a network this might be an IP segment (a C segment, a B segment) or several segments, a VLAN or several VLANs, an entire network area connected to a firewall interface, or a cabinet or cabinets in a computer room. Network security domain isolation essentially divides the entire network into smaller secure trust domains; otherwise, an attacker who compromises a single address could scan and probe the entire network.
Although the existing border defense architecture deploys a protection mechanism at the network boundary, it currently has certain limitations. It has the following defects: (1) Since the border defense architecture only sets up protection measures at the network boundary, it blocks unsafe external threats outside the boundary, but the presence of internal malicious users and of users who lack security awareness still brings security risks inside the system. See Figure 1: the green data flow is the normal business flow, while a large amount of junk traffic (the yellow data flow in the figure) and a large amount of malicious traffic (the red data flow in the figure) can be forwarded within a security domain. Therefore it cannot prevent security threats from within the network. (2) It cannot prevent attacks that bypass the border defense. Border defense is a single, relatively static security protection technology; as long as a file carrying a virus bypasses the detection of the border defense by some means, it can enter the network and spread the virus, threatening the security of the entire system. The data flow and ⑥ in Figure 1 are the traffic that penetrates the border defense. (3) It is difficult to resist DoS and DDoS attack data flows. In a network infected with viruses and containing controlled zombie hosts, there are even large numbers of one-way traffic attacks (the data flows in Figure 1), which can attack enterprise resources, other terminals, the control planes of transmission equipment, and even security equipment such as FW, IDS and IPS, paralyzing services, network equipment and security protection equipment. (4) Furthermore, it cannot resist data-driven attacks. In the border defense architecture, it is usually unable to resist data-driven network attacks such as data poisoning. (5) It is also difficult to prevent various zero-day attacks. (6) Deploying a large number of various security devices in the network is costly and increases the access delay of normal business. (7) Finally, since security management and business deployment are not deployed synchronously, continuous security management deployment and risk surface management and configuration are required. On the one hand there are problems with timeliness and risk management lags; on the other hand this also leads to high maintenance costs.
Although the aforementioned existing solutions have the above problems, they are still the mainstream security deployment methods. For example, in "GB/T25070-2019 Information Security Technology - Network Security Level Protection Security Design Technical Requirements", the internal network of the enterprise is divided into security domains according to different levels of protection, and security domains of different levels exchange data through secure interconnection components, as shown in Figure 2.
As shown in Figure 3, to address the problem of many and varied security devices and solutions, the Single Security Architecture (SSA) has been implemented. The SSA's security capabilities encompass all the security capabilities of the JIE: perimeter protection, endpoint security, mobile endpoint security, data center security, network security situational awareness and analysis, and identity and access management. The number of processing nodes has been reduced from over 1,000 to 50. The product components of the SCCA (Secure Cloud Computing Architecture) include:
Cloud Access Point (CAP): provides access to the cloud (connectivity to approved cloud providers) and protects the DISN from cloud-initiated attacks. It simplifies protection and focuses on protecting the network perimeter.
As shown in Figure 4, the Virtual Data Center Security Stack (VDSS) provides virtual network enclave security to protect applications and data in commercial cloud products. Figure 4 also shows that it is based on domain-level NFW, NIDS, NIPS, WAF and traditional packet-capture inspection security components.
Virtual Data Center Management Services (VDMS): application host security, patching, configuration and management for privileged-user access in a commercial environment. See Figure 4.
Trusted Cloud Credential Manager (TCCM): a cloud credential manager that enforces RBAC (role-based access control) and least-privilege access. See Figure 4.
With the rise of cloud computing, network boundaries have become blurred. The ZTA (Zero Trust Architecture) concept proposed in 2010 assumes that the network is untrustworthy: every access and every link must be authenticated and authorized before access is granted, and security assessment and re-authentication must be performed continuously. See Figure 5. The core component of zero trust in the ZTA architecture diagram is a device with a policy engine, policy administrator and policy enforcement point, usually called a cloud security broker. Before accessing cloud resources, a client must first go to the security broker, which combines many external components to authenticate and assess the access; only after passing can the client access cloud resources/enterprise resources.
As shown in Figure 5, to suit the virtualization of cloud computing environments, micro-segmentation (micro-isolation) is used to shrink security domains, which makes traditional firewalls hard to use; therefore virtualized firewalls are used instead, and these consume host computing resources.
The core concept of zero trust is that devices and systems inside and outside the network are never trusted by default; the trust basis of access control must be rebuilt on authentication and authorization, and continuous verification is required. The implementation of zero trust faces difficulties in the following areas:
1) Complexity of implementing zero trust:
The actual implementation and operation of zero trust has significant complexity in terms of network configuration, software-defined networking (SDN), data labeling, analytics, access control, policy orchestration, encryption, automation, and end-to-end ICAM (identity, credential and access management). Enterprise-level considerations also include determining the data, applications, assets and services that need to be protected, as well as mapping transaction flows, policy decisions and policy enforcement locations.
2) Zero trust requires new analytical capabilities:
Analytics will require additional capabilities to process the sensor and log data that zero-trust security needs.
Different processes and procedures may be needed to measure the health of the network and identify anomalous behavior. For example, end-to-end encryption between resources within the network will limit the ability to inspect internal packets to detect problems. New analytical measures will be needed to ensure that only authorized communications can occur.
3) The resources required to transition to ZTA are substantial. Organizations implementing ZTA will require additional computing resources as well as new tools, practices and training, which can be expensive and time-consuming. For example, to establish appropriate access policies, organizations need to develop and maintain complete information about systems, networks and data.
4) Interoperability. Since there is no single-technology ZTA solution, ZTA implementation requires integrating existing technologies with each other and with new technologies. These technologies may not work together, especially in organizations with significant investments in legacy technologies.
5) ZTA standards. The governance framework and technical standards for ZTA are still being formed, and there is currently no consensus on how to apply existing industry standards to ZTA implementation.
Therefore ZTA requires a large amount of manpower and resources, and is difficult to put into practice.
Zero trust essentially means that all users and devices attempting to connect to a military network are identified and authenticated before being granted access, with the aim of "never trust" and "always verify" before allowing a network connection.
The existing reference architecture that describes the target state of security technology capabilities is the current mainstream security deployment approach. In the form of a security technology deployment architecture diagram, it comprehensively depicts the network landscape of government and enterprise organizations, the integration of information technology and cybersecurity, and the overall security landscape, showing the target state of cybersecurity technology deployment. For example, by region, the information systems of government and enterprise organizations are divided into various types, including headquarters, regional centers, branches and network nodes. By business category and function, their information technology is further divided into layers and components, including the global network, backbone network, regional boundaries, communication networks, information systems, cloud platforms, big data platforms and digital terminals, with their locations and forms marked. On this foundation, all security capability components are deployed, in the form of systems, services and software and hardware resources, to the different regions, nodes and layers of the information system. The various security components collaborate through networks and data so that security capabilities cover every part of the information system, enabling management at every level, eliminating blind spots, and enhancing the richness, flexibility and integrity of security resources. It can be seen from the figure that a large number of security components are deployed. The architecture sorts out the existing security components, arranges them at different locations of the network and information system, and links some of them together to form a security layer. Qi'anxin adds a large number of external security devices inside the information system without changing the existing network architecture and links them together; this requires a large number of external devices, is costly, and is troublesome to deploy and maintain.
In summary, traditional protection methods assume that nowhere is secure and require a large number of external security components to be added to the network, resulting in high security deployment costs, difficult security deployment and operation and maintenance, and difficulty in standardizing and reducing security costs. This has led to security fatigue in many enterprises and institutions, and small businesses in particular cannot afford the high cost of security and give up deploying security equipment and policies.
For the above reasons, information network security is easy to attack but difficult to defend, protection costs are very high, and security is non-standardized, resulting in a fragmented security market. This has led to the following drawbacks in the current security industry:
1) There are many diverse products, product R&D lacks a unified development platform or architecture, and R&D personnel and resources cannot be reused;
2) Security capabilities cannot be coordinated and iteration is slow;
3) Product categories are becoming increasingly complex, but coordination is extremely difficult, so integrated, low-cost security value cannot be formed;
4) Products carry redundant non-core functions, configuration is complex, and they are difficult to use;
5) Product value is weighted towards compliance; products fail to deliver real value in customer scenarios and cannot help customers maintain a normalized security level;
6) Vendors' core competition lies in sales and channel resources around major customers and high-margin industries; products are highly homogenized, with little difference in performance indicators;
7) The degree of informatization of customer scenarios and the skill level of personnel vary widely, and the proportion of customization is relatively high;
8) Delivery, deployment, operation and maintenance depend heavily on personnel and are costly; a large amount of adaptation and configuration work is required, and vendors even have to respond to fault issues unrelated to their own products.
Finding vulnerabilities, patching, scanning for viruses and trojans, and even setting up honeypots and sandboxes are layer upon layer of add-on protection measures, yet even so unknown threats are hard to handle: 0day attacks occur frequently and large numbers of DDoS attacks exist. Against this background, the concept of mimic defense was proposed in 2008 by Wu Jiangxing, an academician of the Chinese Academy of Engineering; in 2013 the theoretical system of mimic defense was formed, proposing the core technology of Dynamic Heterogeneous Redundancy (DHR) together with the principles and methods for resolving or avoiding "known unknown risks" or "unknown unknown threats" inside the target object, namely Cyberspace Mimic Defense (CMD).
As shown in Figure 6, the Dynamic Heterogeneous Redundancy (DHR) construction is based on the logical expression of the "relative correctness axiom" and closed-loop robust control. It is a closed-loop, iterative, multi-dimensional, dynamically reconfigurable robust control structure based on policy adjudication. It consists of functionally equivalent heterogeneous executors, input and output agents, iterative policy adjudication, and feedback control and a scheduler. The input agent distributes external input signal sequences (optional), while the output agent and the iterative adjudication (composed of multiple voting algorithms) together form a normalizable decision interface. The core of the feedback control and scheduler consists of a set of pre-set scheduling policies and intelligent learning algorithms. Upon receiving information from the adjudicator that an anomaly has been detected, the feedback scheduler is activated and instructs the relevant components to replace, migrate, clean, reorganize or reconstruct the current operating environment. This process is executed iteratively until the adjudicator's anomaly disappears or its frequency of occurrence falls below a set threshold.
The DHR construction has a unique "uncertainty" operating mechanism that can suppress or control the impact of generalized uncertain disturbances in the heterogeneous executor set K, forming a "security defense fog". Whether the disturbance is a reliability risk caused by natural factors or a security threat caused by deliberate human behavior, as long as it is expressed in differential mode it can be 100% suppressed, and common-mode expressions perceptible at the adjudication stage can also be kept within the threshold range given by the design.
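The adjudication and feedback loop just described, as an added Python model that is not part of the patent or of the CMD literature: executors are plain callables, the adjudicator is majority voting, and the scheduler swaps out any executor whose output differs from the majority until the anomaly rate drops below the threshold. DhrSystem, the executor names and the "square" workload are hypothetical; differential-mode means a strict majority still agrees, while no majority models the common-mode case the text says can only be bounded.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Executor = Callable[[int], int]


@dataclass
class DhrSystem:
    """Functionally equivalent heterogeneous executors behind a voting
    adjudicator with a feedback scheduler."""
    active: Dict[str, Executor]              # executors currently online
    standby: Dict[str, Executor]             # heterogeneous replacements
    threshold: float = 0.2                   # tolerated anomaly frequency
    log: List[str] = field(default_factory=list)
    requests: int = 0
    anomalies: int = 0

    @staticmethod
    def adjudicate(outputs: Dict[str, int]) -> Optional[int]:
        """Majority vote over the executors' outputs. None means no strict
        majority, i.e. the disturbance was not purely differential-mode."""
        if not outputs:
            return None
        value, votes = Counter(outputs.values()).most_common(1)[0]
        return value if votes * 2 > len(outputs) else None

    def handle(self, x: int) -> Optional[int]:
        """Distribute one input to all executors, vote, and feed back."""
        self.requests += 1
        outputs = {name: ex(x) for name, ex in self.active.items()}
        verdict = self.adjudicate(outputs)
        # Every executor that disagrees with the verdict is suspect; with no
        # majority at all, that is every executor (environment reconstruction).
        suspects = [n for n, v in outputs.items() if v != verdict]
        if suspects:
            self.anomalies += 1
            for name in suspects:
                self.replace(name)
        return verdict

    def replace(self, name: str) -> None:
        """Feedback scheduler: take the dissenting executor offline and
        bring in a standby one of a different implementation."""
        self.active.pop(name)
        if self.standby:
            new_name, ex = self.standby.popitem()
            self.active[new_name] = ex
            self.log.append(f"replaced {name} with {new_name}")
        else:
            self.log.append(f"removed {name}; no standby executor left")

    def anomaly_rate(self) -> float:
        return self.anomalies / self.requests if self.requests else 0.0

    def converged(self) -> bool:
        """Iteration stops once anomalies fall below the design threshold."""
        return self.anomaly_rate() < self.threshold


def build_demo() -> DhrSystem:
    """Constructed set: three 'square' executors, one of which has been
    tampered with, plus one standby implementation."""
    return DhrSystem(
        active={"mul": lambda x: x * x,
                "pow": lambda x: pow(x, 2),
                "tainted": lambda x: x * x + 1},   # compromised executor
        standby={"repeat": lambda x: sum(x for _ in range(x))})


def run_demo(inputs: List[int]) -> Dict[str, object]:
    """Run a request sequence and report how the construction settled."""
    system = build_demo()
    results = [system.handle(x) for x in inputs]
    return {"results": results, "anomalies": system.anomalies,
            "active": sorted(system.active), "converged": system.converged()}
```

On the first request the tainted executor is outvoted and replaced; every later request is unanimous, so the anomaly rate settles at 1/10 and the loop is considered converged.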
但拟态防御的最大问题是成本过于高昂,由于同一个功能需要多个异构执行体来执行,而且异构执行体越多,安全防护能力越强,这类似于密钥界推崇的一次一密,不过由于成本高,截至目前没有实现一次一密,通过内部多种异构模式来提升攻击成本的同时,自身的成本代价也大幅提升,例如至少要求有三个执行体,本来用一个执行体完成的工作,用3个以上来完成,在提升防攻击能力的同时,自己本身的成本提升更快。从理论的提出,到目前已经有15年之久,依然没能推广,成本太高是主要原因,并且,近期内也难以被主流安全厂商认可。However, the biggest problem with mimetic defense is its high cost. The same function requires multiple heterogeneous executors, and the more heterogeneous executors, the stronger the security protection. This is similar to the one-time pad system favored by the cryptography community, but due to its high cost, it has not yet been implemented. While increasing the cost of attack through multiple internal heterogeneous modes, the cost itself also increases significantly. For example, requiring at least three executors means that the work originally completed by one executor now requires three or more. While improving attack defense capabilities, the cost itself increases even faster. Fifteen years after the theory was proposed, it has yet to be widely adopted, primarily due to its high cost. Furthermore, it is unlikely to be accepted by mainstream security vendors in the near future.
NAC (Network Admission Control) is a network access control mechanism comprising 802.1X authentication, MAC authentication and Portal authentication.
NAC security solutions start from security control of the terminals that access the network, tying terminal security posture to network admission control. Through inspection, isolation, hardening and auditing they strengthen the active defense capability of user terminals, ensuring the security of every terminal in the enterprise and thereby the security of the whole enterprise network.
As shown in Figure 7, the NAC security architecture comprises three key components: the NAC terminal, the network admission device and the admission server.
Comparison of the three authentication methods
NAC includes three authentication methods: 802.1X authentication, MAC authentication and Portal authentication. Because their authentication principles differ, each suits different scenarios; in practice one suitable method may be deployed for a given scenario, or several may be combined into hybrid authentication, with the permitted combinations depending on what the device actually supports. The three methods are compared in the table below:
Table 1 Comparison of authentication methods
Problems with NAC technology:
NAC is an access control technology. Whether a terminal is admitted depends on verifying the terminal's identity and on whether traditional security measures are in place, such as installed antivirus software and operating system patches. Only after the user passes authentication does the NAC device open its data port or create a MAC table entry, granting network access. Once admitted, there are no corresponding access restrictions within the same VLAN, or even across VLANs. In practice, therefore, authenticated host terminals enjoy wide freedom of access. Since host infection cannot be ruled out entirely, for example through a 0-day exploit, an infected host can still spread viruses, bot malware and other malicious software to many other terminals and servers, leading to attacks on business systems, data and the network. NAC technology can thus lower the risk of attack, but it does not reduce the dependence on traditional security deployment and maintenance practices, and security deployment and operations costs remain high.
The published patent application CN115843429A, "Method and Apparatus for Isolation Support in Network Slicing", describes a method that includes: receiving a slice isolation policy for a network slice subnet (NSS) in the transport network (TN) domain, mapping the slice isolation policy to a network resource isolation policy and a service isolation policy, and mapping these respectively to a network resource allocation policy and a data service forwarding policy, which can then be applied when creating the TN NSS. That prior art is a method for isolation support in network slicing. 5G network slicing itself partitions bearer resources (forwarding, management and monitoring resources) according to the characteristics of the services carried, somewhat like virtual private network technology; in essence it virtualizes resources into multiple copies for different uses. It cannot, however, provide fine-grained security control or security-driven isolation of the three planes, and network security still has gaps.
The published patent application CN116707980A, "A Zero-Trust Based Immune Security Defense Method", continuously performs security checks on access subjects, controls access behavior at fine granularity and limits the spread of risk so that uninfected applications keep running normally; it uses big-data analysis and AI to refine its security policy from historical data. Built on network security technology and combined with systems such as entity behavior analysis, it implements an adaptive immune security mechanism for the network security system. Zero trust is itself a concept: never trust, start from zero, verify dynamically. It is typically implemented in data centers, assumes breach, trusts neither the network infrastructure nor the perimeter, and authenticates and authorizes every access by every user before deciding whether to allow it. This demands extensive detection and analysis capability and therefore a great deal of computing power, and its shortcomings are the same as those of the zero trust architecture discussed earlier.
In summary, existing security solutions pile up add-on protective measures layer upon layer: finding vulnerabilities, patching, scanning for viruses and trojans, and even deploying honeypots, sandboxes, firewalls and intrusion prevention. Even so, unknown threats remain hard to handle, 0-day attacks occur frequently and DDoS attacks are widespread. This patchwork style of protection means that even with large numbers of security devices deployed the network remains easy to attack and hard to defend; no effective three-dimensional defense or low-cost security capability emerges, network resilience is low, and the approach consumes large amounts of computation and manpower, so security operations costs stay stubbornly high.
The technical problem this application addresses is: how to solve the problem, in the prior art, that the openness of the IP network leaves it with weak intrinsic security, so that large numbers of external security facilities must be bolted on, with poor results and high cost, making low-cost security hard to achieve and the network easy to attack and hard to defend.
This application solves the above problem with the following technical solution. The endogenous security network method comprises:
S1. Extract the forwarding feature information of normal service data flows;
S2. Deliver the forwarding feature information of normal service data flows to the transmission network elements to form forwarding table entries, flow tables and a forwarding whitelist, where the endogenous security network method operates in either of two ways: an authentication and authorization mode and an automatic learning mode;
S3. The transmission network element forwards packets according to the forwarding feature information of normal service data flows;
S4. Discard packets that do not belong to normal service data flows, where a forwarding table or whitelist is generated automatically from the configuration files of the switches and routers and the features of normal service data flows, and is used to decide the forwarding action for each packet.
In a more specific technical solution, in the authentication and authorization mode, the method for binding service data flow forwarding features to transmission network element forwarding table entries further comprises:
S21'. A host terminal sends an access request packet to a specific server or specific resource;
S22'. The transmission network element sends the access request packet to the authentication server and authorization server for authorization and authentication;
S23'. When authorization and authentication succeed, automatically extract the forwarding feature information of the normal service data flow and generate the packet forwarding features of the successfully authorized service data flow;
S24'. When authorization or authentication fails, return a failure message and discard the access request packet;
S25'. Deliver the forwarding feature information of the normal service data flow to the transmission network element, which receives it with the processor of its control plane;
S26'. The control plane processor generates forwarding table entries, flow tables and a forwarding whitelist and delivers them to the forwarding plane;
S27'. When the transmission network element receives packets of the successfully authorized service data flow, it forwards the packets of the normal service data flow according to the forwarding table entries, flow tables and forwarding whitelist.
In a more specific technical solution, in the automatic learning mode, the method for binding service data flow forwarding features to transmission network element forwarding table entries further comprises:
S21″. While the transmission network element is running, generate forwarding table entries; specifically, the forwarding table entries include but are not limited to: flow tables, ACL tables, MAC tables, FIB tables and ARP tables;
S22″. At the preset read time, read the entry data from the forwarding table entries, store the entry data in a temporary table, and store the temporary table on the transmission network element;
S23″. While the preset learning time threshold has not been reached, keep executing step S2″ so that the forwarding table entries generated by normal service access are recorded in the temporary table;
S24″. When the preset learning time threshold is reached, generate a forwarding baseline database, store it on the transmission network element, and switch the element to baseline control mode, in which the forwarding baseline database is queried to generate subsequent forwarding table entries, which are added on the forwarding plane; the forwarding baseline database may be stored in a distributed or centralized way, and specifically the learning may be processed in a distributed or centralized way, among other options;
S25″. Obtain baseline data from the forwarding baseline database, determine the forwarding baseline from it, and control the transmission network element's forwarding of data packets according to the forwarding baseline;
S26″. When a data packet exceeds the forwarding baseline, record and extract the forwarding information of the current data packet;
S27″. Perform abnormal packet judgment to identify and discard packets that are not normal service packets; when the data packet is judged to be a normal service data packet, obtain the forwarding information of the current packet and update the forwarding baseline database with it.
In a more specific technical solution, in step S22″ the temporary table is stored on each transmission network element, and may be stored in a distributed or centralized manner; in the centralized manner, the temporary table is stored on a control plane server.
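To make the two ways of populating a transmission network element's forwarding whitelist concrete, the following is an added simulation (not code from the patent) of the authentication and authorization mode (S21'–S27') and of the automatic learning mode with its forwarding baseline (S21″–S27″). The 4-tuple flow key, the `AuthServer` grant table, the packet-count learning window standing in for the learning time threshold, and the rule that a packet beyond the baseline is judged normal only if the authorization server grants it are all assumptions of this example; the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Forwarding feature key stored in the whitelist / baseline (assumed 4-tuple)
Flow = Tuple[str, str, str, int]  # (src_mac, src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int

    def key(self) -> Flow:
        return (self.src_mac, self.src_ip, self.dst_ip, self.dst_port)


class AuthServer:
    """Hypothetical identity/authorization server: (dst_ip, dst_port) each terminal MAC may reach."""

    def __init__(self, grants: Dict[str, Set[Tuple[str, int]]]) -> None:
        self.grants = grants

    def authorize(self, pkt: Packet) -> bool:
        return (pkt.dst_ip, pkt.dst_port) in self.grants.get(pkt.src_mac, set())


class TransmissionElement:
    """Simulated switch/router: control plane builds entries, forwarding plane enforces them."""

    def __init__(self, auth: AuthServer, learn_window: int,
                 judge: Callable[[Packet], bool]) -> None:
        self.auth = auth
        self.learn_window = learn_window    # packets observed before the baseline is frozen
        self.judge = judge                  # S27'': pluggable abnormal-packet judgment
        self.whitelist: Set[Flow] = set()   # forwarding whitelist filled by auth mode
        self.temp_table: Set[Flow] = set()  # S22'': temporary table filled while learning
        self.baseline: Set[Flow] = set()    # S24'': forwarding baseline database
        self.mode = "learning"
        self.seen = 0
        self.exceed_log: List[Flow] = []    # S26'': forwarding info of packets beyond baseline

    # --- authentication/authorization mode (S21'-S27') ---
    def handle_auth(self, pkt: Packet) -> str:
        if pkt.key() in self.whitelist:       # S27': flow already authorized, forward
            return "forward"
        if self.auth.authorize(pkt):          # S22'/S23': authentication + authorization succeed
            self.whitelist.add(pkt.key())     # S25'/S26': control plane pushes the entry
            return "forward"
        return "drop"                         # S24': failure, request packet discarded

    # --- automatic learning mode (S21''-S27'') ---
    def handle_learning(self, pkt: Packet) -> str:
        if self.mode == "learning":
            self.temp_table.add(pkt.key())    # S22''/S23'': record below the threshold
            self.seen += 1
            if self.seen >= self.learn_window:
                self.baseline = set(self.temp_table)  # S24'': freeze the baseline
                self.mode = "baseline"
            return "forward"                  # assumption: traffic flows normally while learning
        if pkt.key() in self.baseline:        # S25'': within the baseline
            return "forward"
        self.exceed_log.append(pkt.key())     # S26'': record the packet beyond the baseline
        if self.judge(pkt):                   # S27'': judged normal, baseline updated
            self.baseline.add(pkt.key())
            return "forward"
        return "drop"                         # S27'': abnormal service packet discarded


def build_demo() -> Tuple[TransmissionElement, List[Packet]]:
    """Constructed sample: two terminals granted a web server, one later trying an ungranted port."""
    auth = AuthServer({"aa:01": {("10.0.0.10", 443)}, "aa:02": {("10.0.0.10", 443)}})
    web1 = Packet("aa:01", "192.168.1.11", "10.0.0.10", 443)
    web2 = Packet("aa:02", "192.168.1.12", "10.0.0.10", 443)
    probe = Packet("aa:01", "192.168.1.11", "10.0.0.10", 3389)  # never granted, never learned
    # Judgment rule (assumption): a packet beyond the baseline is normal only if the auth server grants it
    elem = TransmissionElement(auth, learn_window=2, judge=auth.authorize)
    return elem, [web1, web2, probe]


def run_auth_demo() -> List[str]:
    elem, (web1, _web2, probe) = build_demo()
    return [elem.handle_auth(web1), elem.handle_auth(probe), elem.handle_auth(web1)]


def run_learning_demo() -> Tuple[TransmissionElement, List[str]]:
    elem, (web1, web2, probe) = build_demo()
    results = [elem.handle_learning(web1), elem.handle_learning(web2)]  # learning phase
    results.append(elem.handle_learning(probe))  # baseline mode: beyond baseline, not granted
    results.append(elem.handle_learning(web2))   # baseline mode: learned flow still forwarded
    return elem, results


if __name__ == "__main__":
    print("auth mode:", run_auth_demo())             # ['forward', 'drop', 'forward']
    print("learning mode:", run_learning_demo()[1])  # ['forward', 'forward', 'drop', 'forward']
```

The `exceed_log` is what the S26″ step hands to abnormal-packet judgment, so in a real deployment it is also the record a log tracing component would audit.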
In a more specific technical solution, the endogenous security network method further includes an endogenous security resilient network whose logical components comprise: host terminals, transmission network elements, application servers and resources, a security network controller, a policy server, an identity authentication, authorization and audit server, a network management switch, servers, and a log sampling and threat analysis server; specifically, the transmission network elements include but are not limited to Ethernet transmission network elements and IP transmission network elements.
In a more specific technical solution, the logical architecture of the endogenous security resilient network comprises a management plane, a control plane and a forwarding plane.
In the management plane, the management ports of all service switches are linked to a management switch, and the interfaces of the management switch and of the service switches are isolated from each other. Specifically, the management plane includes but is not limited to: the management switch, a management plane server and an end-to-end component management unit. The management server configures the devices in the endogenous security resilient network that carry an end-to-end component management unit; for security, each transmission network element and the management server authenticate each other mutually before communicating on the management plane.
The forwarding plane comprises: the host terminal service units, the application server and data resource service units, and the forwarding modules of the transmission network elements. Specifically, the forwarding module is the enforcement point for the security forwarding policy, and the forwarding network element comprises a packet forwarding component, an ACL component, a statistics component, a sampling component and a log tracing component, which perform forwarding control, log auditing, threat analysis, log tracing and accountability, and statistical data sampling in support of threat response.
The control plane comprises: the security network controller, the policy server, the identity management and authorization server, the log sampling and analysis server, and the control modules of the transmission network elements. The control plane mutually authenticates devices that request interconnection before they may communicate on the control plane. Specifically, the identity management and authorization server authenticates and authorizes service data flows and forms the corresponding blacklists, whitelists and graylists. The transmission network elements are deployed in a distributed fashion, perform loop prevention with preset protocols, discover the network topology through preset routing protocols and perform distributed path computation; the security network controller performs centralized path computation to find the transmission network elements on the optimal path, and the control unit and policy execution unit within each transmission network element generate forwarding table entries and deliver them to the forwarding unit.
In a more specific technical solution, the endogenous security network architecture comprises:
a forwarding information extraction module, for extracting the forwarding feature information of normal service data flows;
a forwarding basis formation module, for delivering the forwarding feature information of normal service data flows to the transmission network elements to form forwarding table entries, flow tables and a forwarding whitelist, where the forwarding basis formation module further comprises an authentication and authorization module and an automatic learning module;
a packet forwarding module, for forwarding packets on the transmission network element according to the forwarding feature information of normal service data flows;
packets that do not belong to normal service data flows are discarded, where a whitelist is generated automatically from the configuration files of the switches and routers and the features of normal service data flows and is used to decide the forwarding action for each packet; the packet forwarding module is connected to the forwarding basis formation module.
In a more specific technical solution, the authentication and authorization module further comprises:
an access request sending unit, for sending an access request packet from a host terminal to a specific server or specific resource;
an authentication and authorization processing unit, for sending the access request packet via the transmission network element to the authentication server and authorization server for authorization and authentication; the authentication and authorization processing unit is connected to the access request sending unit;
a forwarding feature extraction unit, for automatically extracting the forwarding feature information of the normal service data flow when authorization and authentication succeed, and for returning a failure message and discarding the access request packet when authorization or authentication fails; the forwarding feature extraction unit is connected to the authentication and authorization processing unit;
a forwarding feature processing unit, which delivers the forwarding feature information of the normal service data flow to the transmission network element, where it is received by the processor of the element's control plane; the forwarding feature processing unit is connected to the forwarding feature extraction unit;
a forwarding basis generation and delivery unit, for generating, on the control plane processor, forwarding table entries, flow tables and a forwarding whitelist and delivering them to the forwarding plane; the forwarding basis generation and delivery unit is connected to the forwarding feature processing unit;
an authorized normal packet forwarding unit, for forwarding the packets of the normal service data flow according to the forwarding table entries, flow tables and forwarding whitelist when the transmission network element receives packets of a successfully authorized service data flow; the authorized normal packet forwarding unit is connected to the forwarding basis generation and delivery unit.
In a more specific technical solution, the automatic learning module further comprises:
a forwarding table entry generation unit, for generating forwarding table entries while the transmission network element is running;
an entry data reading and storage unit, for reading entry data from the forwarding table entries at the preset read time, storing the entry data in a temporary table and storing the temporary table on the transmission network element; the entry data reading and storage unit is connected to the forwarding table entry generation unit;
an entry data continuous processing unit, for continuing to execute step S2″ while the preset learning time threshold has not been reached, so that the forwarding table entries generated by normal service access are recorded in the temporary table; the entry data continuous processing unit is connected to the entry data reading and storage unit;
a baseline database generation and storage unit, for generating a forwarding baseline database when the preset learning time threshold is reached, storing it on the transmission network element and switching the element to baseline control mode, in which the forwarding baseline database is queried to generate subsequent forwarding table entries, which are added on the forwarding plane; the forwarding baseline database may be stored in a distributed or centralized way; the baseline database generation and storage unit is connected to the entry data reading and storage unit;
a service data forwarding control unit, for obtaining baseline data from the forwarding baseline database, determining the forwarding baseline from it and controlling the transmission network element's forwarding of service data packets according to the forwarding baseline; the service data forwarding control unit is connected to the baseline database generation and storage unit;
a baseline exceedance processing unit, for recording and extracting the forwarding information of the current service data packet when it exceeds the forwarding baseline; the baseline exceedance processing unit is connected to the service data forwarding control unit;
an exception handling and baseline update processing unit, for performing abnormal packet judgment to identify and discard packets that are not normal service packets and, when a service data packet is judged to be a normal service data packet, obtaining the forwarding information of the current packet and updating the forwarding baseline database with it; the exception handling and baseline update processing unit is connected to the baseline exceedance processing unit and the service data forwarding control unit.
In a more specific technical solution, in the entry data reading and storage unit, the temporary table is stored on each transmission network element, and may be stored in a distributed or centralized manner; in the centralized manner, the temporary table is stored on a control plane server.
In a more specific technical solution, a computer storage medium stores a plurality of instructions adapted to be loaded by a processor to execute the endogenous security network method.
In a more specific technical solution, an electronic device comprises a processor and a memory, the memory storing a computer program adapted to be loaded by the processor to execute the endogenous security network method.
Compared with the prior art, this application has the following advantages:
This application provides service security capability on a routing and switching platform, with no need for assorted complex hardware platforms; the platform is reused, security is endogenous, and security capability grows in step with service capability.
Built on a routing and switching platform with endogenous security, this application delivers integrated, low-cost security value without the ever-growing variety of products and the coordination difficulties that come with it.
The security configuration in this application is generated and delivered automatically from normal service traffic, reducing configuration effort and lowering the difficulty of use and the cost of maintenance.
This application delivers value continuously while online, maintaining a routine baseline level of security rather than existing merely for compliance.
By reducing the difficulty of deploying and using the product, deployment and usage costs fall and large, medium and small customers can all use it, which spreads costs further and raises customer value. The endogenous security of this application follows the infrastructure budget, with no need for a separate procurement project for security devices. The technical solution of this application has universal basic security properties, which resolves the customization problem.
Through automated, linked deployment, this application reduces dependence on delivery, deployment and operations staff and thereby lowers deployment costs. Because the openness of the IP communication system means attack points and attack surfaces are everywhere, this application enforces policy control on the transmission and information processing network elements, making every such element a policy enforcement point; this builds a three-dimensional defense and turns enterprise, campus, data center and other networks into networks through which only normal service traffic can pass (guaranteed by authentication and traceability capabilities).
This application links the control and forwarding capability of network devices with the authentication and authorization system through a policy controller, closing the path of attack traffic at every network information processing unit so that attack traffic can hardly break through the network, thereby effectively protecting services, the network, data and other assets.
This application uses the transmission network elements themselves, instead of adding many external security devices, to build a relatively closed network on top of the open IP system according to service attributes. The transmission network elements can keep evolving with the capabilities of open IP network equipment, while in networks with well-defined service attributes they solve the high protection cost that open networks bring, thereby realizing an endogenous security solution.
To ease transition and implementation, this application also designs supplementary automatic learning and protection techniques.
This application provides a technical solution that eliminates various security risks by having transmission network elements such as switches and routers forward only normal service data flows and no other data flows, filtering out illegitimate access.
This application builds on the distributed route computation of traditional switches and routers and layers SDN functionality on top; if the SDN controller fails, the network can still run as a traditional switched and routed network.
This application solves the technical problem that the openness of the IP network leaves it with weak intrinsic security, so that large numbers of external security facilities must be bolted on, with poor results and high cost, making low-cost security hard to achieve and the network easy to attack and hard to defend.
FIG1 is a schematic diagram of the data flow of a traditional network security architecture in the background art;
FIG2 is an architecture diagram of the technical requirements for security design of network security classified protection (information security technology) in the background art;
FIG3 is a framework diagram of the U.S. military JIE in the background art;
FIG4 is a schematic diagram of the SCCA secure cloud computing architecture in the U.S. military JIE in the background art;
FIG5 is a ZTA architecture diagram in the background art;
FIG6 is a diagram of the endogenous security mechanism of the dynamic heterogeneous redundancy construction in mimic defense technology in the background art;
FIG7 is a typical NAC networking diagram in the background art;
FIG8 is a schematic diagram of the basic steps of the endogenous security network method of Embodiment 1 of the present application;
FIG9 is a schematic diagram of the specific implementation flow of the endogenous security network method of Embodiment 1 of the present application using the authentication and authorization mode;
FIG10 is a schematic diagram of the logical architecture for binding service feature data flows to forwarding in Embodiment 1 of the present application;
FIG11 is a schematic diagram of the authentication, authorization and forwarding flow when a user accesses a service in Embodiment 1 of the present application;
FIG12 is a schematic diagram of the steps by which a transmission unit processes service packets based on a forwarding table and an ACL in Embodiment 1 of the present application;
FIG13 is a schematic diagram of the specific steps for binding normal service data flows to the forwarding table and whitelist through automatic learning in Embodiment 1 of the present application;
FIG14 is a schematic diagram of the basic structure of the endogenous security network architecture of Embodiment 2 of the present application;
FIG15 is a schematic diagram of the data flow effect of the endogenous-security elastic network of Embodiment 2 of the present application;
FIG16 is a logical architecture diagram of the endogenous security network architecture of Embodiment 2 of the present application;
FIG17 is a schematic diagram of the actual deployment of the endogenous security network architecture of Embodiment 3 of the present application;
FIG18 is a schematic diagram of the basic modules of a transmission network element of Embodiment 3 of the present application;
FIG19 is a schematic diagram of the functional modules of the endogenous security network security policy server of Embodiment 3 of the present application;
FIG20 is a flowchart of the self-learning method of Embodiment 3 of the present application;
FIG21 is a schematic diagram of the abnormal packet reporting flow of the host terminal and application server service units in Embodiment 3 of the present application;
FIG22a is a schematic diagram of centralized and distributed storage of the MAC address library in Embodiment 3 of the present application;
FIG22b is a schematic diagram of several ways of adding MAC addresses to the MAC address library in Embodiment 3 of the present application;
FIG22c is a schematic diagram of the MAC address library self-learning flow in Embodiment 3 of the present application;
FIG22d is a schematic diagram of the flow for preventing non-owned devices from accessing the network in Embodiment 3 of the present application;
FIG23 is a schematic diagram of fast-start forwarding and cache entry writing and reading of a switch in Embodiment 3 of the present application.
To make the purpose, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below in conjunction with the embodiments; obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application without creative effort fall within the protection scope of this application.
Embodiment 1
As shown in FIG8, the basic steps of the endogenous security network method provided by this application include but are not limited to:
S1. Extract the forwarding feature information of normal service data flows;
In this embodiment, the forwarding feature information includes but is not limited to 5-tuple information such as source IP, destination IP, destination port, IP protocol type, source port and protocol; in addition, the information extraction supported in this embodiment also covers, for example, destination MAC, source MAC, Ethernet type, VLAN ID, VLAN priority, IP type of service, and key fields of the application layer.
S2. Deliver the forwarding information of normal service data flows to the transmission network element;
In this embodiment, the feature information of normal service data flows is delivered to the transmission network element to form forwarding table entries, a flow table, or a forwarding whitelist; in this embodiment these may be, for example, a MAC table, a FIB table, a flow table, or a whitelist based on an ACL or a user-defined list (UDL);
S3. The transmission network element forwards packets according to the feature information of normal service data flows;
In this embodiment, since forwarding table entries, a flow table or a whitelist have already been delivered in step S2 according to the features of normal service data flows, when a normal service data packet arrives at a transmission network element such as a switch, router or gateway, that transmission network element forwards the normal packet according to the corresponding entry;
S4. Packets of abnormal service data flows are discarded.
In this embodiment, because the default policy is not to forward packets, abnormal data packets that arrive at a transmission network element such as a switch, router or gateway without a matching entry are discarded. In this embodiment, routing protocol packets are whitelisted automatically from the configuration files of the switches and routers and may be forwarded; in this embodiment such packets include but are not limited to routing protocols. In this embodiment, besides normal service packets, some control-plane packets also need to be forwarded, including but not limited to routing protocol packets; these packets may use multicast addresses, and some of them carry their own protocol type, for example, the protocol type of OSPF packets is 89 and that of IGMP is 2;
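The feature extraction of step S1 and the default-deny forwarding of steps S3 and S4, as an added example that is not the application's own code: the frame bytes are constructed sample input, and keying the whitelist on the 5-tuple and treating OSPF (protocol 89) and IGMP (protocol 2) as the control-plane exception set are assumptions about how a transmission network element might model what the text describes.

```python
"""Extract the forwarding features named in step S1 from a raw Ethernet frame
and apply the default-deny forwarding policy of steps S3/S4.

Added example, not code from the application. Frames are constructed below;
the whitelist model and the control-plane exception set are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
# Routing/control-plane protocols the text says are whitelisted from the device config
CONTROL_PLANE_PROTOCOLS = {89: "OSPF", 2: "IGMP"}


@dataclass(frozen=True)
class ForwardingFeatures:
    dst_mac: str
    src_mac: str
    eth_type: int
    vlan_id: Optional[int]
    vlan_priority: Optional[int]
    src_ip: str
    dst_ip: str
    ip_protocol: int
    tos: int
    src_port: Optional[int]
    dst_port: Optional[int]

    def five_tuple(self):
        return (self.src_ip, self.dst_ip, self.ip_protocol, self.src_port, self.dst_port)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def extract_features(frame: bytes) -> ForwardingFeatures:
    """Parse Ethernet (with optional 802.1Q tag), IPv4 and the TCP/UDP ports."""
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = vlan_prio = None
    if eth_type == ETH_P_8021Q:                 # VLAN ID and priority come from the TCI
        tci, eth_type = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_prio, vlan_id = tci >> 13, tci & 0x0FFF
        offset += 4
    if eth_type != ETH_P_IP:
        raise ValueError(f"unsupported ethertype 0x{eth_type:04x}")
    ihl = (frame[offset] & 0x0F) * 4            # IPv4 header length in bytes
    tos = frame[offset + 1]                     # IP type of service
    proto = frame[offset + 9]
    src_ip = ".".join(map(str, frame[offset + 12:offset + 16]))
    dst_ip = ".".join(map(str, frame[offset + 16:offset + 20]))
    offset += ihl
    src_port = dst_port = None
    if proto in (6, 17):                        # TCP/UDP: ports are the first two 16-bit fields
        src_port, dst_port = struct.unpack("!HH", frame[offset:offset + 4])
    return ForwardingFeatures(_mac(dst_mac), _mac(src_mac), eth_type, vlan_id, vlan_prio,
                              src_ip, dst_ip, proto, tos, src_port, dst_port)


def forwarding_decision(features: ForwardingFeatures, whitelist: set) -> str:
    """Steps S3/S4: forward only flows whose 5-tuple was delivered to the element;
    control-plane protocols are forwarded even without a flow entry."""
    if features.ip_protocol in CONTROL_PLANE_PROTOCOLS:
        return "forward"                        # e.g. an OSPF hello to 224.0.0.5
    if features.five_tuple() in whitelist:
        return "forward"
    return "drop"                               # default policy: no entry, no forwarding


def build_frame(src_mac, dst_mac, vlan, src_ip, dst_ip, proto, sport=None, dport=None, tos=0):
    """Build a minimal constructed test frame (no real traffic); vlan is (priority, id) or None."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        prio, vid = vlan
        hdr += struct.pack("!HHH", ETH_P_8021Q, (prio << 13) | vid, ETH_P_IP)
    else:
        hdr += struct.pack("!H", ETH_P_IP)
    l4 = struct.pack("!HHHH", sport, dport, 0, 0) if sport is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return hdr + ip + l4
```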
In this embodiment, after NAC authentication succeeds, the access control port is opened on the access control device and the authenticated terminal can access servers and other terminals in the network; the capability and possibility of forwarding lateral and vertical traffic remain, so a terminal infected by malware such as a 0-day attack can spread laterally and vertically within the network. Compared with that scheme, the method of this application further differs from NAC in that it binds the features of normal service traffic to the forwarding table, flow table and whitelist of the transmission network element, so that only normal service data flows can be forwarded and the transmission network element cannot forward abnormal service data flows; moreover, this can take effect on all transmission network elements, not only on the access control device. Therefore, this application can isolate the host terminal from accessing unauthorized services, resources and other terminals, thereby avoiding the existence of junk traffic and malicious traffic.
As shown in FIG9, in this embodiment, the method for binding service data flow forwarding features to transmission network element forwarding entries further includes the following specific implementation flow using the authentication and authorization mode:
S1’. The host terminal initiates an access request to a specific server or resource;
S2’. Authentication and authorization processing is performed;
In this embodiment, the packet is sent by the transmission network element to the authentication and authorization server for authentication and authorization;
S3’. Determine whether authorization succeeded;
S4’. If not, the transmission network element discards the packet;
In this embodiment, abnormal service packets are not forwarded by default;
S5’. If yes, extract the forwarding features of the successfully authorized service data flow;
In this embodiment, if the service access request is authorized successfully, the forwarding feature information of the normal service data flow is extracted automatically; in this embodiment the forwarding feature information includes but is not limited to 5-tuple information: source IP, destination IP, destination port, IP protocol type, source port and protocol.
S6’. Deliver the forwarding flow features to the transmission network element;
In this embodiment, the feature information of the normal service data flow is delivered to the transmission network element, and the control-plane CPU of the transmission network element receives it; in this embodiment, transmission network elements include but are not limited to switches, routers and gateways;
S7’. The transmission network element generates forwarding entries and an ACL whitelist;
In this embodiment, the control-plane CPU of the transmission network element forms forwarding entries, a flow table or a forwarding whitelist for the normal service data flow, which may be, for example, a MAC table, a FIB table, a flow table, or a whitelist based on an ACL or a user-defined list (UDL), and delivers them to the forwarding plane;
S8’. The transmission network element forwards the successfully authorized service data flow.
In this embodiment, when the transmission network element receives packets of a successfully authorized service data flow, it forwards the normal service packets according to the forwarding entries and the whitelist.
As shown in FIG10, in this embodiment, the logical architecture for binding service feature data flows to forwarding includes but is not limited to a host terminal module, a transmission forwarding module, a service resource module, a forwarding feature extraction module, an authentication and authorization module, and a self-learning module;
In this embodiment, the transmission forwarding module is connected to the host terminal module, the service resource module and the forwarding feature extraction module, and the forwarding feature extraction module is connected to the self-learning module, the authentication and authorization module and the transmission forwarding module;
In this embodiment, when the host terminal module accesses the service resource module, the forwarding feature extraction module, with the help of the authentication and authorization module or the self-learning module, extracts the forwarding feature information of the access data flow and delivers it to the transmission forwarding module, which binds it into the flow table or the forwarding table and ACL table; after that, the transmission forwarding module can forward the data packets of normal access. In this embodiment, abnormal data packets without a bound entry are not forwarded, which prevents the forwarding of malicious traffic and achieves isolation and protection.
As shown in FIG11, in this embodiment, the flow by which a transmission network element processes service packets based on the forwarding table and ACL includes:
S101. The host initiates access to the application server and various resources;
S102. The transmission network element checks the forwarding table and the blacklist and whitelist;
S103. If the packet to be forwarded matches the blacklist, it is discarded;
S104. If the packet to be forwarded is in the forwarding table and matches the whitelist, it is forwarded;
S105. If the packet to be forwarded matches the whitelist but is not in the forwarding table, a forwarding entry is created and the packet is forwarded;
S106. If the packet to be forwarded is neither in the forwarding table nor in the blacklist or whitelist, it is sent through the control plane to the security network controller;
S107. The security network controller forwards the packet to the identity authentication, authorization and audit server;
S108. The identity authentication, authorization and audit server authenticates the request, authorizes network access according to the authorization policy, and sends the access policy to the security network controller;
S109. The security network controller adds the access policy to the whitelist and delivers it to the transmission network element;
S1010. The transmission network element generates the corresponding forwarding entry;
S1011. When the packet to be forwarded is in the forwarding table but in neither the blacklist nor the whitelist, the situation is classified as graylist; a default handling policy can be predefined, and the packet is handled according to that policy;
S1012. When the graylist policy is not to forward, an exception is reported to the security network controller through the control plane and the packet is discarded;
S1013. When the graylist policy is to forward, an exception is reported to the security network controller through the control plane and the packet is forwarded according to the forwarding table;
S1014. When the graylist policy is for the control plane to decide, an exception is reported to the security network controller through the control plane and the packet is sent to the security network controller for processing;
S1015. The security network controller combines the various policy information to convert the graylist entry into a specific operation; in this embodiment, the specific operations include whitelist, blacklist, deletion, etc.
In this embodiment, the forwarding entries, ACLs and flow tables of switches and routers are used for fine-grained access control of service flows, and encryption, authentication, authorization or self-learning are used to ensure that only normal service data flows are sent, avoiding abnormal vertical and lateral data flows, reducing security risk, and at the same time avoiding heavy consumption of computing power and delay impact on normal services.
Referring to FIG11, in the blue box of the figure in this embodiment, not only is authorization success returned, but the forwarding service features of the authorized access object, usually the IP address, IP protocol and port number, are also obtained by means such as a DNS lookup, and a further security review can be performed before the service data flow features of normal access are returned. In this embodiment, authorized access objects include but are not limited to servers and resources. The flow in the green box of the figure likewise does not merely open the port of the access device; rather, the features of the authorized data flow are delivered to the access control device, and further, corresponding entries and whitelists can be formed on all transmission network elements along the whole path. In the light blue box of FIG11, access control can further be exercised on the host terminal and the accessed server, achieving full-path, end-to-end forwarding control: a path is formed for normal data flows while other abnormal data flows have no path, so junk flows and malicious traffic cannot be forwarded in the network.
As shown in FIG12, in this embodiment, in contrast to SDN switches that support flow tables, traditional switches can exercise forwarding control by combining a forwarding table with an ACL table; FIG12 shows the specific flow by which a transmission unit processes service packets based on the forwarding table and ACL. In FIG12 the host terminal initiates access to the application server and various resources, and the processing by the transmission network element includes but is not limited to the following cases, which in this embodiment may be checked in a different order: check whether the features of the packet to be forwarded are in the blacklist, and if so discard it directly; if the packet is in the forwarding entries and in the forwarding whitelist, forward it; if it is in the whitelist but not in the forwarding table, create a forwarding entry and forward it (in this embodiment, the event may also be reported to the security network controller, which issues an instruction to create the forwarding entry before the packet is forwarded). If the packet is neither in the forwarding table nor in the blacklist or whitelist, it is sent through the control plane to the security network controller, which forwards it to the identity authentication, authorization and audit server; that server authenticates the request, determines according to the authorization policy that network access is allowed, and feeds the result back to the security network controller, which adds the access policy to the whitelist and delivers it to the transmission network element. In this embodiment, the transmission network element is a logical concept and may correspond to several devices; since the security network controller holds the switching and routing information of the whole domain, it can deliver the whitelist policy to all relevant network elements. In this embodiment, if authentication fails the packet can be discarded, and if repeated frequent authentication attempts from the same host terminal are detected an early warning can be raised; if the terminal is found to be malicious, it can be added directly to the blacklist.
In this embodiment, authentication by the identity authentication, authorization and audit server includes but is not limited to two-way authentication and one-way authentication;
In this embodiment, in the security network based on the service whitelist, the whole network allows only explicitly defined service packets to pass, and all service packets not explicitly defined are discarded, so the network becomes a closed service network in every dimension.
In this embodiment, a graylist mechanism is added for adaptability and elasticity. In this embodiment the graylist policy is definable; by default, graylist packets are not forwarded and an exception is reported. The policy may also be defined so that graylist packets are sent up to the control plane, which, according to the corresponding policy and information, converts the graylist entry into a whitelist entry or a blacklist entry, or deletes it. The graylist can be defined in several ways; as shown in Table 2, a dedicated graylist list type is defined directly, and entries of this type can be converted to whitelist or blacklist. The scheme thus adopts dynamic whitelist, dynamic blacklist and graylist mechanisms: by dynamically refreshing the service whitelist, access is possible only with authorization, while explicitly identified threat IPs and URLs are added to the blacklist and access to them is prohibited.
Table 2 below adds a status flag to the ACL table to distinguish blacklist, whitelist and graylist entries: status 11 indicates whitelist, status 00 indicates blacklist, and status 10 indicates graylist.
Table 2
In this embodiment, an implicit graylist mode is also included: in FIG12, a packet that is in the forwarding entries but in neither the whitelist nor the blacklist is defined as graylist. The default graylist policy is definable; the packet can be forwarded to the policy management component, which liaises with the service unit to confirm whether it matches a service requirement; if confirmed correct, the flow is delivered to the whitelist and the packet is forwarded, and if not, the packet is discarded and the flow is delivered to the blacklist.
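The decision logic of steps S102 to S1015, the Table 2 status flags (11 whitelist, 00 blacklist, 10 graylist) and the implicit graylist just described, as an added example that is not the application's own code: flows are keyed by 5-tuple, and the three graylist policy names, the controller stub and the sample flows are assumptions introduced for the example.

```python
"""Forwarding decision of a transmission network element (steps S102-S1015):
a forwarding table plus an ACL whose entries carry the two-bit status flag of
Table 2, a definable default graylist policy, and an implicit graylist for
packets that have a forwarding entry but match neither list.

Added example, not the application's code; policy names, the controller
stub and the sample flows are assumptions.
"""
from enum import Enum

WHITE, BLACK, GRAY = 0b11, 0b00, 0b10       # Table 2 status flags


class GrayPolicy(Enum):
    DROP_AND_REPORT = "drop"                # S1012, the default
    FORWARD_AND_REPORT = "forward"          # S1013
    TO_CONTROL_PLANE = "controller"         # S1014


class TransmissionElement:
    def __init__(self, gray_policy=GrayPolicy.DROP_AND_REPORT):
        self.forwarding_table = set()       # flows that have a forwarding entry
        self.acl = {}                       # flow -> Table 2 status flag
        self.gray_policy = gray_policy
        self.reports = []                   # exceptions reported to the security network controller
        self.to_controller = []             # packets handed up through the control plane

    def install(self, flow, flag):
        """Policy delivered by the controller (S109 / S1015); flag None means 'delete'."""
        if flag is None:
            self.acl.pop(flow, None)
        else:
            self.acl[flow] = flag

    def process(self, flow):
        """Return 'forward', 'drop' or 'to_controller' for one packet of `flow`."""
        flag = self.acl.get(flow)
        in_table = flow in self.forwarding_table
        if flag == BLACK:                                   # S103
            return "drop"
        if flag == WHITE:
            if not in_table:                                # S105: create the entry first
                self.forwarding_table.add(flow)
            return "forward"                                # S104
        if flag is None and not in_table:                   # S106: unknown flow
            self.to_controller.append(flow)
            return "to_controller"
        # S1011: explicit graylist (flag 10) or implicit graylist (entry, no ACL match)
        self.reports.append(("gray", flow))
        if self.gray_policy is GrayPolicy.FORWARD_AND_REPORT:
            return "forward"
        if self.gray_policy is GrayPolicy.TO_CONTROL_PLANE:
            self.to_controller.append(flow)
            return "to_controller"
        return "drop"


def controller_resolve(element, flow, authorized):
    """Stand-in for S107-S109 / S1015: the controller turns the auth server's
    verdict into a whitelist (authorized) or blacklist (refused) entry."""
    element.install(flow, WHITE if authorized else BLACK)
```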
In this embodiment, the forwarding table includes but is not limited to a switch's Layer 2 forwarding table based on MAC and VLAN, a route-based Layer 3 forwarding table, and a forwarding table based on 5-tuples or even more fields. In this embodiment, blacklist, whitelist and graylist entries may take the form of MAC, VLAN, IP, port and combinations thereof. In this embodiment, the access control policy may be removed when the session ends by having the application service server or service proxy gateway notify the policy server to delete the access control list; it may also be deleted automatically, for example through an aging mechanism; and for frequently accessed internal services a long-lifecycle policy may be used to reduce the load of continuous authentication analysis and frequent entry delivery.
In this embodiment, access control policies can further be delivered to the application server and host terminal side to close all unauthorized ports, thereby greatly reducing the exposure of the application servers and hosts.
In this embodiment, access control on the forwarding network elements ensures that only packets with genuine service needs that have passed authentication and authorization are forwarded, while unauthorized and blacklisted packets cannot pass. Internal mutual access, external access to the inside, and internal access to the Internet are all brought under the authentication, authorization and access control mechanism, forming a strict forwarding control plane: the enterprise internal network is no longer an open network but a tightly access-controlled one, so external attack traffic cannot enter and internal machines are hard to infect; even where vulnerabilities exist they are hard to exploit; and internal traffic is also monitored, so behaviour such as infection scanning is detected immediately, eliminating internal bots, Trojans and viruses. This application can raise the cost of attack, lower the cost of protection, and suppress the formation of a black-market industry chain. In this embodiment, access to Internet content may use an access whitelist; a URL- and IP-based content classification and security scoring mechanism produced by a cloud threat analysis server may assist access filtering and control; and other security filtering means may be combined for access control.
In this embodiment, the forwarding plane automatically deploys CP-CAR and IP+MAC+port binding to protect the control plane against address spoofing attacks and DDoS traffic attacks; in this embodiment, such protection includes but is not limited to DHCP snooping, RADIUS snooping and IGMP snooping. In this embodiment, ARP attack protection is enabled by default. Through associated automatic deployment, this application simplifies deployment and improves attack resistance, replacing the manual deployment used in traditional technology.
In this embodiment, forwarding network elements are deployed in a distributed manner; protocols such as STP, RSTP, MSTP and ERPS prevent loops, and routing protocols discover the network topology automatically, giving high self-healing capability. The security network controller holds the forwarding information of the whole network, can optimize forwarding, and delivers the corresponding forwarding information to the relevant network elements. This network structure therefore has both centralized whole-network optimization and distributed self-healing, and is highly elastic: even if the security controller fails, distributed routing and forwarding continue. The security network controller is preferably deployed redundantly, as a dual-machine backup or even a multi-machine distributed deployment, to further enhance network elasticity.
As shown in FIG13, in this embodiment, the method for binding service data flow forwarding features to transmission network element forwarding entries further includes the following mode of binding normal service data flows to the forwarding table and whitelist through automatic learning, whose specific implementation flow includes:
S1”. The transmission network element generates various tables automatically during normal operation; in this embodiment, these tables include but are not limited to the MAC table, FIB table and ARP table;
S2”. Read the data of each table at a fixed interval and store it in a temporary table; in this embodiment, the interval may be set to, for example, 60 seconds;
In this embodiment, the entries of each table are read at a fixed interval and stored in a temporary table. This temporary table may be stored in a distributed manner on media such as the memory, flash, SSD or hard disk of the transmission network element, or stored centrally on a control-plane server such as the security network controller; "centralized" here is relative to the transmission network elements, and the control-plane server itself may be redundantly distributed over two or more machines. In this embodiment, the interval may be set to, for example, 60 seconds;
S3”. The learning time is reached; in this embodiment, the learning time may be, for example, 12 hours;
S4”. When the learning time is reached, a forwarding baseline database is formed;
S5”. When the learning time is reached, the transmission network element switches to baseline control mode;
In this embodiment, after the set learning time is reached, a forwarding baseline database is formed. The baseline database may be stored in a distributed manner in the memory, flash or SSD storage of the transmission network elements, or centrally on a server such as the security controller. The transmission network element switches to baseline control mode: when a forwarding entry is subsequently to be generated, the baseline database is queried first, and a corresponding forwarding entry is added at the forwarding layer only if the entry information is found in the baseline database;
S6”. When the learning time has not been reached, return to step S2”;
In this embodiment, as long as the set learning time has not been reached, the action of reading the tables at the fixed interval and storing them in the temporary table is repeated. Different services occur at different times, and table entries normally have an aging mechanism, so the MAC, FIB and ARP tables obtained each time usually differ; through many rounds of learning over a period such as 12 hours, all entries generated by normal service access can be recorded in the temporary table. The interval should preferably be set less than or equal to the aging time, so that the entries obtained are more complete;
S7”. The transmission network element forwards packets using the baseline data;
In this embodiment, abnormal packet judgment may be automatic, in combination with other components, or by manual confirmation; an abnormal service packet is discarded and logged, while a packet judged to be a newly added normal service data packet has its forwarding information added to the baseline database, thereby updating the service baseline database;
S8”. When packets exceeding the baseline appear, record them and extract their forwarding information;
S9”. Determine whether they are normal service data; in this embodiment, the determination methods include but are not limited to automatic determination and manual confirmation;
S10”. If not, discard the packets.
自动学习的业务绑定方式,优点是适应能力强,兼容性好。The automatic learning business binding method has the advantages of strong adaptability and good compatibility.
这种自学习的模式,可以用在MAC认证模式中,自动学习生成MAC地址库,从而通常解决需登记MAC地址,管理复杂问题,从而增强MAC认证模式的适应性,规避802.1X部署复杂的问题。This self-learning mode can be used in MAC authentication mode to automatically learn and generate a MAC address library, thereby generally solving the problem of registering MAC addresses and complex management, thereby enhancing the adaptability of the MAC authentication mode and avoiding the complex deployment of 802.1X.
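The following Python model is added here as an illustration of steps S1" to S10" and is not code from the patent or from any product. It replays constructed traffic events against tables that age out, snapshots them at a fixed interval into the temporary table until the learning time is reached, forms the baseline (S4"), and then applies the baseline control mode (S7" to S10"). The class and function names (`ForwardingTable`, `BaselineElement`, `run_demo`), the 300 s aging time, the shortened 1800 s learning window and the entry keys are all this example's own assumptions. It runs the same traffic with an interval below and above the aging time, which shows concretely why the interval must not exceed the aging time.

```python
"""Self-learning forwarding baseline (added illustration, not the patent's code).

Models a transmission network element whose MAC/ARP/FIB tables age out, a
learner that snapshots them every `interval` seconds into a temporary table
until `learning_time` is reached, and the baseline control mode used after.
All traffic, timings and table keys below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ForwardingTable:
    """One hardware table (MAC, ARP or FIB) with an aging time in seconds."""
    aging: float
    last_seen: Dict[str, float] = field(default_factory=dict)

    def hit(self, entry: str, now: float) -> None:
        self.last_seen[entry] = now

    def live_entries(self, now: float) -> Set[str]:
        """Entries that have not aged out at time `now`."""
        return {e for e, t in self.last_seen.items() if now - t < self.aging}


@dataclass
class BaselineElement:
    tables: Dict[str, ForwardingTable]
    learning_time: float                 # the text uses 12 h = 43200 s
    interval: float                      # snapshot period; keep <= min aging
    temp: Set[Tuple[str, str]] = field(default_factory=set)   # S2" temp table
    baseline: Optional[Set[Tuple[str, str]]] = None           # formed at S4"
    log: List[Tuple[str, Tuple[str, str]]] = field(default_factory=list)

    def snapshot(self, now: float) -> None:
        """S2": read every table and merge its live entries into the temp table."""
        for name, table in self.tables.items():
            self.temp |= {(name, e) for e in table.live_entries(now)}

    def learn(self, events: List[Tuple[float, str, str]]) -> Set[Tuple[str, str]]:
        """Replay (time, table, entry) events; snapshot on schedule (S2" to S6").

        Snapshots due before an event are taken first, so an entry is only
        captured if some snapshot falls inside its aging window.
        """
        next_snap = 0.0
        for t, name, entry in sorted(events):
            while next_snap <= t and next_snap < self.learning_time:
                self.snapshot(next_snap)
                next_snap += self.interval
            self.tables[name].hit(entry, t)
        while next_snap <= self.learning_time:   # S6": keep going until S3"
            self.snapshot(next_snap)
            next_snap += self.interval
        self.baseline = set(self.temp)           # S4": baseline database
        return self.baseline

    def forward(self, name: str, entry: str) -> str:
        """Baseline control mode (S5", S7", S8"): 'forward' or 'hold'."""
        assert self.baseline is not None, "still in learning mode"
        key = (name, entry)
        if key in self.baseline:
            return "forward"
        self.log.append(("out-of-baseline", key))   # S8": record for judgement
        return "hold"

    def judge(self, name: str, entry: str, normal: bool) -> str:
        """S9"/S10": confirmed normal extends the baseline; otherwise drop."""
        key = (name, entry)
        if normal:
            self.baseline.add(key)
            return "forward"
        self.log.append(("dropped", key))
        return "drop"


# Constructed traffic: three services each seen once inside a short
# learning window (1800 s instead of 12 h), with a 300 s aging time.
EVENTS = [
    (100.0, "mac", "00:11:22:33:44:55/vlan10"),
    (500.0, "arp", "10.1.0.7"),
    (1000.0, "fib", "10.2.0.0/24"),
]


def run_demo(interval: float) -> BaselineElement:
    """Learn the constructed traffic with the given snapshot interval."""
    elem = BaselineElement(
        tables={n: ForwardingTable(aging=300.0) for n in ("mac", "arp", "fib")},
        learning_time=1800.0,
        interval=interval,
    )
    elem.learn(EVENTS)
    return elem


if __name__ == "__main__":
    for iv in (300.0, 600.0):
        e = run_demo(iv)
        print(f"interval={iv:.0f}s  baseline={sorted(e.baseline)}")
```

With a 300 s interval all three entries end up in the baseline; with a 600 s interval the MAC entry hit at t=100 s has aged out before the 600 s snapshot and is never learned, so a later packet for it would be held for judgement rather than forwarded.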
In large and medium-sized enterprises, which have dedicated IT staff, the mode that binds service data flows automatically after authentication and authorization is the better choice.
In small and micro enterprises, and in small local networks such as those aboard warships, tanks, armoured vehicles and self-driving vehicles, a lightweight authentication and authorization scheme or the automatic learning mode can be deployed. In industrial networks, where the service mix changes slowly, the automatic learning mode works best.
Both modes disclosed in this embodiment bind normal service data flows automatically to the forwarding table entries and whitelists of the transmission network elements, so that security becomes endogenous and automated. There is no longer any need, as before, to attach external appliances and deploy security policy separately, with the procurement and operation costs that brings. Defending against unknown attacks has always been hard; because this application binds forwarding to normal service automatically, abnormal data flows find it hard to traverse the network, which raises the baseline level of protection and lowers security operation costs.
Example 2
As shown in Figure 14, the endogenous security network architecture provided by this application comprises n host terminals, n transmission network elements, n servers and a security network controller. In this embodiment the host terminals connect to the transmission network elements, which connect to the servers; the transmission network elements also connect to the security network controller. The transmission network elements forward normal service packets, discard abnormal service packets and raise an alarm. In this embodiment the transmission network elements include Ethernet transmission network elements and IP transmission network elements.
In this embodiment, access control, sampling, statistics and related functions are integrated into the transmission network element. Taking encryption, identity authentication and authorization as the foundation, access control as the centre and log auditing as the guarantee of traceability, the IP network evolves from a completely open network into a service-based, elastic, dynamically closed network, forming a layered defence so that the network is inherently secure: even unknown vulnerabilities inside it are hard to exploit. This application also merges traditional distributed path computation and forwarding with software-defined networking, combining the high survivability of distributed control with the optimisation of centralised control. Fusing the traditional distributed path computation and security control architecture with the centralised path computation and security control architecture of SDN improves the resilience and robustness of the network.
As shown in Figure 15, in this embodiment the transmission network elements deployed in the enterprise network do not have open forwarding tables. The network is not split into trust domains; instead forwarding table entries or control lists are generated from the actual service data flows, and only those flows can be forwarded. Referring to Figure 15, the first data flow 101 is a real service flow and has forwarding table entries on Ethernet/IP transmission network elements A1 and B1. Abnormal service data flows have no corresponding forwarding table entries: in this embodiment the second to sixth data flows 102, 103, 104, 105 and 106 are abnormal flows and simply cannot exist, which prevents junk and malicious traffic from being generated and forwarded.
As shown in Figure 16, in this embodiment the logical architecture of the endogenously secure, resilient network divides the whole network end to end into a management plane, a control plane and a forwarding plane. The three planes are isolated from one another, in particular so that traffic on the forwarding plane cannot affect the control and management planes; traditional designs lack a strict three-plane split, which lets risk spread. In this embodiment the subject terminals, servers, data assets, storage devices and similar components are brought into the overall management of the secure network as part of the network service. The logical components of the architecture include, but are not limited to: host terminals, transmission network elements, application servers and resources of all kinds, the security network controller, the policy server, the identity authentication, authorization and audit server, the management switch, the management server, and the log sampling and threat analysis server. Every network element contains an encryption and authentication unit: encryption keeps information confidential and protects the correctness and integrity of authentication data, while authentication establishes the legitimacy of an identity. Authentication comes first, authorization after.
In this embodiment, referring to Figure 16, the management switch, the management server and the management unit present in every end-to-end component sit in the management plane. The management server configures every device in the network that has a management unit. For security, mutual authentication between network elements is required by default: the management switch and management server access each network element's management unit using pre-provisioned user names and passwords, digital certificates or similar credentials, and the two sides authenticate each other. Management-plane communication is allowed only after mutual authentication succeeds. The management and control units of application servers and data resources should preferably communicate with the rest of the management and control planes over independent interfaces;
In this embodiment the forwarding plane includes, but is not limited to, the service units of host terminals, the service units of application servers and data resources, and the forwarding units of the forwarding network elements. The forwarding unit is the enforcement point of the security forwarding policy and provides, among other things, packet forwarding, ACLs, statistics, sampling and logging, supporting forwarding control, log auditing and threat analysis. Retained logs make tracing and accountability possible; statistics and sampling support threat analysis, attack detection and rapid response.
In this embodiment the sampling and logging functions are built into the transmission network elements in a distributed manner. Compared with the separately deployed probes of existing solutions, this gives wide coverage with no separate deployment, and the sampled data is more complete and therefore better suited to analysis.
In this embodiment the control plane includes, but is not limited to, the security network controller, the policy server, the identity management and authorization server and the log sampling and analysis server. Devices that must communicate on the control plane also authenticate each other, and control-plane communication starts only after authentication succeeds. An unauthenticated mode is supported for compatibility, but authentication is the default for security. Protocol packets, multicast and unknown unicast are subject to blacklists, whitelists and rate limits, and reach the security network controller only after the transmission network element's security review. Once a service data flow has been authenticated and authorized by the identity management and authorization server and checked against policy by the policy server, the security network controller computes the optimal path centrally, identifies the transmission network elements on it, and pushes the forwarding table entries through the control unit and the policy distribution unit to the forwarding units, so that the normal service flow is forwarded.
In this embodiment the transmission network element also contains a control protocol unit and a distributed path computation unit that collect the network topology and compute paths in a distributed manner. When centralised control is unavailable, for example because the security network controller or a link has failed, the transmission network elements compute paths and forward on their own under a customised default policy, and each forwarding network element applies access control to unknown traffic according to that default policy. The transmission network element further contains ML and AI units that learn and form a forwarding baseline so that normal service traffic continues to be forwarded.
In this embodiment, because host terminals are sometimes neither managed nor controlled, a management unit and a control unit are added to them; both may be implemented in software, for example. The host terminal's control unit can control the software installed on the machine, allowing only whitelisted software to be installed or to communicate externally, and can inspect peripherals attached to the terminal and report data checks. The host terminal's control and management units usually interact with the management-plane server and the control-plane components in band. Bringing the terminal's control unit under the security network controller means that other devices may reach only the service ports the terminal has opened, and the terminal is admitted to the network only after it meets the required standards and has the necessary patches installed. Application servers and data resources can be controlled in the same way, and even more tightly.
In this embodiment the transmission network element is a mandatory logical component of the architecture; its physical form adapts to the scenario. In some small enterprises, for example, the security network controller, policy server and identity, authorization and audit server can run on a single server, whereas in large enterprises identity authentication, authorization and audit can be split across different servers. For reliability the security network controller can also run as a redundant pair or even as a distributed deployment. Application servers and other resources usually have a management network port, which can be connected to the network management switch and managed by the management plane, or to a server management platform that manages them.
Example 3
As shown in Figure 17, in this embodiment the transmission network elements of a secure network architecture also include switches and routers. These transmission network elements no longer merely provide open forwarding; they take part in service-level access control by associating normal service access with their forwarding table entries or whitelists, so that only authorized access is forwarded.
In this embodiment, referring to Figure 17, the network includes, but is not limited to, access switches, aggregation switches, core switches, DC switches and routing gateways. The transmission units in the forwarding plane form the underlying network; the service devices include, but are not limited to, internal application servers, cloud service servers and host terminals. The control plane includes, but is not limited to, the security network controller, the policy server, the sampling and log analysis server, the LDAP server, the DNS server, the local threat analysis server and the cloud threat intelligence server. The management plane includes, but is not limited to, the management switch and the network management server.
In this embodiment the network is deployed and isolated as a management plane, a control plane and a forwarding plane. On switches and routers the management plane uses the management interface, the port attached directly to the CPU; switches and routers have one or two such Ethernet management ports. A management switch links the management ports of all service switches together to form the management plane. A switch's management port and service ports are isolated by default, so packets from service ports cannot reach the management port. Switches also expose a console port, and a terminal server or the management switch can link the console ports of the service switches; this gives deeper control over switches and routers and allows intervention during the boot process. The management plane is thus hidden inside the network, and packets from the external forwarding plane cannot enter it, achieving three-plane isolation on security grounds.
In this embodiment access switches include, but are not limited to, wireless AP access devices; DC switches include, but are not limited to, data-centre switches, top-of-rack switches, aggregation switches, core switches and spine-leaf fabrics. In this embodiment an LDAP server provides identity management and authorization.
In this embodiment the control plane of the network, terminals, cloud and services includes, but is not limited to, the controllers and servers that govern connection and forwarding for the network, terminals, cloud and services: the security network controller, the terminal controller, the policy server, the LDAP server, the sampling, statistics and log server and the threat analysis server. The terminal controller may be merged with the security network controller into a unified controller. The centralised route computation module of the security network controller selects an optimised path based on real-time traffic, determines from that path the transmission network elements the data flow will traverse, and binds and pushes the forwarding characteristics of the normal service packets into the flow table, forwarding table and ACL table of every transmission network element on the path, so that all of them forward only normal service data flows and protection is layered along the whole path. The policy server includes, but is not limited to, a policy engine unit and a policy management unit; the LDAP server includes, but is not limited to, identity authentication management and authorization.
In this embodiment the switch's own control-plane packets are processed by the CPU, so the control plane and forwarding plane can be logically isolated. Communication between switches, routers and similar elements and the network controller uses dedicated interfaces, with forwarding tables and ACLs configured automatically; IP addresses that do not belong to transmission units cannot reach the controller, so forwarding-plane traffic cannot disrupt the communication between network elements and the controller. In-band transport is also possible, with relative isolation achieved by encrypted transport and ACL control. Control packets such as routing protocols are exchanged between transmission network elements, usually in band; to harden them, ACLs should be generated automatically: from the configured protocol type and peer address, an ACL whitelist keyed on protocol and peer address can be derived.
In this embodiment encryption, authentication, authorization and logging ensure that services are genuine and traceable, and the key characteristics of the genuine service traffic are associated with the forwarding table entries, access control lists or flow tables of the transmission network elements, so that only normal service packets are forwarded.
As shown in Figure 18, the authentication, authorization and forwarding of a user's access to a service proceed as follows in this embodiment. Subject terminal 1 sends an access authentication request for the service, which passes through the access switch or wireless AP. Because the switch has no forwarding entry for it, the packet is sent over the control channel to the security network controller; the security network controller here may be, for example, the controller of an SDN network or a traditional network manager. The controller forwards the user's authentication packet to the policy server for an access policy query.
The policy server takes the user's user name and password and sends an administrator bind request to the LDAP server, with the administrator DN and administrator password as parameters, to obtain query permission. The LDAP server verifies the administrator DN and password; if they are correct the bind succeeds and the LDAP server returns an administrator bind response. The policy server then builds a filter from the user name the user entered, for example CN=User1, and sends a user DN search request to the LDAP server. The LDAP server searches for the user DN according to the search base, search scope and filter in the request and, if the search succeeds, returns a success response. The search may return one DN or several. In this embodiment the search base is "dc=lhzs,dc=com" and the returned DNs are "CN=User1,Departments=R&D,OU=People,dc=lhzs,dc=com" and "CN=User1,Departments=R&D,OU=Equipment,dc=lhzs,dc=com". The policy server sends a user bind request to the LDAP server with a returned user DN and the password the user entered; the LDAP server checks the password and returns a successful bind response if it is correct, or a bind failure response if it is not.
If a bind fails, the policy server tries the next returned user DN until one binds successfully; if every user DN fails to bind, the policy server notifies the user through the security network controller that authentication and authorization have failed. If the LDAP server reports success, the policy server performs a DNS query for the authorized service; if DNS holds an SRV record, the IP address, protocol type and port number of the service are returned to the policy server. The policy server then applies its other policy checks, including the compliance of the host client, the compliance of the application server being accessed, and whether the access is to the Internet; for Internet access it checks whether the requested URL or remote IP carries an infection risk, and refuses access if the address is on the risk blacklist. When the security review passes, access is allowed and the policy server sends the authorization to the security network controller; in this embodiment the authorization information includes, but is not limited to, the host terminal IP address, the service server IP address, the protocol type and the protocol port number. Using the policy server's reply and the network topology database, the security network controller computes the transmission units on the forwarding path and generates the corresponding entries for each; in this embodiment those entries include, but are not limited to, flow table, forwarding table and ACL entries. The flow-table match fields are shown in Table 3 below:
Table 3 (flow-table match fields; the table body is not reproduced on this page)
The security network controller pushes the corresponding entries to the switches, routers and other transmission network elements at every level; typical forwarding table entries are shown in Table 4 below. Together they form the forwarding path for this authorized data flow on the forwarding plane:
Table 4 (typical forwarding table entries; the table body is not reproduced on this page)
In this embodiment, the ACL permitting the access is sent to the service server, which opens the corresponding access restriction, and an authorization success message is sent to host terminal 1, which opens its own access control.
Host terminal 1 then accesses the authorized service normally.
In this embodiment, the switches, routers and other transmission network elements at every level continuously log, sample and analyse.
In this embodiment, if authentication or authorization fails, the default policy applies, which is usually to discard, and the event is reported to the log server for analysis and audit. Every access is logged, which makes tracing straightforward.
In this embodiment, black, white and grey list control of service data flows is enforced on the switches, routers and other transmission network elements.
As shown in Figure 18, in this embodiment data transmission network elements such as switches, routers and gateways do more than forward; an implementation should contain further unit modules. In this embodiment the transmission network element includes, but is not limited to: a forwarding unit, an access control unit, a statistics unit, a sampling unit, a log unit, an encryption unit, a control protocol unit, a policy enforcement unit, an authentication unit, a transmit/receive unit, an ML/AI unit and a security unit. Some security unit functions are implemented in the forwarding engine and some on the CPU; the ML/AI unit performs intelligent statistical analysis and processing of the collected information. The modules are described below:
Encryption unit: provides encryption for authentication, control information and forwarded packets. It may be implemented in hardware, for example as an ASIC or FPGA, or in software on the CPU. The CPU can support commercial cryptographic algorithms including, but not limited to, AES, DES, RSA, SM2, SM3 and SM4 (single DES has only a 56-bit key and is not suitable for new deployments; AES or SM4 should be chosen for bulk encryption). An encryption unit is also placed in the forwarding module to support MACsec.
Authentication unit: authenticates the device's own identity and authenticates the management server, the security network manager, the authentication and authorization server, the security policy server and the log, sampling and threat analysis servers. In this embodiment authentication may use, for example, a user name and password; a certificate-based scheme, or Kerberos, gives stronger security. Kerberos uses TCP/UDP port 88 for authentication and TCP/UDP port 464 for password changes, so ports 88 and 464 must be open on the transmission network element and the related servers.
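The following Python simulation is added here to make the Figure 18 sequence concrete; it is not code from the patent or from any product. It walks through the administrator bind, the user DN search that may return several DNs, the bind attempt per DN until one succeeds, the DNS SRV lookup, the risk blacklist check and finally the controller's path computation, which yields one match/output entry per transmission element on the path. The directory contents (including the two User1 DNs quoted above), the SRV record, the addresses, the topology and the names `FakeLDAP`, `authenticate`, `authorize`, `compute_path` and `flow_entries` are all constructed for this example; the DN search is a string match on the leftmost RDN rather than a real LDAP filter.

```python
"""Authentication, authorization and flow-entry push (added illustration).

Simulates the Figure 18 sequence described above. The directory, SRV
record, addresses and topology are constructed sample data; the class and
function names are this example's own, not the patent's or a product's.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple


class FakeLDAP:
    """In-memory stand-in for the LDAP server: DN -> password."""

    def __init__(self, entries: Dict[str, str]) -> None:
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        return self.entries.get(dn) == password

    def search(self, base: str, cn: str) -> List[str]:
        """Every DN under `base` whose leftmost RDN is CN=<cn> (one or more)."""
        return [dn for dn in self.entries
                if dn.endswith(base) and dn.startswith(f"CN={cn},")]


BASE_DN = "dc=lhzs,dc=com"
ADMIN_DN, ADMIN_PW = "CN=admin," + BASE_DN, "admin-secret"   # constructed
DIRECTORY = FakeLDAP({                                      # constructed
    ADMIN_DN: ADMIN_PW,
    "CN=User1,Departments=R&D,OU=People," + BASE_DN: "user1-pass",
    "CN=User1,Departments=R&D,OU=Equipment," + BASE_DN: "other-pass",
})
SRV = {"_erp._tcp.lhzs.com": ("10.20.0.5", "tcp", 8443)}    # constructed
RISK_BLACKLIST = {"203.0.113.7"}                            # constructed
TOPOLOGY = {                        # node -> {neighbour: local egress port}
    "host1": {"access1": "nic0"},
    "access1": {"host1": "ge1", "core1": "ge24"},
    "core1": {"access1": "xe1", "dc1": "xe2"},
    "dc1": {"core1": "xe1", "erp-srv": "ge7"},
    "erp-srv": {"dc1": "eth0"},
}
ATTACH = {"10.10.1.23": "host1", "10.20.0.5": "erp-srv"}   # IP -> node


def authenticate(ldap: FakeLDAP, username: str, password: str) -> Optional[str]:
    """Policy-server steps: admin bind, DN search, bind each DN until one works."""
    if not ldap.bind(ADMIN_DN, ADMIN_PW):
        return None                       # no query permission
    for dn in ldap.search(BASE_DN, username):
        if ldap.bind(dn, password):
            return dn                     # first DN that binds wins
    return None                           # every DN failed: auth failure


def authorize(host_ip: str, username: str, password: str,
              service: str) -> Optional[Tuple[str, str, str, int]]:
    """(host IP, server IP, protocol, port) on success, None on any failure."""
    if authenticate(DIRECTORY, username, password) is None:
        return None
    rec = SRV.get(service)                # DNS SRV lookup
    if rec is None:
        return None
    server_ip, proto, port = rec
    if server_ip in RISK_BLACKLIST:       # risk review of the destination
        return None
    return (host_ip, server_ip, proto, port)


def compute_path(src: str, dst: str) -> Optional[List[str]]:
    """Shortest path over TOPOLOGY by BFS; None if unreachable."""
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path, cur = [], node
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nb in TOPOLOGY[node]:
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    return None


def flow_entries(auth: Tuple[str, str, str, int]) -> List[dict]:
    """Controller side: one match/output entry per element on the path."""
    host_ip, server_ip, proto, port = auth
    path = compute_path(ATTACH[host_ip], ATTACH[server_ip]) or []
    entries = []
    for hop, nxt in zip(path[1:-1], path[2:]):   # skip the two endpoints
        entries.append({"element": hop,
                        "match": {"src_ip": host_ip, "dst_ip": server_ip,
                                  "proto": proto, "dst_port": port},
                        "action": f"output {TOPOLOGY[hop][nxt]}"})
    return entries
```

A failed bind on every returned DN, an unknown service name or a blacklisted destination all end in `None`, which corresponds to the default-policy discard and log described above; only a full success produces the five-tuple the controller turns into per-hop entries.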
Management unit: manages the transmission network element. Supported management protocols include, but are not limited to, SSH, telnet, HTTPS and SNMP, over a dedicated management interface; in Figure 18 this is port eth0-0-1, which is attached to the CPU. The management port is isolated from the control-plane port and from the forwarding plane, with no connectivity between them, so security risks cannot propagate from the forwarding and control planes. The management server must first authenticate with the element's management unit; once authentication succeeds the connection is established and an access control list is generated automatically. For example, the management server in the figure has IP address 10.0.0.1 and the element's management port address is 10.0.0.2, so after authentication the following ACL entries are associated and installed:
10 permit src-ip host 10.0.0.1 dest-ip 10.0.0.2;
20 permit src-ip host 10.0.0.2 dest-ip 10.0.0.1;
30 deny src-ip any dest-ip any;
When the management connection is disconnected, the ACL automatically reverts to:
10 permit src-ip any dest-ip 10.0.0.2;
20 permit src-ip host 10.0.0.2 dest-ip any;
30 deny src-ip any dest-ip any;
在本实施例中,可以接收例如:10.0.0.0/24网段的新的管理连接和认证。In this embodiment, for example, a new management connection and authentication of the 10.0.0.0/24 network segment may be received.
Forwarding unit: forwards or discards data packets based on the MAC table, ARP table, FIB table and flow table.
In this embodiment, the MAC table has the following format:
Table 5 Mac Address Table:
In this embodiment, the ARP table has the following format:
In this embodiment, the IP routing table has the following format:
Codes: C-connected, S-static, R-RIP,
O-OSPF, I-IS-IS, B-BGP, P-PIM,
>-selected route, *-FIB route,
[*]-[AD/Metric]
C>* 10.0.2.0/24 is directly connected, vlan1
C>* 10.0.0.2/32 is directly connected, loopback0
C>* 10.0.1.0/24 is directly connected, eth0-0-2
In this embodiment, the flow table has the following structure:
Match Field: used to match packets; it consists of the ingress port and the packet header.
Priority: priority field. Among flow entries with the same priority, a packet matches the entry that was delivered first. The value range is 0-65535; the default is 32768.
Counters: flow statistics field that records the number of packets matched by the entry.
Instruction: instruction field; supports apply-actions for immediate execution.
Timeout: supports hard_timeout and idle_timeout. hard_timeout is the fixed lifetime of the flow entry, which is deleted automatically on expiry; idle_timeout is the aging time of the flow entry, which is refreshed whenever a packet matches it.
Cookie: cookie field, used mainly by the controller to filter flow entries, for example to modify or delete an existing flow entry by its cookie.
In this embodiment, the match fields available in the flow table are shown in Table 3 above, and a typical flow table is shown in Table 4 above.
The Action field supports many types, listed in Table 6 below. The most commonly used are OUTPUT, Drop and Normal: OUTPUT specifies the outbound interface, Drop discards the packet, and Normal follows the traditional forwarding process, that is, forwarding based on the MAC, ARP and FIB tables.
Table 6
In this embodiment, referring specifically to Figure 18, the host terminal accesses the service server. After authentication passes, the security network controller installs the following flow entries on the transmission network element:
dl_src=14-a5-1a-b0-3c-2a,dl_dst=b6-2e-55-5b-d2-a4,actions=output:eth1-1-2 -O openflow13
dl_src=b6-2e-55-5b-d2-a4,dl_dst=14-a5-1a-b0-3c-2a,actions=output:eth1-1-1 -O openflow13
and/or installs the following flow entries keyed by IP pair:
ip,nw_src=10.0.2.1,nw_dst=10.0.2.6,actions=output:eth1-1-2 -O openflow13
ip,nw_src=10.0.2.6,nw_dst=10.0.2.1,actions=output:eth1-1-1 -O openflow13
Packets that match a flow entry are forwarded according to that entry. Suppose a data flow arrives with source address 10.0.2.10 and destination address 10.0.2.6. Since it matches no flow entry, the packet goes through the punt-to-control-plane process: it is first rate-limited and then forwarded to the security network controller for authentication and identification. If authentication fails, the packet is discarded and the following flow entry is installed:
ip,nw_src=10.0.2.10,nw_dst=10.0.2.6,actions=drop -O openflow13
Subsequent packets with these characteristics are discarded until the flow entry ages out, after which they go through the punt-and-authenticate process again.
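The flow-table behaviour described above (priority and first-installed matching, Counters, idle and hard timeouts, rate-limited punting of unmatched packets, and a drop entry installed on failed authentication) as an added example; this is illustrative code, not the patent's own implementation. The addresses and ports are those quoted in the text; the controller policy, punt rate and timeout values are assumptions.

```python
"""Added example (not part of the patent): a model of the forwarding unit's flow-table
behaviour described above: priority, Counters, idle/hard timeouts, rate-limited punt of
unmatched packets, drop entry on failed authentication. Addresses are those quoted in
the text; the controller policy, rates and timeouts are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlowEntry:
    match: Dict[str, object]     # Match Field: every key must equal the packet's value
    actions: str                 # "output:<port>", "drop" or "normal"
    priority: int = 32768        # default priority from the text
    idle_timeout: float = 0.0    # aging time, refreshed on match; 0 = never ages
    hard_timeout: float = 0.0    # fixed lifetime; 0 = none
    installed: float = 0.0
    last_hit: float = 0.0
    packets: int = 0             # Counters field


class FlowTable:
    def __init__(self):
        self.entries: List[FlowEntry] = []   # kept in installation order

    def add(self, e, now):
        e.installed = e.last_hit = now
        self.entries.append(e)

    def expire(self, now):
        self.entries = [e for e in self.entries
                        if not (e.hard_timeout and now - e.installed >= e.hard_timeout)
                        and not (e.idle_timeout and now - e.last_hit >= e.idle_timeout)]

    def lookup(self, pkt, now):
        self.expire(now)
        cands = [e for e in self.entries if all(pkt.get(k) == v for k, v in e.match.items())]
        if not cands:
            return None
        best = min(cands, key=lambda e: -e.priority)   # ties: earliest installed wins
        best.packets, best.last_hit = best.packets + 1, now   # Counters; refreshes idle_timeout
        return best


class TokenBucket:
    # CoPP-style limiter for packets sent up to the control plane
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


class ForwardingUnit:
    def __init__(self, authorize, punt_pps=2.0, drop_idle=30.0):
        self.table, self.authorize, self.punted = FlowTable(), authorize, 0
        self.copp, self.drop_idle = TokenBucket(punt_pps, punt_pps), drop_idle

    def handle(self, pkt, now):
        entry = self.table.lookup(pkt, now)
        if entry is not None:
            return entry.actions
        if not self.copp.allow(now):          # punt path is rate-limited first
            return "drop (CoPP rate limit)"
        self.punted += 1                      # reaches the security network controller
        key = {"ip": True, "nw_src": pkt["nw_src"], "nw_dst": pkt["nw_dst"]}
        port = self.authorize(pkt)            # controller returns out port, or None on auth failure
        if port is None:                      # install an aging drop entry for this flow
            self.table.add(FlowEntry(key, "drop", idle_timeout=self.drop_idle), now)
            return "drop"
        self.table.add(FlowEntry(key, f"output:{port}"), now)
        return f"output:{port}"


def demo_controller(pkt):
    """Constructed policy: only the authenticated 10.0.2.1 <-> 10.0.2.6 pair is authorized."""
    allowed = {("10.0.2.1", "10.0.2.6"): "eth1-1-2", ("10.0.2.6", "10.0.2.1"): "eth1-1-1"}
    return allowed.get((pkt["nw_src"], pkt["nw_dst"]))


def run_scenario():
    fu = ForwardingUnit(demo_controller, punt_pps=2.0, drop_idle=30.0)
    # entries the controller installed after the host terminal authenticated (from the text)
    fu.table.add(FlowEntry({"ip": True, "nw_src": "10.0.2.1", "nw_dst": "10.0.2.6"}, "output:eth1-1-2"), 0.0)
    fu.table.add(FlowEntry({"ip": True, "nw_src": "10.0.2.6", "nw_dst": "10.0.2.1"}, "output:eth1-1-1"), 0.0)
    good = {"ip": True, "nw_src": "10.0.2.1", "nw_dst": "10.0.2.6"}
    bad = {"ip": True, "nw_src": "10.0.2.10", "nw_dst": "10.0.2.6"}   # unknown flow from the text
    r = {"good": fu.handle(good, 1.0)}               # matches the installed entry
    r["bad_first"] = fu.handle(bad, 2.0)             # punted, auth fails, drop entry installed
    r["bad_second"] = fu.handle(bad, 3.0)            # hits the drop entry, not punted again
    r["punted_after_two"] = fu.punted                # 1
    r["bad_after_aging"] = fu.handle(bad, 34.0)      # idle_timeout elapsed, so punted again
    r["punted_after_aging"] = fu.punted              # 2
    burst = [{"ip": True, "nw_src": f"10.0.2.{i}", "nw_dst": "10.0.2.6"} for i in (11, 12, 13)]
    r["copp_limited"] = sum(fu.handle(p, 34.0) == "drop (CoPP rate limit)" for p in burst)  # 2
    return r
```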
In this embodiment, the access control unit generates a dynamic whitelist, a dynamic blacklist and a dynamic graylist. These lists can be generated in ways including, but not limited to, delivery from the security network controller or generation by the machine learning / artificial intelligence learning unit. In this embodiment, the forwarding unit, statistics unit, sampling unit and access control unit may be implemented separately or combined.
In this embodiment, access control entries (ACEs): each ACE includes an action element (permit or deny) and a series of filter elements based on criteria such as source address, destination address, protocol and protocol-specific parameters. Layer 2 criteria include MAC-SA, MAC-DA and other Layer 2 fields for filtering packets, such as COS, VLAN-ID, INNER-COS, INNER-VLAN-ID and L2 type. Layer 3 criteria include IP-SA, IP-DA and other Layer 3 fields for filtering packets, such as DSCP, the L4 Protocol field and further fields (TCP port, UDP port, etc.).
MAC ACL: a MAC ACL filters packets by MAC-SA and MAC-DA; MAC addresses can be configured with a mask or as a host MAC. A MAC ACL can also filter packets by other Layer 2 fields, in this embodiment for example COS, VLAN-ID, INNER-COS, INNER-VLAN-ID and L2 type.
IP ACL: an IP ACL filters packets by IP-SA and IP-DA; IP addresses can be configured with a mask or as a host IP address. An IP ACL can also filter packets by other Layer 3 fields, such as DSCP, the L4 Protocol field and further fields (TCP port, UDP port, etc.).
Time range: defines a time range or period during which the ACE is in effect; outside that range or period the ACE is inactive.
Table 7 The ACL table has the following format:
In this embodiment, a forwarding unit with flow table capability forwards by flow table in preference; one without flow table capability can forward data packets from the host terminal to the server according to Table 7 and Table 5, and discards all other non-service packets.
In this embodiment, to isolate the forwarding plane from the control plane, the CoPP function is configured automatically: the forwarding plane rate-limits packets sent up to the control plane. The CoPP ACL handles packets according to the exception under which they are sent to the CPU; the following exceptions are supported: any, ipda, fwd-to-cpu, slow-protocol, bpdu, erps, eapol, smart-link, dhcp, rip, ospf, pim, bgp, vrrp, ldp, ptp, rsvp, icmp-redirect, mcast-rpf-fail, macsamismatch, vlan-security-discard, port-security-discard, ip-option, udld, dot1x-macbypass, l2protocol-tunnel, arp, igmp, ssh, mlag and telnet. CoPP only rate-limits or filters packets sent to the CPU; it does not process forwarded packets.
In this embodiment, which control plane protocols are enabled can be determined from the configuration of the transmission network element. Packets of protocols that are not enabled can additionally be discarded; for example, if OSPF is not enabled, an ACL can be configured to discard IP packets with protocol number 89. For enabled protocols, the rate at which packets are sent to the CPU can be limited per protocol after a learning phase.
Statistics unit: collects pps, bps, packet loss and latency statistics per port, VLAN, IP address and 5-tuple. In this embodiment, these statistics serve as learning input to the ML AI unit for analysis and learning.
Sampling unit: samples traffic and sends the sampled data to the corresponding servers over SNMP, CLI, Syslog, NetStream, sFlow and IPFIX. In this embodiment, the sampled data serves as learning input to the ML AI unit for analysis and learning. The CTC7132 chip has a Flow Tracing engine that supports, for example, sFlow and IPFIX flow sampling. In this embodiment, sFlow is a technique for monitoring the traffic entering a device: it runs on the monitored device, samples at a configured rate through a sampling mechanism, and sends the sampled information to a monitoring server, where the traffic of multiple agents can be viewed. In this embodiment, sFlow carries two kinds of sampling information: port statistics and the headers of sampled packets.
In this embodiment, the sFlow Flow-sampling fields supported include, for example: Raw Packet Header, which captures all or part of the original packet header; Ethernet Frame Data, which parses the Ethernet header of Ethernet packets; IPv4 Data, which parses the IPv4 header of IPv4 packets; Extended Router Data, which records the routing information of routed packets; and Extended Switch Data, which records the VLAN translation and VLAN priority translation of Ethernet packets forwarded at Layer 2. The sFlow Counter-sampling fields supported are: Generic Interface Counters, general interface statistics including basic interface information and generic interface traffic counters; Ethernet Interface Counters, Ethernet-related traffic statistics for Ethernet interfaces; and Processor Information, statistics on device CPU utilisation and memory usage. sFlow transmits data over UDP with a default destination port of 6343; for improved security it can be configured to a different port. Using these sampling methods together and sending the sampled information to a collector builds a flow-based information base that facilitates machine learning and analysis.
In this embodiment, after sFlow is configured, the following sFlow information can be viewed on the transmission network element:
sFlow Version:5
sFlow Global Information:
Agent IPv4 address:10.0.1.8
Counter Sampling Interval:15 seconds
Collector 1:
IPv4 Address:10.0.1.5
Port:6342
sFlow Port Information:
In this embodiment, the above configuration enables sFlow on port eth1-1-1, which connects the host terminal, and port eth1-1-2, which connects the service server, and sends the sampled information over UDP port 6342 to the sampling server at 10.0.1.5.
Log unit: records information such as forwarding table entries, control table entries, and the types and counts of packet protocols, forms logs from them and sends them to the log server. In this embodiment, control table entries include, but are not limited to, separate control entries and combined control entries.
ML AI unit: analyses and learns from control plane protocol data, management plane management data, and forwarding plane table entries, sampling and statistics, and forms corresponding policies for delivery and execution or for reporting to the higher-level control entity. This unit is optional for a transmission network element; the learning can also run on a remote server.
Control protocol unit: processes the transmission network element's native Layer 2, Layer 3 and application layer protocols, for example control protocols such as STP, RSTP, MSTP, RIP, OSPF, BGP and IGMP used to collect, identify and present topology information, and network application processing such as DHCP, DNS, 802.1X and AAA.
Distributed path calculation unit: performs distributed path calculation. Traditional routers compute routes in a distributed way, which gives relatively high network survivability, but because the path information does not take link utilisation into account, the selected path is often not optimal. Centralised path calculation based on the security network controller can compute better paths and perform path optimisation and adjustment. This technical solution combines the two: when centralised path calculation fails, path calculation can proceed independently, which improves network resilience.
Policy execution unit: applies the policies issued by the network control unit and the security control unit to the forwarding unit and the access control unit.
Sending and receiving unit: provides the transmit and receive functions for communicating with other devices on the management plane and the control plane. Control plane messages use a dedicated interface; in Figure 18 this is eth0-0-2, which establishes a connection with the security network controller after authentication passes. The protocol used can be SNMP, NETCONF, OpenFlow or another protocol. Once the connection is established, the following ACL is generated automatically:
10 permit src-ip host 10.0.1.1 dest-ip 10.0.1.8
20 permit src-ip host 10.0.1.8 dest-ip 10.0.1.1
30 deny src-ip any dest-ip any
If the management connection is disconnected, the ACL is adjusted automatically to:
10 permit src-ip any dest-ip 10.0.1.8
20 permit src-ip host 10.0.0.8 dest-ip any
30 deny src-ip any dest-ip any
In this embodiment, security controller connections and authentication can then be accepted from the 10.0.1.0/24 network segment.
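The session-bound ACL lifecycle used by both the management unit (eth0-0-1) and the sending and receiving unit (eth0-0-2) above, as an added example with a first-match evaluator so the effect of each ACL can be checked; this is illustrative code, not the patent's own implementation. Addresses are those quoted in the text; the optional `segment` restriction on the disconnected ACL is an assumption of this example and is not shown in the patent's ACL, which uses `any`.

```python
"""Added example (not part of the patent): session-bound ACL generation for the
management unit / sending and receiving unit, plus a first-match evaluator.
Addresses are those quoted in the text; the optional `segment` tightening of the
disconnected ACL is an assumption of this example (the patent's ACL uses 'any')."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Ace(NamedTuple):
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", "A.B.C.D" or "A.B.C.D/len"
    dst: str


def _matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        spec = spec[5:]
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)


def build_acl(peer_ip: str, local_ip: str, connected: bool, segment: Optional[str] = None) -> List[Ace]:
    """Session up: only the authenticated peer and the element may talk.
    Session down: reopen the element for new connections (any, or `segment` if given)."""
    if connected:
        return [Ace(10, "permit", f"host {peer_ip}", local_ip),
                Ace(20, "permit", f"host {local_ip}", peer_ip),
                Ace(30, "deny", "any", "any")]
    wide = segment or "any"
    return [Ace(10, "permit", wide, local_ip),
            Ace(20, "permit", f"host {local_ip}", wide),
            Ace(30, "deny", "any", "any")]


def render(acl: List[Ace]) -> List[str]:
    """Text form matching the entries quoted in the description."""
    return [f"{a.seq} {a.action} src-ip {a.src} dest-ip {a.dst}" for a in acl]


def evaluate(acl: List[Ace], src: str, dst: str) -> Ace:
    """First matching ACE wins; an implicit deny catches anything unmatched."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace
    return Ace(0, "deny", "any", "any")


def management_session_demo() -> dict:
    local, mgmt = "10.0.0.2", "10.0.0.1"          # element and management server from Figure 18
    up = build_acl(mgmt, local, connected=True)
    down = build_acl(mgmt, local, connected=False)
    tight = build_acl(mgmt, local, connected=False, segment="10.0.0.0/24")  # assumed tightening
    return {
        "up": render(up),
        "up_peer_in": evaluate(up, mgmt, local).action,               # permit
        "up_other_in": evaluate(up, "10.0.0.9", local).action,        # deny: session is exclusive
        "down_other_in": evaluate(down, "10.0.0.9", local).action,    # permit: new logins allowed
        "down_outside": evaluate(down, "192.0.2.7", local).action,    # permit under the text's 'any'
        "tight_outside": evaluate(tight, "192.0.2.7", local).action,  # deny under the segment limit
    }
```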
As shown in Figure 19, in this embodiment the policy execution unit, forwarding unit and access control unit cooperate to execute the policy, issued by the security network controller, that decides on the basis of authentication and authorization whether a service data flow is forwarded. The self-learning unit records and counts forwarding entries over a period of time against the normal service baseline, forming a historical baseline; if data beyond this baseline needs to be forwarded, an alarm is raised and the authentication and authorization process is started.
Figure 19 describes the internal modules of the security policy server and its internal and external connections.
Sending and receiving unit: the unit through which the security policy server interacts with the other devices in the endogenous security network; it is connected to all other internal modules.
Management unit: connected to the sending and receiving unit. Its function is similar to that of the management unit of the transmission network element: it likewise establishes a connection with the management server after authentication passes.
Authentication and authorization proxy unit: connected to the sending and receiving unit. On one hand it performs the server's own identity authentication with the other devices in the endogenous security network; on the other hand it connects the security network controller and the authentication and authorization server, acting as the authentication and authorization proxy for the security network controller, which provides the basis for forwarding feature extraction.
DNS query unit: connected to the authentication and authorization proxy unit, the forwarding feature extraction unit and the sending and receiving unit. After authentication passes, what is usually returned is the domain name information for which access is authorized; this must be converted into IP address and port number information, which this unit provides as the basis for forwarding feature extraction. If the authentication and authorization proxy unit already returns the IP address and port number of the accessible service server, no DNS query is needed and this unit is bypassed.
Forwarding feature extraction unit: connected to the security policy generation unit, the sending and receiving unit, the DNS unit, the sampling analysis learning unit, the forwarding table learning unit and the statistical analysis learning unit. It extracts the source IP address, destination IP address, protocol number, destination port number and source port number of authenticated access connections for use by the security policy generation unit.
Forwarding table learning unit: connected to the sending and receiving unit and the forwarding feature extraction unit. It continuously reads forwarding table entries from the transmission network element and generates temporary entries. The entries include, but are not limited to, the MAC table, ARP table, FIB table and flow table, in the formats described for Figure 18.
Sampling analysis learning unit: connected to the sending and receiving unit and the forwarding feature extraction unit. It reads data from the collector, analyses it, and extracts forwarding data features from the sampled data for use by the forwarding feature extraction unit. Take IPFIX sampling as an example: IPFIX is based on the concept of a flow, that is, packets arriving on the same sub-interface with the same source and destination IP addresses, protocol type, source and destination protocol port numbers and ToS, usually a 5-tuple. IPFIX records statistics for each flow, including timestamp, packet count and total byte count. IPFIX involves three roles: Exporter, Collector and Analyzer. The Exporter analyses and processes network flows, extracts statistics for flows that meet the configured conditions, and outputs them to the Collector; the Collector parses the Exporter's data packets and stores the statistics in a database for the Analyzer; the Analyzer retrieves the statistics from the Collector and post-processes them to provide a basis for various services. The sampling analysis learning unit acts as the Analyzer: it extracts the feature information of the data flows forwarded by the transmission network element over a period of time and sends it to the forwarding feature extraction unit.
Statistical analysis learning unit: connected to the sending and receiving unit and the forwarding feature extraction unit. It receives statistics on flows, ports, CPU utilisation and so on from the transmission network elements and collectors, monitors the traffic situation using machine learning, and can generate corresponding rules for the security policy generation unit.
Other security policy input unit: connected to the sending and receiving unit and the security policy generation unit. It receives threat information and other server information provided by the local threat analysis server and the cloud security threat analysis server, organises their features into, for example, 5-tuple or 7-tuple form, and provides them to the security policy generation unit.
Security policy generation unit: connected to the forwarding feature extraction unit, the other security policy input unit, the sending and receiving unit and the security policy management unit. It integrates the inputs of the units above, generates security policies and outputs them to the security policy management unit.
Security policy management unit: connected to the security policy generation unit and the sending and receiving unit. It is mainly responsible for maintaining the security policy library, optimising the rule set and managing the delivery of security policies.
As shown in Figure 20, the self-learning method of this embodiment builds a whitelist rule table from normal service data flows and delivers it to the flow table, forwarding table and ACL table of the transmission network element. During the learning period the forwarding table learning unit reads the forwarding entries, ACLs and flow tables at a fixed interval, for example every 60 s, to form a temporary entry database; the statistical analysis learning unit continuously reads and preprocesses statistics to form a statistics database. The sampling analysis learning unit reads flow sampling data in real time and preprocesses it into flow data, then checks whether the flow's rule is already in the flow table; if it is, it returns to reading flow sampling data. If not, it checks whether it is in the ACL; if it is, it returns to reading flow sampling data. If not, it counts the accesses between the source and destination hosts and reads the configured threshold: if the access count is below the threshold, the access count for that path is incremented by 1; if it exceeds the threshold, the path is added to the default safe list.
The security policy generation unit decides whether to add the entry to the whitelist rule table based on the port bandwidth, CPU and memory utilisation health reported by the statistical analysis learning unit: if they are healthy, the new rule is added to the whitelist rule table; if port bandwidth, CPU or memory utilisation exceeds the health threshold, an alarm is raised and the process stops. The security policy management unit optimises the whitelist rule set generated by the security policy generation unit, usually by service priority and traffic volume, placing higher-priority rules at the front of the rule base followed by higher-volume ones, and is responsible for delivering the security policy through the security network controller to the security policy execution unit of the transmission network element.
In this embodiment, the self-learning algorithm based on the access paths between source and destination hosts includes, but is not limited to, the following logic:
Input: rule set R, threshold threshold
Output: new rule list set
Algorithm process:
(1) // Initially RuleSets is empty
(2) For each rule r ∈ R
(3)   r[count] = 1;
(4) End for
(5) Set threshold;
(6) While r ∈ R; r[count] > threshold do
(7)   Add whitelist;
(8) Else
(9)   r[count] = r[count] + 1;
(10) End while
(11) Output all updated set of rules
In the above algorithm, r[count] denotes the number of accesses between the source host and the destination host, which also corresponds to the number of times the transmission network element receives the corresponding packets. The threshold is set by the network administrator according to the recorded processing method and the actual data patterns in the network; after a period of machine learning, the statistics produced by machine learning can also be used to set the threshold.
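The self-learning loop of Figure 20 and the path-count algorithm (1)-(11) above, carried through on sampled flow records, as an added example; this is illustrative code, not the patent's own implementation. Flow records are constructed in the IPFIX 5-tuple form the description uses; the threshold, health limits and service priorities are assumptions.

```python
"""Added example (not part of the patent): a runnable form of the self-learning
loop of Figure 20 and the path-count algorithm (1)-(11) above. Flow records are
constructed in the IPFIX 5-tuple form the page describes; health limits, service
priorities and the threshold are assumptions of this example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Path = Tuple[str, str]   # (source host, destination host)


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    octets: int


@dataclass
class Health:
    port_util: float
    cpu: float
    mem: float


class PathLearner:
    """Sampling analysis learning unit: counts accesses per source/destination
    path that are covered by neither the flow table nor the ACL; r[count]
    becomes 1 when a path is first seen and grows by 1 per later record."""

    def __init__(self, threshold: int, flow_table: Set[Path], acl: Set[Path]):
        self.threshold = threshold
        self.known = set(flow_table) | set(acl)
        self.count: Counter = Counter()
        self.octets: Counter = Counter()
        self.first: Dict[Path, FlowRecord] = {}

    def observe(self, rec: FlowRecord) -> bool:
        path = (rec.src_ip, rec.dst_ip)
        if path in self.known:           # already in flow table or ACL: back to reading samples
            return False
        self.count[path] += 1
        self.octets[path] += rec.octets
        self.first.setdefault(path, rec)
        return True

    def default_safe_list(self) -> Set[Path]:
        """Paths whose access count exceeds the threshold (steps (6)-(7))."""
        return {p for p, c in self.count.items() if c > self.threshold}


def generate_policy(learner: PathLearner, health: Health,
                    limits: Health = Health(0.8, 0.8, 0.8)) -> Tuple[str, List[dict]]:
    """Security policy generation unit: add whitelist rules only while port
    bandwidth, CPU and memory are within their health thresholds; otherwise alarm and stop."""
    if health.port_util > limits.port_util or health.cpu > limits.cpu or health.mem > limits.mem:
        return "alarm", []
    rules = []
    for path in sorted(learner.default_safe_list()):
        r = learner.first[path]
        rules.append({"src": r.src_ip, "dst": r.dst_ip, "proto": r.proto,
                      "dport": r.dst_port, "action": "permit", "octets": learner.octets[path]})
    return "ok", rules


def optimise(rules: List[dict], priority_of: Dict[Path, int]) -> List[dict]:
    """Security policy management unit: higher service priority first, then larger traffic."""
    return sorted(rules, key=lambda r: (-priority_of.get((r["src"], r["dst"]), 0), -r["octets"]))


def demo() -> dict:
    # constructed sampled flows: host 10.0.2.1 repeatedly reaches server 10.0.2.6 on 443,
    # host 10.0.2.3 reaches 10.0.2.7 on 80, 10.0.2.10 is seen once, 10.0.2.5 is already in the flow table
    records = ([FlowRecord("10.0.2.1", "10.0.2.6", 6, 40000 + i, 443, 1500) for i in range(4)]
               + [FlowRecord("10.0.2.3", "10.0.2.7", 6, 41000 + i, 80, 300) for i in range(4)]
               + [FlowRecord("10.0.2.10", "10.0.2.6", 6, 42000, 22, 100),
                  FlowRecord("10.0.2.5", "10.0.2.6", 6, 43000, 443, 900)])
    learner = PathLearner(threshold=3, flow_table={("10.0.2.5", "10.0.2.6")}, acl=set())
    for rec in records:
        learner.observe(rec)
    status, rules = generate_policy(learner, Health(0.4, 0.5, 0.6))
    ordered = optimise(rules, priority_of={("10.0.2.3", "10.0.2.7"): 10})
    alarm, _ = generate_policy(learner, Health(0.95, 0.5, 0.6))   # port bandwidth over the limit
    return {"status": status, "alarm": alarm,
            "paths": [(r["src"], r["dst"]) for r in ordered],
            "unknown_count": learner.count[("10.0.2.10", "10.0.2.6")],
            "skipped_known": ("10.0.2.5", "10.0.2.6") in learner.count}
```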
In this embodiment, a service baseline is established by methods such as automatic learning or artificial intelligence, and forwarding entries or flow entries and access control lists are formed on the transmission network element so that only normal service data packets are forwarded.
In this embodiment, the secure network architecture further includes a management plane, a control plane and a service forwarding plane, which are isolated from one another to achieve risk isolation, ensuring that attacks and risks on the service forwarding plane do not spread to the control plane and the management plane.
In this embodiment, to give the network architecture resilience, traditional distributed path calculation and forwarding is merged with software-defined networking, combining the high survivability of the distributed approach with the optimised control of the centralised one. If the security network controller fails or is destroyed, distributed route calculation and forwarding remain effective; the security network controller is deployed redundantly and in a distributed manner.
In this embodiment, specific malicious or potentially threatening accesses are added to a blacklist and access is prohibited. For unknown traffic, a dynamic graylist mechanism may be used: the forwarding network element passes the traffic through the management and control channel to the security controller and the authentication and authorization system for authentication, or for manual confirmation or automated security review. If it passes, it is placed in the whitelist; if not, it is dropped by default and reported to related platforms such as threat analysis. How graylist traffic is handled is customizable: if authentication fails, according to the overall security policy it may be blocked with an alarm, or temporarily forwarded and placed under monitoring; in this embodiment a dynamic blacklist may also be added. When the security policy, authentication, and authorization servers are unavailable, a customized default policy is applied, and each forwarding network element performs access control of unknown traffic according to that default policy, or operates in a distributed automatic learning or AI statistics mode.
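The paragraph above specifies a decision order (blacklist, whitelist, then graylist with authentication), a configurable outcome for failed authentication, and a fallback default policy when the policy and authentication servers are unreachable. The following added example models that decision on a forwarding network element; it is not the patent's code. The `AccessController` class, the `Verdict` names, and the convention that an authenticator of `None` means "servers unavailable" are assumptions made here for illustration.

```python
from enum import Enum


class Verdict(Enum):
    FORWARD = "forward"
    DROP = "drop"
    FORWARD_MONITORED = "forward+monitor"   # temporary forwarding under monitoring


class AccessController:
    """Hypothetical black/white/gray list decision logic of a forwarding network element.

    default_policy:          applied when the policy/authentication servers are unavailable
    unknown_policy_on_fail:  what to do with graylist traffic that fails authentication
                             ("drop" adds it to the dynamic blacklist; "monitor" forwards it
                             temporarily and keeps it under observation)
    """

    def __init__(self, default_policy="drop", unknown_policy_on_fail="drop"):
        self.blacklist = set()
        self.whitelist = set()
        self.graylist = set()      # flows awaiting authentication or review
        self.alarms = []           # reports destined for the threat-analysis platform
        self.default_policy = default_policy
        self.unknown_policy_on_fail = unknown_policy_on_fail

    def decide(self, flow, authenticator=None):
        """flow: (src, dst, proto, dport). authenticator: callable returning True/False,
        or None when the security policy / authentication servers cannot be reached."""
        if flow in self.blacklist:
            return Verdict.DROP
        if flow in self.whitelist:
            return Verdict.FORWARD

        # Unknown flow: goes to the dynamic graylist.
        self.graylist.add(flow)
        if authenticator is None:
            # Servers unavailable: fall back to the customized default policy.
            if self.default_policy == "monitor":
                return Verdict.FORWARD_MONITORED
            return Verdict.DROP

        if authenticator(flow):
            self.graylist.discard(flow)
            self.whitelist.add(flow)
            return Verdict.FORWARD

        # Authentication failed: alarm, then apply the configured outcome.
        self.graylist.discard(flow)
        self.alarms.append(("auth_failed", flow))
        if self.unknown_policy_on_fail == "monitor":
            return Verdict.FORWARD_MONITORED
        self.blacklist.add(flow)   # dynamic blacklist
        return Verdict.DROP
```

Keeping the blacklist check first means a flow that has already failed is dropped without another round trip to the authentication server, which also limits the load an attacker can impose on the control channel by replaying unknown flows.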
In this embodiment, transmission network element statistics are used for reporting operations, which include but are not limited to statistics and sampling, in cooperation with the relevant servers for threat analysis, attack detection, and response; based on the latest threat analysis results, access control lists are issued to isolate risk. In this embodiment, isolation refers to the partitioning and separation made in network deployment, implementation, and management for the sake of security enhancement, with the aim of preventing risk from propagating across planes.
In this embodiment, all communication-information-related resources are brought under the overall management of the secure network as part of the network service. Only the service ports that servers and terminals normally expose are open to access, and access to non-open ports is prohibited. This can be enforced on the transmission network element using ACLs and flow tables, or on units with strong forwarding processing capability such as smart NICs and data processing units. In this embodiment, communication-information-related resources include but are not limited to: host terminals, servers, storage devices, and data assets.
In this embodiment, an attack detection mechanism based on the service processing unit/program is set up in the software of host terminals and servers. When a service unit/program receives an abnormal packet during normal communication, it forwards the abnormal packet to the local control unit for processing. The local control unit extracts the features of the abnormal packet, which in this embodiment include but are not limited to: source IP, source MAC, protocol type, and source port; it reports the feature information to the corresponding device on the control plane, which issues a blocking policy and notifies the relevant analysis and processing unit to start analysis.
As shown in FIG. 21, in this embodiment, the procedure by which a service unit of a host terminal or application server reports an abnormal packet includes the following specific steps:
S101': the service unit opens a port and establishes a normal session;
S102': the service unit receives a packet that does not belong to a normal session;
S103': the service unit sends the abnormal packet to the control unit for processing;
S104': the control unit extracts the features of the abnormal packet, including the source IP, source MAC, protocol type, source port, and other information;
S105': the control unit reports the feature information to the secure network controller, which issues a blocking policy and notifies the relevant analysis unit to process it.
In this embodiment, the end-to-end access control of the management plane, control plane, and forwarding plane described above essentially eliminates malicious access and attacks. Referring to FIG. 19, in this embodiment a detection enhancement is performed: an attack detection mechanism based on the service processing unit/program is designed for host terminals and application servers. When a service unit/program receives an abnormal packet during normal communication, it forwards the abnormal packet to the local control unit for processing; the local control unit extracts the features of the abnormal packet and reports the feature information to the corresponding device on the control plane, for example the secure network controller, which issues a blocking policy and notifies the relevant analysis and processing unit to start analysis. The report to the secure network controller may be sent to a pre-configured peer IP address (the two ends are usually mutually authenticated) or to a specific multicast address; the advantage of a multicast address is that several devices can receive the information and start processing at the same time. In this embodiment, the features of an abnormal packet include, but are not limited to: source IP, source MAC, protocol type, and source port.
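Steps S101' to S105' and the paragraph above describe the host-side pipeline: a service unit recognises a packet that belongs to no established session, the local control unit extracts source MAC, source IP, protocol type and source port, and the secure network controller turns the report into a blocking rule. The following added example, written for this page rather than taken from the patent, implements that pipeline over raw Ethernet/IPv4 frames. The frame builder, the session model (peer IP and port), and the `SecureNetworkController`, `HostControlUnit` and `ServiceUnit` classes are constructed assumptions; the sample frames are built inline and carry zero checksums.

```python
import ipaddress
import struct

PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct an Ethernet II / IPv4 / TCP-or-UDP frame for the example (checksums left zero)."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload   # minimal 20-byte TCP header
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip_hdr + l4


def parse_frame(frame):
    """Extract the features the control unit reports (S104'): source MAC, source IP,
    protocol type and source port, plus the destination side needed for session matching."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl + 4:
        raise ValueError("malformed IPv4 header")
    proto = ip[9]
    if proto not in PROTO_NAMES:
        raise ValueError(f"unsupported protocol {proto}")
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": PROTO_NAMES[proto],
        "sport": sport,
        "dport": dport,
    }


class SecureNetworkController:
    """Stand-in for the control-plane device that receives reports and issues a blocking policy."""

    def __init__(self):
        self.block_rules = []
        self.analysis_queue = []   # what the analysis unit is notified about

    def receive_report(self, features):
        rule = {"action": "deny", "src_ip": features["src_ip"], "src_mac": features["src_mac"],
                "proto": features["proto"], "sport": features["sport"]}
        self.block_rules.append(rule)
        self.analysis_queue.append(features)
        return rule


class HostControlUnit:
    """Local control unit: extracts features (S104') and reports them upward (S105')."""

    def __init__(self, controller):
        self.controller = controller

    def handle_abnormal(self, frame):
        return self.controller.receive_report(parse_frame(frame))


class ServiceUnit:
    """Service unit listening on one port with its set of established sessions (S101')."""

    def __init__(self, port, control_unit):
        self.port = port
        self.sessions = set()          # (peer_ip, peer_port) pairs of normal sessions
        self.control_unit = control_unit

    def receive(self, frame):
        f = parse_frame(frame)
        if f["dport"] == self.port and (f["src_ip"], f["sport"]) in self.sessions:
            return "handled"           # traffic of a normal session
        self.control_unit.handle_abnormal(frame)   # S102'/S103'
        return "reported"
```

The service unit never tries to interpret the abnormal packet itself; it hands the raw frame to the control unit, so a malformed payload aimed at the service's parser is not parsed on the service's code path.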
Through this embodiment, abnormal packets and attacks arriving on the TCP or UDP ports used by normal services can be detected, reported for processing, and a forwarding blacklist issued automatically, further enhancing the endogenous security of the network. This has considerable application value in industrial, autonomous driving, and other scenarios that place particular emphasis on security.
In this embodiment, the ways of identifying an abnormal packet include but are not limited to the packet sequence number, source port number, source IP address, and so on; see Table 4 below:
Table 4 Abnormal packet cases
As shown in Figures 22a, 22b, 22c and 22d, in this embodiment a MAC restriction scheme may be used to facilitate transitional deployment. Referring to Figure 22a, the MAC addresses of the enterprise's own host terminals, servers, and so on are entered into the enterprise MAC address library by camera scanning or manual input and stored on the network controller or authentication server. The switch has both an ASIC and a CPU, and can perform hardware MAC learning on the ASIC or software MAC learning on the CPU. Figure 22b shows the hardware MAC learning flow. Figure 22c shows the CPU software MAC learning flow, to which an address library verification function is added: MAC learning is configured as soft learning (packets are sent up to the CPU for learning). When a new packet arrives and there is no matching MAC table entry, it is sent to the CPU for source MAC learning; during learning the switch communicates with the secure network controller or authentication server to verify whether the source MAC address is in the address library. Only addresses in the library are learned and installed into the forwarding-plane MAC table; addresses not in the library are dropped and are not learned into the forwarding-plane MAC table, and unknown MAC addresses are reported as alarms for review. To speed up processing, the MAC address library may also be stored or cached on the switch's own control plane for verification.
Referring to Figure 22d, to increase learning speed, hardware learning may be used first at startup to build the forwarding table; after running for a period, the switch changes to sending packets to the CPU for soft learning of the MAC table, and then verifies the existing MAC table entries against the enterprise MAC address library. If an entry is not in the library, the packet is dropped, no entry is added, and an alarm is raised. If the address is manually confirmed to belong to an enterprise device, it can be added to the enterprise address library; if it is confirmed not to belong to an enterprise device, it can be added to a blacklist that prohibits forwarding, further improving security. This prevents non-enterprise devices from gaining access. Figures 22a, 22b, 22c and 22d describe the formation and use of the enterprise MAC address library, where Figure A shows that a distributed MAC address library may be used. In small and medium-sized enterprises, which have few IT operations personnel and less mature IT systems, this scheme improves network security while reducing the complexity and difficulty of operations and maintenance.
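The scheme above has three distinct behaviours: hardware learning that installs any source MAC, soft learning that installs only addresses verified against the enterprise library and raises an alarm for the rest, and the Figure 22d transition that audits the hardware-learned table against the library before switching modes. The following added example is a simulation written for this page, not the patent's or any vendor's switch code; the `Switch` and `EnterpriseMacLibrary` classes, the string verdicts and the alarm tuples are constructed assumptions, and the library object stands in for either the controller's library or the switch-local cache the text mentions.

```python
class EnterpriseMacLibrary:
    """Enterprise MAC address library (or the switch-local cache of it)."""

    def __init__(self, macs):
        self.macs = {m.lower() for m in macs}

    def contains(self, mac):
        return mac.lower() in self.macs

    def add(self, mac):
        self.macs.add(mac.lower())


class Switch:
    """Hypothetical switch with an ASIC (hardware learning) and a CPU (soft learning)."""

    def __init__(self, library, mode="hardware"):
        self.library = library
        self.mode = mode           # "hardware": learn unverified; "soft": CPU verifies first
        self.mac_table = {}        # forwarding-plane table: source MAC -> ingress port
        self.blacklist = set()     # confirmed non-enterprise MACs, never forwarded
        self.alarms = []           # (reason, mac, ...) sent for review

    def ingress(self, src_mac, port):
        """Process one frame's source MAC; returns 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if src_mac in self.blacklist:
            return "drop"
        if src_mac in self.mac_table:
            return "forward"                   # known entry, fast path
        if self.mode == "hardware":
            self.mac_table[src_mac] = port     # ASIC learns without verification
            return "forward"
        # Soft learning: frame punted to the CPU, source MAC checked against the library.
        if self.library.contains(src_mac):
            self.mac_table[src_mac] = port
            return "forward"
        self.alarms.append(("unknown_mac", src_mac, port))
        return "drop"                          # not learned into the forwarding table

    def switch_to_soft_learning(self):
        """Figure 22d transition: after the hardware warm-up, audit the learned table
        against the library, evict unverified entries and alarm on them."""
        self.mode = "soft"
        removed = []
        for mac in list(self.mac_table):
            if not self.library.contains(mac):
                del self.mac_table[mac]
                removed.append(mac)
                self.alarms.append(("unverified_entry", mac))
        return removed

    def confirm(self, mac, is_enterprise):
        """Manual review outcome: add to the library, or blacklist and evict."""
        mac = mac.lower()
        if is_enterprise:
            self.library.add(mac)
        else:
            self.blacklist.add(mac)
            self.mac_table.pop(mac, None)
```

Note that the audit in `switch_to_soft_learning` is what closes the window opened by the hardware warm-up: without it, any device that sent a frame during the first minutes after boot would keep a forwarding entry indefinitely.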
As shown in Figure 23, in this embodiment, to boot quickly and rapidly restore network forwarding after a network device loses power, a mechanism for rapid recovery of forwarding capability is provided. After a switch or router has run for a period, for example 10 minutes, it stores the learned MAC and IP table entries, or its flow tables and ACL rule tables, and repeats the storage action every 10 minutes. When the switch restarts, the cached MAC entries, IP entries, flow tables, and ACL rule tables are quickly read back and installed into the forwarding plane, enabling rapid service recovery, after which the control plane refreshes them. This further enhances network resilience. In the networks of military vehicles, ships, unmanned equipment, and the like, rapid restoration of communication is a very important requirement that supports the survivability of both the equipment itself and friendly personnel; this feature meets such requirements.
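The recovery mechanism above amounts to periodic snapshots of the forwarding tables, a restore-from-cache step at boot, and a later refresh by the control plane. The following added example, written for this page and not taken from the patent, shows one way to implement it; the `ForwardingState` class, the JSON cache file layout and the `run_scenario` walkthrough are constructed assumptions. The one design point worth copying is the atomic write: the snapshot is written to a temporary file and renamed into place, so a power loss during the 10-minute storage action can never leave a half-written cache to be restored from.

```python
import json
import os
import tempfile

SNAPSHOT_INTERVAL = 600.0   # seconds; the embodiment's example interval of 10 minutes


class ForwardingState:
    """Hypothetical forwarding-plane state of a switch with a persistent cache file."""

    def __init__(self, path, boot_time=0.0):
        self.path = path
        self.tables = {"mac": {}, "ip": {}, "flow": [], "acl": []}
        self.last_snapshot = boot_time   # first snapshot only after one full interval
        self.source = "empty"            # where the current tables came from

    def maybe_snapshot(self, now):
        """Store the tables once per SNAPSHOT_INTERVAL; returns True if a snapshot was taken."""
        if now - self.last_snapshot < SNAPSHOT_INTERVAL:
            return False
        self.snapshot(now)
        return True

    def snapshot(self, now):
        data = {"saved_at": now, "tables": self.tables}
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".fwd-cache-")
        with os.fdopen(fd, "w") as f:
            json.dump(data, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)       # atomic rename: old cache or new cache, never a torn file
        self.last_snapshot = now

    def restore_on_boot(self):
        """Install the cached tables into the forwarding plane; returns False if no usable cache."""
        try:
            with open(self.path) as f:
                data = json.load(f)
            self.tables = data["tables"]
        except (OSError, ValueError, KeyError):
            self.source = "empty"
            return False
        self.source = "cache"
        return True

    def control_plane_refresh(self, fresh_tables):
        """Later replacement of the cached tables by authoritative control-plane state."""
        self.tables = fresh_tables
        self.source = "control-plane"


def run_scenario():
    """Constructed walkthrough: learn, snapshot on schedule, lose power, restore, refresh."""
    with tempfile.TemporaryDirectory() as d:
        st = ForwardingState(os.path.join(d, "fwd-cache.json"))
        st.tables["mac"]["aa:bb:cc:00:00:01"] = 1
        st.tables["acl"].append({"action": "permit", "src": "10.0.1.10", "dst": "10.0.2.20"})
        first = st.maybe_snapshot(now=600.0)        # one interval elapsed: stored
        second = st.maybe_snapshot(now=900.0)       # only 5 minutes later: not stored
        st.tables["mac"]["aa:bb:cc:00:00:02"] = 2   # learned after the last snapshot, will be lost
        rebooted = ForwardingState(st.path)         # power loss and restart
        restored = rebooted.restore_on_boot()
        from_cache = dict(rebooted.tables["mac"])
        rebooted.control_plane_refresh({"mac": {"aa:bb:cc:00:00:01": 1, "aa:bb:cc:00:00:02": 2},
                                        "ip": {}, "flow": [], "acl": st.tables["acl"]})
        return {"first": first, "second": second, "restored": restored,
                "from_cache": from_cache, "source": rebooted.source,
                "final_mac_count": len(rebooted.tables["mac"])}
```

Entries learned after the last snapshot are the price of the interval: the scenario shows the second MAC missing from the restored table until the control plane refreshes it.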
The automatic-learning service binding method adopted in this application has the advantages of strong adaptability and good compatibility; its disadvantage is that when a new service is added, either learning must be performed again or a reconfirmation is required.
This self-learning mode can also be used in MAC authentication mode to automatically learn and generate the MAC address library, which removes the need to register MAC addresses and the associated management complexity, enhances the adaptability of MAC authentication mode, and avoids the complexity of deploying 802.1X.
Embodiment 3
A device for binding service data flow forwarding characteristics to transmission network element forwarding table entries, comprising:
a processor;
a memory;
a computer-executable program, which is stored in the memory and executed by the processor; when the processor executes the computer-executable program, the method for binding service data flow forwarding characteristics to transmission network element forwarding table entries described in Embodiment 1 above is implemented.
Embodiment 4
In this embodiment, the device for binding service data flow forwarding characteristics to transmission network element forwarding table entries, and the computer-readable storage medium, include a memory, a processor, a communication interface, and a bus.
In this embodiment, the aforementioned memory may include mass storage for data or instructions. By way of example and not limitation, the memory may include an HDD, a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, a universal serial bus (USB) drive, or a combination of two or more of these. Where appropriate, the memory may include a removable or non-removable and/or fixed computer program, the computer program being stored on a computer-readable storage medium. Where appropriate, the memory may be inside or outside the device for binding service data flow forwarding characteristics to transmission network element forwarding table entries.
When the computer program runs, it controls the device on which the computer-readable storage medium is located to execute the method described above. In a specific embodiment, the aforementioned memory may be, for example, non-volatile solid-state memory. In a specific embodiment, the aforementioned memory includes read-only memory (ROM). Where appropriate, the ROM may be, for example, mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), flash memory, or a combination of two or more of these.
In this embodiment, the processor may include a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
The communication interface is mainly used to implement communication between the modules and units in the embodiments of the present application.
The memory, the processor, and the communication interface are connected via the bus and communicate with one another over it.
That is, the aforementioned memory is used to store program code, and the aforementioned processor reads the executable program code stored in the memory and runs the program corresponding to it in order to carry out the endogenous security network method. The method for binding service data flow forwarding characteristics to transmission network element forwarding table entries includes, but is not limited to, steps S1 to S4 of the above embodiments.
In summary, in large and medium-sized enterprises, which have the corresponding IT management personnel, deploying the authentication-and-authorization automatic service data flow binding mode is the better choice.
In small and micro enterprises, and in some small local area networks such as those of warships, tanks, armored vehicles, and self-driving vehicles, a lightweight authentication and authorization scheme or the automatic learning approach can be deployed. In industrial networks, where services change relatively slowly, the automatic learning approach also performs well.
This application adopts two modes, both of which automatically bind normal service data flows to the forwarding table entries and whitelists of the transmission network elements, making security endogenous and automated. There is no need, as before, for add-on devices and separately deployed security policies, which increase procurement and operations costs; moreover, preventing unknown attacks has always been difficult. Because this application is deployed by automatic binding to normal services, abnormal data flows find it hard to penetrate the network, which raises the basic level of security protection and greatly reduces security operations costs.
This application provides service security capabilities on the routing and switching architecture platform, without requiring various complex hardware platforms;
platform reuse and endogenous security, with security capability and service capability improving together;
based on the routing and switching platform, endogenous security forms an integrated, low-cost security value, without causing an ever-growing variety of products and difficulties in coordination;
security configuration is generated and issued automatically from normal services, reducing configuration workload, difficulty of use, and maintenance costs;
it delivers value continuously while online, maintaining a normal baseline level of security rather than existing only for compliance;
because the product is easier to deploy and use, deployment and usage costs fall, and large, medium, and small customers can all use it, further amortizing costs and increasing customer value;
endogenous security follows the infrastructure budget, with no separate project needed to procure security equipment;
universal basic security attributes address the customization problem;
automated associated deployment reduces dependence on delivery, deployment, and operations personnel, thereby reducing deployment costs.
This application solves the technical problem that, because of the openness of IP networks, their own security protection capability is low, large numbers of add-on security protection facilities are required, the effect is poor and the cost high, low-cost security protection capability is hard to achieve, and the network is easy to attack but hard to defend.
The above embodiments are intended only to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (14)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410208320.XA (CN120474727A) | 2024-02-26 | 2024-02-26 | Intrinsically secure network methods, architectures, media, and devices |
| CN202410208320.X | 2024-02-26 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025180269A1 true WO2025180269A1 (en) | 2025-09-04 |
Family
ID=96637502
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2025/077983 Pending WO2025180269A1 (en) | 2024-02-26 | 2025-02-19 | Endogenous-security network method and architecture, medium, and device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN120474727A (en) |
| WO (1) | WO2025180269A1 (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN120474727A (en) | 2025-08-12 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 25760811; Country of ref document: EP; Kind code of ref document: A1 |