Method for controlling transmission security of industrial communications flow based on SDN architecture

US 10,447,655 B2
Filed: 12/25/2015
Issued: 10/15/2019
Est. Priority Date: 07/29/2015
Status: Active Grant

First Claim

Patent Images

1. A method for controlling transmission security of an industrial communication data flow based on a software defined network (SDN) architecture, which comprises the following steps:

Step 1;

after receiving an industrial communication data flow sent by an industrial control terminal, an SDN switch parses a data packet, checks for a matching data packet in a flow table stored therein entry by entry, and;

when the data packet is matched with a certain entry of the flow table, proceeds to step 2; and

when the data packet is not matched with any entry of the flow table, proceeds to step 3;

Step 2;

the SDN switch checks a security control identifier of the corresponding matched entry of the flow table, and;

when the security control identifier is a first identifier, sends a request to detect communication content, with a flow ID, an industrial communication protocol type, and application layer information in the data packet, to a management controller and proceeds to step 4; and

when the security control identifier is a Second identifier, the SDN switch executes corresponding operations according to actions in the flow table;

Step 3;

the SDN switch sends the data packet to the management controller, the management controller parses the data packet, establishes a flow transmission path, computes forwarded flow table information, allocates a flow ID for the data packet using an internal basic service function, and judges whether the industrial communication data flow needs security control through a flow security control module, and;

when it is determined that security control is needed, sets the security control identifier in the flow table information to the first identifier; and

when it is determined that security control is not needed, sets the security control identifier to the second identifier, and the management controller then sends the flow table information to all SDN switches on the flow transmission path;

Step 4;

the flow security control module performs in-depth parsing on the application layer information in the data packet according to different industrial communication protocols, checks for matches of the parsing result with each industrial rule policy in an industrial rule policy database, and;

when matching is successful, sends a detection result to the SDN switch, and proceeds to step 5; and

when matching is not successful, informs the SDN switch to drop the overall industrial communication data flow; and

Step 5;

the SDN switch further processes the industrial communication data flow according to the detection result.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses a method for controlling transmission security of an industrial communication flow based on an SDN architecture. The method comprises: designing a flow security control module in a management controller, performing in-depth parsing on industrial communication flow data, matching the parsing result with each preset industrial rule policy, and executing a control processing operation of the industrial rule policy, to implement transmission control of an industrial communication flow. The management controller comprises an industrial rule policy database used for storing all industrial rule policies set by a user. An SDN switch maintains a structure of a flow table, and an industrial communication flow is forwarded according to the flow table. The flow table comprises a security control identifier used for indicating whether security transmission of this communication flow needs to be controlled. The present invention can detect the legality of an industrial communication data flow, to control access of industrial communication that does not conform to an industrial rule policy, so that the security and reliability of industrial control systems based on an SDN architecture are guaranteed.

8 Citations

20 Claims

1. A method for controlling transmission security of an industrial communication data flow based on a software defined network (SDN) architecture, which comprises the following steps:
- Step 1;
  
  after receiving an industrial communication data flow sent by an industrial control terminal, an SDN switch parses a data packet, checks for a matching data packet in a flow table stored therein entry by entry, and;
  
  when the data packet is matched with a certain entry of the flow table, proceeds to step 2; and
  
  when the data packet is not matched with any entry of the flow table, proceeds to step 3;
  
  Step 2;
  
  the SDN switch checks a security control identifier of the corresponding matched entry of the flow table, and;
  
  when the security control identifier is a first identifier, sends a request to detect communication content, with a flow ID, an industrial communication protocol type, and application layer information in the data packet, to a management controller and proceeds to step 4; and
  
  when the security control identifier is a Second identifier, the SDN switch executes corresponding operations according to actions in the flow table;
  
  Step 3;
  
  the SDN switch sends the data packet to the management controller, the management controller parses the data packet, establishes a flow transmission path, computes forwarded flow table information, allocates a flow ID for the data packet using an internal basic service function, and judges whether the industrial communication data flow needs security control through a flow security control module, and;
  
  when it is determined that security control is needed, sets the security control identifier in the flow table information to the first identifier; and
  
  when it is determined that security control is not needed, sets the security control identifier to the second identifier, and the management controller then sends the flow table information to all SDN switches on the flow transmission path;
  
