CN108600167A - A kind of communication device and method of the network watermark based on OpenFlow - Google Patents

Info

Publication number
CN108600167A
Authority
CN
China
Prior art keywords
watermark
embedded
openflow
data
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810222792.5A
Other languages
Chinese (zh)
Inventor
陈周国
孙恩博
郭宇斌
凌振
吴文甲
杨明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/608 Watermarking

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to network flow watermarking technology, and in particular to an OpenFlow-based network watermarking communication device and method. A watermark embedding end, arranged at the sending end, adds flow table entries for the sending end's communication packets and selects the data into which the watermark is to be embedded; after the watermark is embedded, it sends the watermarked data to the receiving end over the network. A watermark detection end, arranged at the receiving end, receives the watermarked data, performs watermark detection, and determines the data relationship between the sending end and the receiving end. The embedding-end switch extracts the matching data according to the key fields of the OpenFlow flow entry and sends it to the embedded controller for watermark embedding; after the watermark is embedded, the watermarked data is sent back to the embedded controller and then sent to the receiving end over the network. The embedding-end controller issues the OpenFlow flow entries to the embedding-end switch.

Description

A communication device and method for network watermarking based on OpenFlow

Technical field

The invention relates to network flow watermarking technology, and in particular to an OpenFlow-based network watermarking communication device and method.

Background

First, the abbreviations used in the present invention are defined:

SDN (Software Defined Network): software-defined network.

The emergence of anonymous networks gives network attackers an effective means of hiding their identities and evading detection and supervision. Most network attackers choose to log in through intermediate stepping stones or use anonymous networks to hide their identities, which makes network monitoring and management more difficult. Active network flow watermarking combines active network traffic analysis with the idea of digital watermarking. Its advantages of high accuracy, short monitoring time, and strong real-time performance have attracted wide attention from researchers.

Active network flow watermarking is an active traffic modulation and analysis technique. Its main idea is borrowed from digital watermarking: a watermark is embedded by actively modulating certain characteristics of a flow at the suspicious sending end, such as the time interval between packets, the traffic rate, or the packet payload. After transmission through a complex communication network, if the corresponding watermark can be detected in the data flow observed at the receiving end, the traffic at the two ends is considered correlated, and it can be further concluded that a communication relationship exists between the two ends.

Although network flow watermarking continues to develop and improve, it has not been integrated with the overall network security system, and the way embedding points and detection points are deployed is not yet flexible.

Summary of the invention

The technical problem to be solved by the present invention is to provide an OpenFlow-based network watermarking communication device and method that addresses the problems of the prior art. The invention discloses an OpenFlow-based network flow watermarking device and method. Its purpose is to improve the flexibility of network flow watermarking systems, and it proposes a new way of implementing network flow watermarking within the SDN network framework.

The technical solution adopted by the present invention is as follows:

An OpenFlow-based network watermarking communication device comprises:

A watermark embedding end arranged at the sending end, used to add flow table entries for the communication packets of the sending end and select the data into which the watermark is to be embedded; after the watermark is embedded, the watermarked data is sent to the receiving end over the network;

A watermark detection end arranged at the receiving end, used to receive the watermarked data, perform watermark detection, and determine the data relationship between the sending end and the receiving end.

Further, the embedding-end switch extracts the matching data according to the key fields of the OpenFlow flow entry and sends it to the embedded controller for watermark embedding; after the watermark is embedded, the watermarked data is sent back to the embedded controller and then sent to the receiving end over the network; the embedding-end controller issues the OpenFlow flow entries to the embedding-end switch; the embedded switch is a commercial OpenFlow switch.

Further, the specific process of extracting the matching data according to the key fields of the OpenFlow flow entry is: the embedded switch matches the received data against the packet match fields of the OpenFlow flow entry and extracts the data into which a watermark can be embedded; then, when the matching-data processing instruction for that data is output to the controller, the embedded switch sends the data to the embedded controller for watermark embedding.

Further, the detection-end switch extracts the matching watermark-embedded data according to the key fields of the OpenFlow flow entry and sends it to the detection-end controller for watermark demodulation; the detection-end controller then performs watermark detection on the demodulated data and determines the data relationship between the sending end and the receiving end; the detection-end switch is a commercial OpenFlow switch.

Further, determining the data relationship between the sending end and the receiving end means that, when the watermark embedded by the embedded controller can be detected, the communication traffic of the sending end and the receiving end is considered to be related, and it is determined that a communication relationship exists between the sending end and the receiving end.

Further, the commercial OpenFlow switch requires OpenWRT to be recompiled with the OpenFlow source code added; the network configuration file is modified to configure the peripheral ports of the commercial OpenFlow switch; the OpenFlow file is modified to configure the data channel of the commercial OpenFlow switch; and the firewall file is modified to configure the port forwarding function of the commercial OpenFlow switch.

Further, the embedded switch and the detection-end switch are dedicated OpenFlow switches, where a dedicated OpenFlow switch allows, in OVS mode, creating a bridge and configuring ports, and is then connected by command to the corresponding embedded controller and detection-end controller.

The communication method based on the communication device comprises:

The watermark embedding end arranged at the sending end adds flow table entries for the communication packets of the sending end and selects the data into which the watermark is to be embedded; after the watermark is embedded, the watermarked data is sent to the receiving end over the network;

The watermark detection end arranged at the receiving end receives the watermarked data, performs watermark detection, and determines the data relationship between the sending end and the receiving end.

Further, the embedding-end switch extracts the matching data according to the key fields of the OpenFlow flow entry and sends it to the embedded controller for watermark embedding; after the watermark is embedded, the watermarked data is sent back to the embedded controller and then sent to the receiving end over the network; the embedding-end controller issues the OpenFlow flow entries to the embedding-end switch.

Further, the detection-end switch extracts the matching watermark-embedded data according to the key fields of the OpenFlow flow entry and sends it to the detection-end controller for watermark demodulation; the detection-end controller then performs watermark detection on the demodulated data and determines the data relationship between the sending end and the receiving end.

In summary, by adopting the above technical solution, the beneficial effects of the present invention are:

OpenFlow switches and controllers can be deployed at network nodes, and the controller controls the OpenFlow switch by issuing rules, so that the data flows passing through the node can be processed uniformly. This provides a more flexible way of implementing flow watermarking.

(1) The invention uses the new SDN network framework and deploys the watermark embedding and detection points at network nodes under the SDN architecture, which makes the system's control of watermark embedding and detection more flexible.

(2) The invention uses the OpenFlow protocol, which most switches in SDN networks support, so it has good applicability.

(3) The invention implements the watermark embedding and detection functions in the Floodlight controller, with no need to modify the software or hardware of the OpenFlow switch, which makes the system easy to extend and manage.

Description of drawings

The invention is described by way of example with reference to the accompanying drawings, in which:

Fig. 1 is the deployment diagram of the device of the present invention.

Fig. 2 is a schematic diagram of the connection structure between an ordinary commercial switch and the control host.

Fig. 3 is a schematic diagram of the connection structure between a dedicated OpenFlow switch and the controller.

Fig. 4 is the process flow design diagram of the device of the present invention.

Fig. 5 is a schematic diagram of an OpenFlow flow entry.

Detailed description

All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any manner, except for mutually exclusive features and/or steps.

Any feature disclosed in this specification may, unless specifically stated otherwise, be replaced by alternative features that are equivalent or serve a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.

Notes on the invention:

1. The embedded switch and the detection-end switch are both dedicated OpenFlow switches.

2. The key fields of an OpenFlow flow entry include at least the packet match fields and the matching-data processing instructions.

3. SDN is a new type of network architecture based on the idea of software programmability. It has a centralized control plane and a distributed forwarding plane, and the two planes are separated from each other, so an SDN implementation does not depend on underlying network devices such as switches. The framework also increases the user's administrative control over the network, so developers can define whatever transmission rules and routing policies they need, which makes network control more flexible and intelligent. OpenFlow switches and controllers can be deployed at network nodes, and the controller controls the OpenFlow switch by issuing rules, so that the data flows passing through the node can be processed uniformly. This provides a more flexible way of implementing flow watermarking.

II. The specific implementation process of the invention is as follows:

1) Deploy OpenFlow switches and controllers at actual network nodes to build the network environment of the watermark embedding end and the detection end. The experimental deployment of this system requires two OpenFlow switches and four PCs; the deployment is shown in Figure 1.

There are two kinds of OpenFlow switch. One is the dedicated OpenFlow switch, which implements the three basic components of an OpenFlow switch in hardware. The other is the commercial switch, which is manufactured without the three basic components of an OpenFlow switch; the user has to define the flow table, secure channel, and protocol specification in software to obtain the functions of an OpenFlow switch. Completing the system environment deployment takes different steps depending on which kind of OpenFlow switch is used.

A dedicated OpenFlow switch can be connected directly to the controller; the environment configuration is completed by checking communication between the two ends. In the experiment a Pica8 switch is used for the deployment; this switch supports the OVS mode of an OpenFlow switch. Once in OVS mode, it is functionally no different from OpenVSwitch. The switch is set to run in OVS mode, a bridge is created and the ports are configured, and the switch is then connected to the controller by command. The connection structure is shown in Figure 2.

For a commercial switch, software must be installed on its system before deployment so that it supports OpenFlow. After configuration it is connected to the controller and communication between the two ends is checked. The connection structure is shown in Figure 3. In the experiment a TP-LINK switch is used for the deployment. The router's operating system is OpenWRT: OpenWRT is recompiled on a PC, the configuration files are modified, and the generated system image is uploaded to the switch to upgrade its operating system.

The specific steps are:

1. Recompile OpenWRT, adding the OpenFlow source code.

2. Modify the network configuration file to configure the ports: assign different ports to different VLANs as the OpenFlow protocol requires. Reserve one ordinary port for connecting to the controller, and assign each of the remaining ports to a different VLAN for use as standard OpenFlow ports.

3. Modify the openflow file to configure the data channel: set the datapath ID, set the configured ports as OpenFlow standard ports, and set the controller IP and port.

4. Modify the firewall file to configure the port forwarding function.

2) Issue the corresponding rules at both ends

An OpenFlow switch decides how to handle a packet according to its flow table; the structure of a flow entry is shown in Figure 5. The Match Fields field is the packet match field, which covers the packet header, ingress port information, metadata, and so on. Instructions sets the packet's action set or its pipeline processing. When a packet arrives at the switch it is processed against the flow tables in the pipeline: the packet's match fields are extracted from the arriving packet and compared with the Match Fields of the flow entries, and the matched packet is then handled according to the content of the Instructions field, the matching-data processing instruction. When the Instructions field is defined as "output=controller", the switch encapsulates the matched packet in a Packet-in message and sends it to the Floodlight controller.

The Floodlight controllers at the two ends (that is, the embedded controller and the detection-end controller) define the fields of the flow entries and issue the flow entries to the OpenFlow switches to create rules. The OpenFlow switches at the two ends (that is, the embedded switch and the detection-end switch) execute the controller's rules and send the packets that match the specified characteristics to the controller for further processing.
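The matching step described above can be modelled in a few lines. This is an added example, not code from the patent or from Floodlight: the `FlowEntry` and `Switch` classes, the rule names, the addresses (documentation ranges) and the sample packets are all constructed for illustration. It shows how a high-priority entry with `output=controller` diverts only the candidate flow to the controller as a Packet-in while other traffic is forwarded normally.

```python
from dataclasses import dataclass


@dataclass
class FlowEntry:
    name: str
    priority: int
    match: dict        # Match Fields: field -> required value; absent field = wildcard
    instructions: str  # "output=controller" or "output=<port>"
    hits: int = 0      # per-entry packet counter


class Switch:
    """Toy single-table OpenFlow switch (illustrative model, not a real datapath)."""

    def __init__(self):
        self.table = []
        self.packet_in = []   # messages handed to the controller
        self.forwarded = []   # (port, packet) pairs sent out normally

    def install(self, entry):
        # Entries are consulted in descending priority order.
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)

    def receive(self, pkt):
        for entry in self.table:
            if all(pkt.get(f) == v for f, v in entry.match.items()):
                entry.hits += 1
                self._apply(entry, pkt)
                return entry.name
        # Assumption of this model: no table-miss entry is installed,
        # so an unmatched packet is simply dropped.
        return "table-miss"

    def _apply(self, entry, pkt):
        if entry.instructions == "output=controller":
            # Matched packet is wrapped in a Packet-in for the controller.
            self.packet_in.append({"reason": "action", "rule": entry.name, "data": pkt})
        elif entry.instructions.startswith("output="):
            port = int(entry.instructions.split("=", 1)[1])
            self.forwarded.append((port, pkt))


def build_embedding_switch():
    """Rules a controller might issue at the embedding end (constructed values)."""
    sw = Switch()
    sw.install(FlowEntry("default-forward", 10, {"in_port": 1}, "output=2"))
    sw.install(FlowEntry(
        "watermark-candidates", 100,
        {"in_port": 1, "eth_type": 0x0800, "ip_proto": 6,
         "ipv4_src": "192.0.2.10", "tcp_dst": 443},
        "output=controller"))
    return sw


def _pkt(in_port, src, dport):
    return {"in_port": in_port, "eth_type": 0x0800, "ip_proto": 6,
            "ipv4_src": src, "ipv4_dst": "198.51.100.5", "tcp_dst": dport}


# Constructed sample traffic.
SAMPLE_PACKETS = [
    _pkt(1, "192.0.2.10", 443),   # candidate flow -> controller
    _pkt(1, "192.0.2.10", 22),    # same host, other port -> forwarded
    _pkt(1, "192.0.2.77", 443),   # other host -> forwarded
    _pkt(3, "192.0.2.10", 443),   # unexpected ingress port -> table miss
]


def run_sample():
    sw = build_embedding_switch()
    return sw, [sw.receive(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    switch, results = run_sample()
    print(results, len(switch.packet_in), "packet-in message(s)")
```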

3) Implement the network flow watermark embedding and detection functions: embed the watermark at the sending end and detect it at the receiving end

Digital watermarking has two aspects: choosing the watermark carrier, and designing the watermark embedding and demodulation methods. Watermark embedding modifies certain attributes of the carrier appropriately so that it carries the watermark; watermark demodulation detects and extracts the watermark signal bits from the carrier. This system uses the inter-packet interval as the watermark carrier. Both the embedding and the detection functions are implemented on the Floodlight controller. The basic idea of using the inter-packet interval as the carrier is to select a certain number of packets in the data flow at the sending end and embed the watermark information by adjusting the sending intervals of the selected packets. The key to the method is to ensure that the watermarked flow contains enough packets and that the watermark is embedded only between the selected packets, so that the receiving end can detect the watermark by extracting the arrival intervals of the packets at the corresponding positions. The processing flow of the network flow watermarking device is shown in Fig. 4.

The present invention is not limited to the specific embodiments described above. The invention extends to any new feature or any new combination of features disclosed in this specification, and to the steps of any new method or process or any new combination of steps disclosed.
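A simulation of interval-based embedding and detection over constructed timestamps follows; it is an added example, not code from the patent. The patent does not specify the modulation rule, so the parity-of-quantized-interval rule, the shared key, the 20 ms step, the threefold redundancy and the error threshold are all assumptions. The jitter bound is chosen so that the interval error stays below half a step.

```python
import math
import random

STEP_MS = 20.0   # quantization step for inter-packet intervals (assumed)
COPIES = 3       # slots per watermark bit, odd so a majority always exists (assumed)
KEY = 0x5EED2018  # secret shared by embedding and detection controllers (constructed)
WATERMARK = [int(c) for c in format(0xA5C33C5A, "032b")]  # constructed 32-bit mark


def slots(n_packets, key, n_bits):
    """Keyed choice of packet positions; maps packet index -> watermark bit index."""
    need = n_bits * COPIES
    if n_packets - 1 < need:
        raise ValueError("flow has too few packets to carry the watermark")
    chosen = sorted(random.Random(key).sample(range(1, n_packets), need))
    return {idx: j % n_bits for j, idx in enumerate(chosen)}


def embed(arrivals, bits, key):
    """Return send times: packets are only ever delayed, never reordered."""
    slot = slots(len(arrivals), key, len(bits))
    sent = []
    for i, t in enumerate(arrivals):
        release = t if i == 0 else max(t, sent[-1])
        if i in slot:
            # Smallest interval k*STEP_MS (k >= 1) that is not earlier than the
            # packet's own arrival and whose parity equals the bit to embed.
            k = max(1, math.ceil((release - sent[-1]) / STEP_MS))
            if k % 2 != bits[slot[i]]:
                k += 1
            release = sent[-1] + k * STEP_MS
        sent.append(release)
    return sent


def extract(times, key, n_bits):
    """Demodulate: parity of each selected interval, majority vote per bit."""
    votes = [0] * n_bits
    for idx, bit_no in slots(len(times), key, n_bits).items():
        k = round((times[idx] - times[idx - 1]) / STEP_MS)
        votes[bit_no] += 1 if k % 2 else -1
    return [1 if v > 0 else 0 for v in votes]


def detect(times, bits, key, max_errors=4):
    """Flow is considered watermarked if at most max_errors bits disagree."""
    got = extract(times, key, len(bits))
    return sum(a != b for a, b in zip(got, bits)) <= max_errors


def make_flow(n, seed, mean_gap_ms=50.0):
    """Constructed packet arrival times (ms) with exponential gaps."""
    rng, t, out = random.Random(seed), 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap_ms)
        out.append(t)
    return out


def through_network(times, seed, base_ms=80.0, jitter_ms=4.0):
    """Fixed path delay plus bounded jitter; interval error <= 2*jitter < STEP_MS/2."""
    rng = random.Random(seed)
    return [t + base_ms + rng.uniform(-jitter_ms, jitter_ms) for t in times]


def run_demo():
    arrivals = make_flow(400, seed=1)
    marked = through_network(embed(arrivals, WATERMARK, KEY), seed=2)
    plain = through_network(arrivals, seed=3)
    return {"marked": detect(marked, WATERMARK, KEY),
            "plain": detect(plain, WATERMARK, KEY)}


if __name__ == "__main__":
    print(run_demo())
```

A flow shorter than 97 packets is rejected here, which is the "enough packets" condition from the text expressed for this particular choice of 32 bits and 3 copies.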

Claims (10)

1. An OpenFlow-based network watermarking communication device, characterized by comprising:
a watermark embedding end arranged at the sending end, used to add flow table entries for the communication packets of the sending end and select the data into which the watermark is to be embedded; after the watermark is embedded, the watermarked data is sent to the receiving end over the network;
a watermark detection end arranged at the receiving end, used to receive the watermarked data, perform watermark detection, and determine the data communication relationship between the sending end and the receiving end.
2. The communication device according to claim 1, characterized in that the embedding-end switch extracts the matching data according to the key fields of the OpenFlow flow entry and sends it to the embedded controller for watermark embedding; after the watermark is embedded, the watermarked data is sent back to the embedded controller and then sent to the receiving end over the network; the embedding-end controller issues the OpenFlow flow entries to the embedding-end switch; the embedded switch is a commercial OpenFlow switch.
3. The communication device according to claim 2, characterized in that the specific process of extracting the matching data according to the key fields of the OpenFlow flow entry is: the embedded switch matches the received data against the packet match fields of the OpenFlow flow entry and extracts the data into which a watermark can be embedded; then, when the matching-data processing instruction for that data is output to the controller, the embedded switch sends the data to the embedded controller for watermark embedding.
4. The communication device according to claim 1, characterized in that the detection-end switch extracts the matching watermark-embedded data according to the key fields of the OpenFlow flow entry and sends it to the detection-end controller for watermark demodulation; the detection-end controller then performs watermark detection on the demodulated data and determines the data relationship between the sending end and the receiving end; the detection-end switch is a commercial OpenFlow switch.
5. The communication device according to claim 5, characterized in that determining the data communication relationship between the sending end and the receiving end means that, when the watermark embedded by the embedded controller can be detected, the communication traffic of the sending end and the receiving end is considered to be correlated, and it is determined that a communication relationship exists between the sending end and the receiving end.
6. The communication device according to one of claims 1 to 5, characterized in that the commercial OpenFlow switch requires OpenWRT to be recompiled with the OpenFlow source code added; the network configuration file is modified to configure the peripheral ports of the commercial OpenFlow switch; the OpenFlow file is modified to configure the data channel of the commercial OpenFlow switch; and the firewall file is modified to configure the port forwarding function of the commercial OpenFlow switch.
7. The communication device according to one of claims 1 to 5, characterized in that the embedded switch and the detection-end switch are dedicated OpenFlow switches, where a dedicated OpenFlow switch allows, in OVS mode, creating a bridge and configuring ports, and is then connected by command to the corresponding embedded controller and detection-end controller.
8. A communication method based on the communication device of claim 1, 2, 3, 4 or 5, characterized by comprising:
the watermark embedding end arranged at the sending end adds flow table entries for the communication packets of the sending end and selects the data into which the watermark is to be embedded; after the watermark is embedded, the watermarked data is sent to the receiving end over the network;
the watermark detection end arranged at the receiving end receives the watermarked data, performs watermark detection, and determines the data relationship between the sending end and the receiving end.
9. The communication method according to claim 8, characterized in that the embedding-end switch extracts the matching data according to the key fields of the OpenFlow flow entry and sends it to the embedded controller for watermark embedding; after the watermark is embedded, the watermarked data is sent back to the embedded controller and then sent to the receiving end over the network; the embedding-end controller issues the OpenFlow flow entries to the embedding-end switch.
10. The communication method according to claim 8, characterized in that the detection-end switch extracts the matching watermark-embedded data according to the key fields of the OpenFlow flow entry and sends it to the detection-end controller for watermark demodulation; the detection-end controller then performs watermark detection on the demodulated data and determines the data communication relationship between the sending end and the receiving end.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810222792.5A CN108600167A (en) 2018-03-19 2018-03-19 A kind of communication device and method of the network watermark based on OpenFlow

Publications (1)

Publication Number Publication Date
CN108600167A true CN108600167A (en) 2018-09-28

Family

ID=63626817

Country Status (1)

Country Link
CN (1) CN108600167A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109922066A (en) * 2019-03-11 2019-06-21 江苏大学 Dynamic watermark insertion and detection method in a kind of communication network based on time slot feature
CN116668152A (en) * 2023-06-19 2023-08-29 中国电子科技集团公司第三十研究所 Anonymous network traffic correlation method and device based on obfuscated execution feature recognition

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1846237A (en) * 2003-07-28 2006-10-11 Igt公司 Method and device for remote gaming
US20080235746A1 (en) * 2007-03-20 2008-09-25 Michael James Peters Methods and apparatus for content delivery and replacement in a network
CN102096785A (en) * 2011-02-24 2011-06-15 北京书生国际信息技术有限公司 Authority control method and device
US8438631B1 (en) * 2013-01-24 2013-05-07 Sideband Networks, Inc. Security enclave device to extend a virtual secure processing environment to a client device
CN104639470A (en) * 2013-11-14 2015-05-20 中兴通讯股份有限公司 Flow label encapsulating method and system
CN104967610A (en) * 2015-04-30 2015-10-07 中国人民解放军国防科学技术大学 A Watermark Hopping Communication Method Based on Time Slot
CN105099913A (en) * 2014-04-21 2015-11-25 杭州华三通信技术有限公司 Message forwarding method and device
CN105706399A (en) * 2013-07-08 2016-06-22 瑞典爱立信有限公司 Methods of operating load balancing switches and controllers using matching patterns with unrestricted characters
CN106027527A (en) * 2016-05-23 2016-10-12 华中科技大学 Anonymous communication method based on software defined network (SDN) environment
CN108011865A (en) * 2017-10-28 2018-05-08 中国人民解放军信息工程大学 SDN flow paths method for tracing, apparatus and system based on flowing water print and stochastical sampling

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YOUNGHEE PARK等: "《watermarking for detecting freeloader misbehavior in SDN networks》", 《2016 INTERNATIONAL CONFERENCE ON COMPUTING, NETWORKING AND COMMUNICATIONS》 *

Similar Documents

Publication Publication Date Title
US7385973B1 (en) Method and apparatus for VLAN ID discovery
US9203645B2 (en) Virtual input-output connections for machine virtualization
Hu et al. A survey on software-defined network and openflow: From concept to implementation
CN106789542B (en) A realization method of cloud data center security service chain
CN104079492A (en) Method, device and system of configuring flow table in OpenFlow network
CN103581274B (en) Message forwarding method and device in stacking system
EP3200399B1 (en) Automated mirroring and remote switch port analyzer (rspan)/encapsulated remote switch port analyzer (erspan) functions using fabric attach (fa) signaling
CN105897465A (en) Equipment configuration method and apparatus
CN108512678B (en) Method and system for accessing physical equipment to virtual network based on overlay technology
WO2020010557A1 (en) Implementation of service function chain on basis of software-defined network
DK1593240T3 (en) Method and apparatus for rapidly reconfiguring a network topology
CN115001831A (en) Method and system for dynamically deploying network security service based on malicious behavior knowledge base
CN105207950B (en) A communication data protection method based on SDN technology
Luo et al. SDN/NFV-based security service function tree for cloud
WO2012119372A1 (en) Message processing method, device and system
CN108600167A (en) A kind of communication device and method of the network watermark based on OpenFlow
CN109644159A (en) Data packet forwarding unit in data transmission network
US9553764B2 (en) Migration of guest bridge
CN109936505B (en) Method and apparatus in data-centric software-defined networks
CN105262686B (en) Network connectivity verification method and device
CN107465582B (en) Data transmission method, device, system, physical home gateway and access node
CN105376197B (en) The method and system of implementation level network abstraction
CN104168129A (en) A network element of a software-defined network
CN105959222A (en) Message forwarding method, route nodes, and software defined network
JP5940632B2 (en) Network grouping system and network grouping method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180928