Link flooding attack protection method and device

Document No.: 1116116  Publication date: 2020-09-29  Language: Chinese

Reading note: This technology, "Link flooding attack protection method and device" (一种链路洪泛攻击防护方法及装置), was designed by Li Yongjun, Guo Yunchuan, Li Fenghua and Fang Liang on 2020-05-19. Its main content is as follows: an embodiment of the invention provides a link flooding attack protection method and device, wherein the method comprises: acquiring each traffic transmission demand of a satellite network, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite; determining, based on the inter-satellite visibility relationship among the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission demand; and determining, based on each traffic transmission demand and its plurality of candidate transmission paths, a final transmission path corresponding to each traffic transmission demand and performing traffic distribution. The method and device provided by the embodiment of the invention realize balanced distribution of network traffic in the satellite network and ensure that the target area can communicate normally with the external network.

1. A method for protecting against a link flooding attack, characterized by comprising the following steps:

acquiring each flow transmission requirement of a satellite network, an inter-satellite visibility relation among satellites in the satellite network and the number of beams of each satellite;

determining a plurality of candidate transmission paths corresponding to each flow transmission demand respectively based on the inter-satellite visibility relationship among the satellites and the number of beams of each satellite;

and determining a final transmission path corresponding to each traffic transmission demand and performing traffic distribution based on each traffic transmission demand and a plurality of candidate transmission paths corresponding to each traffic transmission demand.

2. The method according to claim 1, wherein the determining, based on the inter-satellite visibility relationship between the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission requirement includes:

and determining, based on a traffic transmission path selection policy, the number of beams of each satellite and the inter-satellite visibility relationship among the satellites in any time slice, a plurality of candidate transmission paths corresponding to each traffic transmission demand in that time slice.

3. The method according to claim 2, wherein the determining, based on the traffic transmission path selection policy, the number of beams of each satellite, and the inter-satellite visibility relationship between satellites in any time slice, a plurality of candidate transmission paths corresponding to each traffic transmission requirement in any time slice specifically includes:

determining the shortest transmission path between the source satellite and the target satellite of any traffic transmission demand, excluding the existing candidate transmission paths, based on the inter-satellite visibility relationship among the satellites in the time slice, the number of beams of each satellite and the traffic transmission path selection policy;

determining an effective judgment result of the shortest transmission path based on the inter-satellite visibility relationship among the satellites in the shortest transmission path;

if the effective judgment result is effective, taking the shortest transmission path as a candidate transmission path corresponding to any flow transmission requirement, and updating the inter-satellite visibility relationship among the satellites;

and if it is determined that the candidate transmission paths corresponding to any traffic transmission demand do not yet meet the preset condition, returning to the step of determining the shortest transmission path between the source satellite and the target satellite of that traffic transmission demand, excluding the existing candidate transmission paths, based on the inter-satellite visibility relationship among the satellites in the time slice, the number of beams of each satellite and the traffic transmission path selection policy; otherwise, returning a candidate transmission path set consisting of the plurality of candidate transmission paths corresponding to that traffic transmission demand.

4. The method according to claim 2 or 3, wherein the traffic transmission path selection policy includes at least one of node disjointness, edge disjointness, and node edge disjointness.

5. The method for protecting against link flooding attack according to claim 2 or 3, characterized in that the traffic transmission path selection policy is from a user-defined setting and/or a security service capability orchestration system.

6. The method according to claim 3, wherein the preset condition is that the number of candidate transmission paths corresponding to any transmission requirement reaches an upper limit of the number of beams of the corresponding source satellite and/or destination satellite, or that the source satellite and/or destination satellite corresponding to any transmission requirement has no usable beam.

7. The method according to claim 1, wherein the determining a final transmission path corresponding to each traffic transmission requirement and performing traffic distribution based on each traffic transmission requirement and a plurality of candidate transmission paths corresponding to each traffic transmission requirement respectively comprises:

and establishing a final transmission path corresponding to each flow transmission demand of the current time slice respectively and performing flow distribution based on a plurality of candidate transmission paths corresponding to each flow transmission demand of the current time slice respectively or a plurality of candidate transmission paths corresponding to each flow transmission demand of the current time slice and a plurality of subsequent time slices respectively.

8. The method according to claim 7, wherein the establishing of the final transmission path corresponding to each traffic transmission requirement of the current time slice and the traffic distribution specifically include:

and determining final transmission paths corresponding to the traffic transmission demands of the current time slice respectively based on a traffic transmission allocation strategy, and performing traffic allocation on the final transmission paths corresponding to the traffic transmission demands of the current time slice respectively.

9. The method of claim 8, wherein the traffic transmission allocation policy includes at least one of minimizing a maximum bandwidth utilization of a full-network single-hop path, minimizing a transmission delay of full-network traffic, minimizing a transmission distance of full-network traffic, and minimizing a transmission hop count of full-network traffic.