  Step 4;
  
  the flow security control module performs in-depth parsing on the application layer information in the data packet according to different industrial communication protocols, checks for matches of the parsing result with each industrial rule policy in an industrial rule policy database, and;
  
  when matching is successful, sends a detection result to the SDN switch, and proceeds to step 5; and
  
  when matching is not successful, informs the SDN switch to drop the overall industrial communication data flow; and
  
  Step 5;
  
  the SDN switch further processes the industrial communication data flow according to the detection result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the flow table has a table entry structure comprising:
    - a packet header field, a count field, a security control identifier field, and an action field, whereinthe packet header field is used for matching data packets;
      
      the count field is used for counting the number of matched data packets;
      
      the security control identifier field is used for judging whether to perform flow security control; and
      
      the action field is used for displaying a manner of processing matched data packets.
  - 3. The method of claim 2, wherein the flow table accepts “
    - Forward”
      
      , “
      
      Drop”
      
      ,“
      
      Enqueue” and
      
      /or “
      
      Modify-Field”
      
      in the action field.
  - 4. The method of claim 1, wherein the management controller:
    - has the basic service function for basic network management, including network topology management, network device registration, route computation, and Qos guarantee;
      
      can maintain basic information about the entire network by maintaining the view of the entire network;
      
      can compute route path information, establish forwarded flow table information, and allocate a flow ID for each communication data flow; and
      
      can send the flow table information to each SDN switch on the flow transmission path.
  - 5. The method of claim 1, wherein the flow table information is sent to all SDN switches on the flow transmission path, only the security control identifier in the flow table information of a first SDN switch on the flow transmission path is set to the first identifier, and security control identifiers in the flow table information of other SDN switches on the flow transmission path are all set to the second identifier.
  - 6. The method of claim 1, wherein the flow security control module operates such that:
    - (1) for a data packet of an industrial communication data flow received for the first time, judging whether security transmission of the industrial communication data flow needs security control according to the industrial rule policy database, and setting a corresponding security control identifier, when establishing flow table information for forwarding; and
      
      (2) for a data packet of an industrial communication data flow that was previously judged to need security control, performing in-depth parsing on packet application layer content according to different industrial communication protocol specifications, matching the parsing result with each preset industrial rule policy, and executing a specified control processing operation of the industrial rule policy.
  - 7. The method of claim 1, whereinthe industrial rule policy database stores all industrial rule policies set by a user, and is customizable by the user, so that the user can modify, update, and delete operations for each of the industrial rule policies, andeach industrial rule policy comprises a rule ID, a source IP address, a target IP address, an industrial communication protocol type, key field information content specified by a protocol specification, and a processing operation part.
  - 8. The method of claim 1, wherein the industrial communication protocol type comprises general industrial communication protocols of Modbus/TCP, Modbus/UDP, DNP3, OPC, Profinet, IEC60870-5-104, MMS, and/or GOOSE.
  - 9. The method of claim 1, wherein the flow security control module of the management controller saves a correlation between rule IDs of the industrial rule policies and flow IDs, the correlation being a one-to-one correlation or a one-to-many correlation.
  - 10. The method of claim 1, wherein the detection result of the flow security control module of the management controller reflects control processing operations specified by corresponding industrial rule policies, including dropping and processing according to an action field in the flow table.

11. A method for controlling transmission security of a data flow based on a software defined network (SDN) architecture, comprising:
- an SDN switch receiving a data flow, parsing a data packet of the data flow, and checking for a matching data packet in a flow table stored at the SDN switch, whereinwhen the data packet is not matched with any entry in the flow table;
  
  the SDN switch sends the data packet to a management controller;
  
  the management controller judges whether the data flow needs security control and establishes flow table information that includes a security control identifier, wherein;
  
  when it is determined security control is needed, the management controller sets the security control identifier to a first identifier; and
  
  when it is determined security control is not needed, the management controller sets the security control identifier to a second identifier; and
  
  the management controller sends the flow table information to all SDN switches on a transmission path;
  
