Policy conflict detection method and system for SDN (Software Defined Network) application

A policy conflict detection technology, applied in the field of network information security, can solve problems such as unhandled cases, inapplicability and poor policy scalability, and achieves the effect of easy expansion and implementation.

Inactive Publication Date: 2014-12-10
HUAZHONG UNIV OF SCI & TECH

AI Technical Summary

Problems solved by technology

[0009] However, the above methods have certain defects. FLOVER mainly detects whether there is a policy conflict between an application's flow rules and the network security policy, and does not cover policy conflict detection between general applications; neither FlowChecker nor VeriFlow handles the case where flow rules include intermediate behaviors such as Set; and the code-path-discovery strategy adopted by NICE scales poorly and cannot be used on large applications. Moreover, the above methods do not consider the policy conflicts that arise when the flow rules of different applications are combined, and therefore cannot completely eliminate the security threats brought by the network.



Embodiment 1

[0048] In the embodiment of the present invention, a policy conflict detection system for SDN applications is proposed. It authenticates and authorizes applications that want to access the network, assigns each a priority, performs conflict detection on their flow rule requests according to the conflict analysis algorithm, mediates any conflict according to the conflict decision algorithm, and feeds the network status back to network management personnel in real time. In particular, the conflict detection algorithm can detect policy conflicts when a flow rule contains an intermediate behavior such as Set, and policy conflicts that arise after the flow rules of different applications are combined. In addition, the policy conflict detection system is extended on the basis of the Java-based SDN controller (OpenDaylight), implements corresponding modules according to the design requireme...

Embodiment 2

[0105] The policy conflict detection method for SDN applications proposed by the present invention is applied in a policy conflict detection system for SDN applications and is mainly aimed at SDN applications. The method is extended on the basis of the Java-based controller (OpenDaylight); the corresponding system implements the required modules according to the design requirements and registers these functional modules in the controller's configuration file, so that they are loaded automatically when the controller starts. The system corresponding to the method uses a module loader (ModuleLoader) to manage each module.

[0106] In the policy conflict detection system architecture, the main implementation process is:

[0107] The control detection layer 2 receives the access authorization requests of the applications that want to access the network from the application access layer 1, assigns corresponding priorities to each application that wants to access the network according to the a...


Abstract

The invention discloses a policy conflict detection method and system for an SDN (Software Defined Network) application. The method comprises the following steps: authenticating and authorizing an application waiting to access a network; giving a priority; performing conflict detection and reconciliation; feeding back a network state to network management personnel in real time; and establishing a comprehensive policy conflict detection framework specific to the SDN application in order to eliminate network security threats caused by an SDN. A set intersection-based flow rule policy conflict analysis algorithm adopted in the method is simple and stable, and is easy to extend, and policy conflict detection of intermediate behaviors such as Set in flow rules and policy conflict detection after the combination of the flow rules of different applications are realized. A flow rule policy conflict decision algorithm based on application priority comparison adopted in the method is simple and effective, and is easy to implement.
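The abstract above, and Embodiment 1 before it, describe a set-intersection flow rule conflict check that also covers Set intermediate actions and rule combination, with mediation by application priority. The following is an added illustration of that idea, not code from the patent or from OpenDaylight; the rule data model, field names, application names and priorities are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: the match field is unconstrained


@dataclass
class Rule:
    app: str          # application that installed the rule (constructed names below)
    priority: int     # priority the controller assigned to that application
    match: dict       # field -> frozenset of allowed values; absent field = ANY
    actions: list     # ("set", field, value), ("output", port) or ("drop",)


def intersect(m1: dict, m2: dict) -> Optional[dict]:
    """Set intersection of two match spaces; None when they are disjoint."""
    out = {}
    for f in set(m1) | set(m2):
        a, b = m1.get(f, ANY), m2.get(f, ANY)
        if a is ANY or b is ANY:
            out[f] = b if a is ANY else a
        else:
            common = a & b
            if not common:
                return None
            out[f] = common
    return out


def after_sets(rule: Rule) -> dict:
    """Match space of packets leaving `rule` once its Set actions rewrote fields."""
    space = dict(rule.match)
    for act in rule.actions:
        if act[0] == "set":
            space[act[1]] = frozenset([act[2]])
    return space


def forwarding(rule: Rule) -> tuple:
    """Terminal forwarding decision of a rule (drop / output ports), Set ignored."""
    return tuple(a for a in rule.actions if a[0] in ("output", "drop"))


def detect(r1: Rule, r2: Rule, combined: bool = False) -> Optional[str]:
    """Return the app whose rule prevails (higher priority) if r1 and r2 conflict.
    combined=True models r2 applied to packets already rewritten by r1's Set actions."""
    space1 = after_sets(r1) if combined else r1.match
    if intersect(space1, r2.match) is None or forwarding(r1) == forwarding(r2):
        return None  # disjoint flow spaces or identical decision: no conflict
    return max((r1, r2), key=lambda r: r.priority).app


# Constructed sample rules: the load balancer's Set rewrites dst_ip into the firewall's drop space
fw = Rule("firewall", 10, {"dst_ip": frozenset({"10.0.0.2"})}, [("drop",)])
lb = Rule("loadbalancer", 5, {"dst_ip": frozenset({"10.0.0.1"})},
          [("set", "dst_ip", "10.0.0.2"), ("output", 3)])
route = Rule("router", 7, {"dst_ip": frozenset({"10.0.0.1", "10.0.0.3"})}, [("output", 1)])
```

Pairwise, `lb` and `fw` look disjoint; only the combined check, which carries the Set rewrite through to the second rule, reports the conflict and lets the higher-priority firewall prevail.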

Description

Technical field

[0001] The present application relates to the field of network information security, in particular to a policy conflict detection method and system for SDN applications.

Background technique

[0002] SDN (Software Defined Network) is an open network architecture whose main features are centralized control and network programmability, allowing network managers to manage and operate the entire network through software programming. SDN separates the logic control function from the data forwarding function: the logic control function of the network is realized by a software-based network controller, while the underlying network devices are only responsible for simple data forwarding and interact with the network controller through the OpenFlow protocol.

[0003] The SDN network architecture is shown in Figure 1; it is mainly divided into application layer, control layer and data forwardi...


Application Information

Patent Type & Authority Applications(China)
IPC(8): H04L29/06; H04L12/24
Inventor 戴彬胡炜烨王航远
Owner HUAZHONG UNIV OF SCI & TECH