10. The method according to claim 8 or 9, wherein the traffic transmission distribution policy is from a user-defined setting and/or a security service capability orchestration system.

11. The method according to claim 1, wherein the acquiring traffic transmission requirements of a satellite network, inter-satellite visibility relationships among satellites in the satellite network, and the number of beams of each satellite specifically includes:

and if the satellite network is attacked by link flooding, acquiring each flow transmission requirement of the satellite network, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite.

12. The method according to claim 1 or 11, wherein the inter-satellite visibility relationship between the satellites in the satellite network is determined based on the position information and beam scannable elevation information of each satellite.

13. A link flooding attack prevention apparatus, comprising:

an information acquisition unit, configured to acquire each traffic transmission demand of a satellite network, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite;

a path candidate unit, configured to determine, based on inter-satellite visibility relationships between the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission demand;

and the selecting and distributing unit is used for determining a final transmission path corresponding to each flow transmission demand respectively and distributing the flow based on each flow transmission demand and a plurality of candidate transmission paths corresponding to each flow transmission demand respectively.

14. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the link flooding attack protection method according to any one of claims 1 to 12 are implemented when the processor executes the program.

15. A non-transitory computer readable storage medium, having stored thereon a computer program, which, when being executed by a processor, carries out the steps of the method for link flooding attack protection according to any one of claims 1 to 12.

Technical Field

The invention relates to the technical field of network protection, and in particular to a method and a device for protecting against link flooding attacks.

Background

With the increasing demands of frequent cross-domain interaction, long-time long-distance data transmission and the like of services, large-scale complex interconnected networks such as the Internet, a world-wide integrated network, the Internet of things and the like are continuously formed, various nodes in the network are widely distributed across regions and space-time, and are interconnected and intercommunicated and mutually dependent. The large-scale complex internet is easily attacked by link flooding, so that a plurality of nodes in a large-area range of the network cannot normally communicate with an external network.

The existing network attack protection scheme only protects the ground network, namely only protects the network with unchanged physical connection relation between routing nodes. When a network attack target is converted from a ground network to a satellite network, because a transmission path between satellites is dynamically established, the existing network attack protection scheme cannot be directly used, and the protection against link flooding attack is difficult to realize.

Disclosure of Invention

The embodiment of the invention provides a link flooding attack protection method and a link flooding attack protection device, which are used for solving the problems that the conventional link flooding attack protection method cannot be directly used in a satellite network and cannot realize protection against link flooding attack.

In a first aspect, an embodiment of the present invention provides a method for protecting a link flooding attack, including:

acquiring each flow transmission requirement of a satellite network, an inter-satellite visibility relation among satellites in the satellite network and the number of beams of each satellite;

determining a plurality of candidate transmission paths corresponding to each flow transmission demand respectively based on the inter-satellite visibility relationship among the satellites and the number of beams of each satellite;

and determining a final transmission path corresponding to each traffic transmission demand and performing traffic distribution based on each traffic transmission demand and a plurality of candidate transmission paths corresponding to each traffic transmission demand.

Optionally, the determining, based on the inter-satellite visibility relationship between the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission requirement includes:

determining, based on a traffic transmission path selection policy, the number of beams of each satellite and the inter-satellite visibility relationship among the satellites in any time slice, a plurality of candidate transmission paths corresponding to each traffic transmission demand in that time slice, where any time slice is the current time slice or a subsequent time slice.

Optionally, the determining, based on the traffic transmission path selection policy, the number of beams of each satellite, and the inter-satellite visibility relationship between the satellites in any time slice, a plurality of candidate transmission paths corresponding to each traffic transmission requirement in any time slice specifically includes:

determining the shortest transmission path between the source satellite and the target satellite of any traffic transmission demand, excluding the existing candidate transmission paths, based on the inter-satellite visibility relationship among the satellites in the time slice, the number of beams of each satellite and the traffic transmission path selection policy;

determining an effective judgment result of the shortest transmission path based on the inter-satellite visibility relationship among the satellites in the shortest transmission path;

if the effective judgment result is effective, taking the shortest transmission path as a candidate transmission path corresponding to any flow transmission requirement, and updating the inter-satellite visibility relationship among the satellites;

and if it is determined that the candidate transmission paths corresponding to any traffic transmission demand do not yet meet the preset condition, returning to the step of determining the shortest transmission path between the source satellite and the target satellite of that traffic transmission demand, excluding the existing candidate transmission paths, based on the inter-satellite visibility relationship among the satellites in the time slice, the number of beams of each satellite and the traffic transmission path selection policy; otherwise, returning a candidate transmission path set consisting of the plurality of candidate transmission paths corresponding to that traffic transmission demand.

Optionally, the traffic transmission path selection policy includes at least one of node disjointness, edge disjointness, and node edge disjointness.

Optionally, the traffic transmission path selection policy is from a user-defined setting and/or a security service capability orchestration system.

