Method for controlling transmission security of industrial communications flow based on SDN architecture
First Claim
1. A method for controlling transmission security of an industrial communication data flow based on a software defined network (SDN) architecture, which comprises the following steps:
Step 1:
after receiving an industrial communication data flow sent by an industrial control terminal, an SDN switch parses a data packet, checks for a matching data packet in a flow table stored therein entry by entry, and:
when the data packet is matched with a certain entry of the flow table, proceeds to step 2; and
when the data packet is not matched with any entry of the flow table, proceeds to step 3;
Step 2:
the SDN switch checks a security control identifier of the corresponding matched entry of the flow table, and:
when the security control identifier is a first identifier, sends a request to detect communication content, with a flow ID, an industrial communication protocol type, and application layer information in the data packet, to a management controller and proceeds to step 4; and
when the security control identifier is a second identifier, the SDN switch executes corresponding operations according to actions in the flow table;
Step 3:
the SDN switch sends the data packet to the management controller, the management controller parses the data packet, establishes a flow transmission path, computes forwarded flow table information, allocates a flow ID for the data packet using an internal basic service function, and judges whether the industrial communication data flow needs security control through a flow security control module, and:
when it is determined that security control is needed, sets the security control identifier in the flow table information to the first identifier; and
when it is determined that security control is not needed, sets the security control identifier to the second identifier, and the management controller then sends the flow table information to all SDN switches on the flow transmission path;
Step 4:
the flow security control module performs in-depth parsing on the application layer information in the data packet according to different industrial communication protocols, checks for matches of the parsing result with each industrial rule policy in an industrial rule policy database, and:
when matching is successful, sends a detection result to the SDN switch, and proceeds to step 5; and
when matching is not successful, informs the SDN switch to drop the overall industrial communication data flow; and
Step 5:
the SDN switch further processes the industrial communication data flow according to the detection result.
Abstract
The present invention discloses a method for controlling transmission security of an industrial communication flow based on an SDN architecture. The method comprises: designing a flow security control module in a management controller, performing in-depth parsing on industrial communication flow data, matching the parsing result with each preset industrial rule policy, and executing a control processing operation of the industrial rule policy, to implement transmission control of an industrial communication flow. The management controller comprises an industrial rule policy database used for storing all industrial rule policies set by a user. An SDN switch maintains a structure of a flow table, and an industrial communication flow is forwarded according to the flow table. The flow table comprises a security control identifier used for indicating whether security transmission of this communication flow needs to be controlled. The present invention can detect the legality of an industrial communication data flow, to control access of industrial communication that does not conform to an industrial rule policy, so that the security and reliability of industrial control systems based on an SDN architecture are guaranteed.
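The five-step procedure of claim 1 and the abstract above, as an added Python simulation that is not part of the patent or any product: the switch and controller classes, the numeric encoding of the first and second identifiers, the Modbus-style (function code, register) application-layer tuple, the fields of the constructed rule policies, the "any policy covers this protocol" judgement in step 3 and the re-processing of a packet after its flow entry is installed are all assumptions.

```python
# Added simulation of the claimed procedure; not the patent's own code.
FIRST, SECOND = 1, 2                  # security control identifier values (assumed)
FORWARD, DROP_FLOW = "forward", "drop_flow"

class ManagementController:
    def __init__(self, policies):
        self.policies = policies      # industrial rule policy database (constructed)
        self.switches, self.next_flow_id = [], 1

    def packet_in(self, pkt):         # step 3: switch had no matching flow entry
        flow_id, self.next_flow_id = self.next_flow_id, self.next_flow_id + 1
        # assumed judgement: a flow needs security control if any policy covers its protocol
        needs_control = any(p["proto"] == pkt["proto"] for p in self.policies)
        entry = {"match": (pkt["src"], pkt["dst"], pkt["proto"]), "flow_id": flow_id,
                 "action": FORWARD, "sec_ctrl": FIRST if needs_control else SECOND}
        for sw in self.switches:      # assumed: every registered switch is on the path
            sw.flow_table.append(dict(entry))

    def detect(self, flow_id, proto, app):   # step 4: in-depth parsing + policy match
        func, addr = app              # application layer parsed per protocol type
        for p in self.policies:
            if p["proto"] == proto and func in p["funcs"] and p["lo"] <= addr <= p["hi"]:
                return p["action"]    # match: the policy's control action is the result
        return DROP_FLOW              # no match: the whole flow is to be dropped

class SDNSwitch:
    def __init__(self, controller):
        self.flow_table, self.ctrl = [], controller
        controller.switches.append(self)

    def handle(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["proto"])
        entry = next((e for e in self.flow_table if e["match"] == key), None)  # step 1
        if entry is None:
            self.ctrl.packet_in(pkt)  # step 3, then re-process the packet (assumed)
            return self.handle(pkt)
        if entry["sec_ctrl"] == SECOND:       # step 2: act on the flow table directly
            return entry["action"]
        result = self.ctrl.detect(entry["flow_id"], pkt["proto"], pkt["app"])
        if result == DROP_FLOW:               # step 5: later packets of this flow are
            entry.update(action=DROP_FLOW, sec_ctrl=SECOND)  # dropped locally (assumed)
        return result

if __name__ == "__main__":
    ctrl = ManagementController([{"proto": "modbus", "funcs": {3, 4}, "lo": 0, "hi": 99, "action": FORWARD}])
    sw = SDNSwitch(ctrl)
    read = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": "modbus", "app": (3, 10)}
    print(sw.handle(read), sw.handle(dict(read, app=(16, 10))), sw.handle(read))
```

A Modbus read that matches the constructed policy is forwarded, a write to the same flow matches no policy and causes the whole flow to be dropped, and a non-industrial flow gets the second identifier and is never sent for content inspection.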
20 Claims
11. A method for controlling transmission security of a data flow based on a software defined network (SDN) architecture, comprising:
an SDN switch receiving a data flow, parsing a data packet of the data flow, and checking for a matching data packet in a flow table stored at the SDN switch, wherein when the data packet is not matched with any entry in the flow table, the SDN switch sends the data packet to a management controller; the management controller judges whether the data flow needs security control and establishes flow table information that includes a security control identifier, wherein:
when it is determined security control is needed, the management controller sets the security control identifier to a first identifier; and
when it is determined security control is not needed, the management controller sets the security control identifier to a second identifier; and
the management controller sends the flow table information to all SDN switches on a transmission path;
when the data packet is matched with an entry in the flow table, the SDN switch checks a security control identifier of the matched entry in the flow table, wherein:
when the security control identifier is the first identifier, the SDN switch sends a request to the management controller to detect data flow content; and
when the security control identifier is the second identifier, the SDN switch executes one or more corresponding operations according to actions in the flow table;
when the management controller receives a request to detect data flow content, a flow security control module of the management controller performs in-depth parsing on application layer information in the data packet, and checks for matches of the parsing result with each industrial rule policy in an industrial rule policy database, wherein:
when a match is found, the management controller sends a detection result to the SDN switch; and
when a match is not found, the management controller instructs the SDN switch to drop the data flow; and
when the SDN switch receives a detection result from the management controller, the SDN switch processes the data flow according to the detection result.