  when the data packet is matched with an entry in the flow table;
  
  the SDN switch checks a security control identifier of the matched entry in the flow table, wherein;
  
  when the security control identifier is the first identifier, the SDN switch sends a request to the management controller to detect data flow content; and
  
  when the security control identifier is the second identifier, the SDN switch executes one or more corresponding operations according to actions in the flow table;
  
  when the management controller receives a request to detect data flow content;
  
  a flow security control module of the management controller performs in-depth parsing on application layer information in the data packet, and checks for matches of the parsing result with each industrial rule policy in an industrial rule policy database, wherein;
  
  when a match is found, the management controller sends a detection result to the SDN switch; and
  
  when a match is not found, the management controller instructs the SDN switch to drop the data flow; and
  
  when the SDN switch receives a detection result from the management controller, the SDN switch processes the data flow according to the detection result.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the flow table has a table entry structure comprising:
    - a packet header field, a count field, a security control identifier field, and an action field.
  - 13. The method of claim 12, wherein the flow ab e accepts “
    - Forward”
      
      , “
      
      Drop”
      
      , “
      
      Enqueue” and
      
      /or “
      
      Modify-Field”
      
      in the action field.
  - 14. The method of claim 11, Wherein the management controller computes route path. information, establishes flow table information, and allocates a flow ID for each communication data flow.
  - 15. The method of claim 11, whereinin the flow table information sent to a first SDN switch on the transmission path, the security control identifier is set to the first identifier, andin the flow table information sent to the other SDN switches on the transmission path, the security control identifier is set to the second identifier.
  - 16. The method of claim 11, wherein the flow security control module operates such that:
    - (1) for a data packet of a data flow received for the first time, the flow security control module judges whether the data flow needs security control according to the industrial rule policy database and sets a corresponding security control identifier; and
      
      (2) for a data packet of a data flow that was previously judged to need security control, the flow security control module performs in-depth. parsing on packet application layer content according to industrial communication protocol specifications, matches the parsing result with a preset industrial rule policy, and executes a processing operation of a matched industrial rule policy.
  - 17. The method of claim 11, whereinthe industrial rule policy database stores all industrial rule policies set by a user, and is customizable by the user, so that the user can modify, update, and delete operations for each of the industrial rule policies, andeach industrial rule policy comprises a rule ID, a source IP address, a target IP address, an industrial communication protocol type, key field information content specified by a protocol specification, and a processing operation part.
  - 18. The method of claim 11, wherein the industrial communication protocol type comprises general industrial communication protocols of Modbus/TCP, Modbus/UDP, DNP3, OPC, Profinet, IEC60870-5-104, MMS, and/or GOOSE.
  - 19. The method of claim 11, wherein the flow security control module of the management controller saves a correlation between rule IDs of the industrial rule policies and flow IDs, the correlation being a one-to-one correlation or a one-to-many correlation.
  - 20. The method of claim 11, wherein the detection result of the flow security control module of the management controller reflects control processing operations specified by corresponding industrial rule policies, including an operation for dropping and an operation for processing according to an action field in the flow table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shenyang Institute Of Automation ,Chinese Academy Of Sciences (Chinese Academy of Sciences)
Original Assignee
Shenyang Institute Of Automation ,Chinese Academy Of Sciences (Chinese Academy of Sciences)
Inventors
Zeng, Peng, Shang, Wenli, Li, Dong, Wan, Ming, Zhao, Jianming, Liu, Jindi, Yang, Ming
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Lapian, Alexander R

Application Number

US15/525,667
Publication Number

US 20170339109A1
Time in Patent Office

1,390 Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/418   Total factory control, i.e....

G05B 19/41855   by local area network [LAN]...

G05B 2219/45103   Security, surveillance appl...

H04L 45/745   Address table lookup; Addre...

H04L 47/2441   relying on flow classificat...

H04L 49/253   using establishment or rele...

H04L 49/70   Virtual switches

H04L 63/0263   Rule management

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 69/326   in the transport layer [OSI...

H04L 9/40   Network security protocols

Method for controlling transmission security of industrial communications flow based on SDN architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for controlling transmission security of industrial communications flow based on SDN architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links