METHOD FOR CONTROLLING TRANSMISSION SECURITY OF INDUSTRIAL COMMUNICATIONS FLOW BASED ON SDN ARCHITECTURE
First Claim
1. A method for controlling transmission security of an industrial communication flow based on an SDN architecture, which comprises the following steps:
- Step 1;
after receiving an industrial communication data flow sent by an industrial control terminal, an SDN switch parses a data packet first, matches with a flow table stored therein entry by entry, and if the data packet is matched with a certain entry, go to step 2; and
if the data packet is matched with none of the entries of the flow table, go to step 3;
Step 2;
the SDN switch checks whether a security control identifier of a corresponding matched entry of the flow table is 1, sends a flow ID, an industrial communication protocol type and application layer information in the data packet to a management controller if the security control identifier is 1, to request to detect communication content, go to step 4; and
the SDN switch executes corresponding operations according to actions in the flow table if the security control identifier is 0;
Step 3;
the SDN switch sends the data packet to the management controller, the management controller parses the data packet, establishes a flow transmission path, computes forwarded flow table information and allocates a flow ID for the data packet using an internal basic service function, then judges whether this data flow needs to be managed and controlled through a flow security control module, and if so, sets the security control identifier in the flow table information to be 1;
otherwise, sets the security control identifier to be 0, and then sends the flow table information to all the SDN switches on the path;
Step 4;
the flow security control module performs in-depth parsing on the application layer information in the data packet according to different industrial communication protocols, matches the parsing result with each industrial rule policy in the industrial rule policy database, and sends the detection result to the SDN switch if matching is successful, go to step 5; and
informs the SDN switch to drop the overall industrial communication data flow if matching is not successful; and
Step 5;
the SDN switch further processes the industrial communication data flow according to the detection result.
1 Assignment
0 Petitions
Accused Products
Abstract
The present invention discloses a method for controlling transmission security of an industrial communication flow based on an SDN architecture. The method comprises: designing a flow security control module in a management controller, performing in-depth parsing on industrial communication flow data, matching the parsing result with each preset industrial rule policy, and executing a control processing operation of the industrial rule policy, to implement transmission control of an industrial communication flow. The management controller comprises an industrial rule policy database used for storing all industrial rule policies set by a user. An SDN switch maintains a structure of a flow table, and an industrial communication flow is forwarded according to the flow table. The flow table comprises a security control identifier used for indicating whether security transmission of this communication flow needs to be controlled. The present invention can detect the legality of an industrial communication data flow, to control access of industrial communication that does not conform to an industrial rule policy, so that the security and reliability of industrial control systems based on an SDN architecture are guaranteed.
27 Citations
10 Claims
-
1. A method for controlling transmission security of an industrial communication flow based on an SDN architecture, which comprises the following steps:
-
Step 1;
after receiving an industrial communication data flow sent by an industrial control terminal, an SDN switch parses a data packet first, matches with a flow table stored therein entry by entry, and if the data packet is matched with a certain entry, go to step 2; and
if the data packet is matched with none of the entries of the flow table, go to step 3;Step 2;
the SDN switch checks whether a security control identifier of a corresponding matched entry of the flow table is 1, sends a flow ID, an industrial communication protocol type and application layer information in the data packet to a management controller if the security control identifier is 1, to request to detect communication content, go to step 4; and
the SDN switch executes corresponding operations according to actions in the flow table if the security control identifier is 0;Step 3;
the SDN switch sends the data packet to the management controller, the management controller parses the data packet, establishes a flow transmission path, computes forwarded flow table information and allocates a flow ID for the data packet using an internal basic service function, then judges whether this data flow needs to be managed and controlled through a flow security control module, and if so, sets the security control identifier in the flow table information to be 1;
otherwise, sets the security control identifier to be 0, and then sends the flow table information to all the SDN switches on the path;Step 4;
the flow security control module performs in-depth parsing on the application layer information in the data packet according to different industrial communication protocols, matches the parsing result with each industrial rule policy in the industrial rule policy database, and sends the detection result to the SDN switch if matching is successful, go to step 5; and
informs the SDN switch to drop the overall industrial communication data flow if matching is not successful; andStep 5;
the SDN switch further processes the industrial communication data flow according to the detection result. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
Specification
-
- Resources
-
Current AssigneeShenyang Institute Of Automation ,Chinese Academy Of Sciences
-
Original AssigneeShenyang Institute Of Automation ,Chinese Academy Of Sciences
-
InventorsZENG, Peng, SHANG, Wenli, LI, DONG, WAN, Ming, ZHAO, Jianming, LIU, Jindi, YANG, Ming
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current
-
CPC Class CodesG05B 19/418 Total factory control, i.e....G05B 19/41855 by local area network [LAN]...G05B 2219/45103 Security, surveillance appl...H04L 45/745 Address table lookup; Addre...H04L 47/2441 relying on flow classificat...H04L 49/253 using establishment or rele...H04L 49/70 Virtual switchesH04L 63/0263 Rule managementH04L 63/166 at the transport layerH04L 63/20 for managing network securi...H04L 69/326 in the transport layer [OSI...H04L 9/40 Network security protocols