Optionally, the preset condition is that the number of candidate transmission paths corresponding to any transmission requirement reaches an upper limit of the number of beams of the corresponding source satellite and/or destination satellite, or the source satellite and/or destination satellite corresponding to any transmission requirement has no available beam.

Optionally, the determining, based on each traffic transmission demand and the plurality of candidate transmission paths corresponding to the traffic transmission demand respectively, a final transmission path corresponding to each traffic transmission demand respectively and performing traffic distribution specifically includes:

and establishing a final transmission path corresponding to each flow transmission demand of the current time slice respectively and performing flow distribution based on a plurality of candidate transmission paths corresponding to each flow transmission demand of the current time slice respectively or a plurality of candidate transmission paths corresponding to each flow transmission demand of the current time slice and a plurality of subsequent time slices respectively.

Optionally, the establishing a final transmission path corresponding to each traffic transmission requirement of the current time slice and performing traffic distribution specifically includes:

and determining final transmission paths corresponding to the traffic transmission demands of the current time slice respectively based on a traffic transmission allocation strategy, and performing traffic allocation on the final transmission paths corresponding to the traffic transmission demands of the current time slice respectively.

Optionally, the traffic transmission allocation policy includes at least one of minimizing a maximum bandwidth utilization of a full-network single-hop path, minimizing a transmission delay of full-network traffic, minimizing a transmission distance of the full-network traffic, and minimizing a transmission hop count of the full-network traffic.

Optionally, the traffic transmission allocation policy is from a user-defined setting and/or a security service capability orchestration system.

Optionally, the acquiring of the traffic transmission requirements of the satellite network, the inter-satellite visibility relationship between the satellites in the satellite network, and the number of beams of each satellite specifically includes:

and if the satellite network is attacked by link flooding, acquiring each flow transmission requirement of the satellite network, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite.

Optionally, the inter-satellite visibility relationship between the satellites in the satellite network is determined based on the position information and beam scannable elevation information of the satellites.

In a second aspect, an embodiment of the present invention provides a link flooding attack protection device, including:

an information acquisition unit, configured to acquire each traffic transmission demand of a satellite network, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite;

a path candidate unit, configured to determine, based on inter-satellite visibility relationships between the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission demand;

and the selecting and distributing unit is used for determining a final transmission path corresponding to each flow transmission demand respectively and distributing the flow based on each flow transmission demand and a plurality of candidate transmission paths corresponding to each flow transmission demand respectively.

In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method for protecting against a link flooding attack as described in the first aspect when executing the program.

In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the link flooding attack protecting method as described in the first aspect.

According to the link flooding attack protection method and device provided by the embodiment of the invention, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite are obtained, so that balanced distribution of network traffic in the satellite network is realized: when the satellite network faces a link flooding attack, the network traffic load can be redistributed as far as possible, the congestion degree of an attacked single-hop path is reduced, and normal communication between the target area and the external network is ensured.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.

Fig. 1 is a schematic flow chart of a link flooding attack protection method according to an embodiment of the present invention;

fig. 2 is a schematic structural diagram of a link flooding attack protection apparatus according to an embodiment of the present invention;

fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

A link flooding attack is one in which an attacker, through cooperation among attack agents (such as bot hosts) distributed at different physical locations, exploits communication among the bot hosts or their access to open services inside or outside a target area to launch a flooding attack on several key single-hop paths leading to the target area, so that those single-hop paths are blocked and the area can no longer provide network services to the outside or the inside; that is, the attack follows the idea of "cooperatively attacking a few 'lines' to jointly cut off a large region" and achieves an effective attack on the target area. Because space-based network resources are extremely limited, once such an attack is applied to a space-ground integrated network the resulting loss is bound to be huge; for example, when the attack target area is one of a limited number of ground gateway stations, the serious consequence of "attacking one corner and paralysing the whole network" is very likely to occur.

A single-hop path is a direct communication path between two nodes that does not pass through any other node; the nodes include satellites, satellite payloads, access security gateways, protocol gateways, interconnection security gateways, cryptographic equipment, routers, satellite terminals, computer terminals, application servers, storage equipment, service systems, control systems, hardware modules, software components, dynamic libraries and the like.

Because the attacker's malicious traffic never reaches the target area itself, traditional detection and protection equipment deployed at the boundary of or inside the target area can hardly play a role. The existing attack protection scheme responds to the attack using the idea of traffic engineering: through coordination among the routing nodes on the data transmission path, the network traffic load is redistributed as evenly as possible at the network routing layer, so that the congestion degree of the attacked single-hop path is reduced and the attack is mitigated.

The existing attack protection scheme only protects the ground network, namely only protects the network in which the physical connection relationship among the routing nodes is kept unchanged. When a network attack target is converted from a ground network to a satellite network, because a transmission path between satellites is dynamically established, the existing network attack protection scheme cannot be directly used, and the protection against link flooding attack is difficult to realize.

Fig. 1 is a schematic flow chart of a link flooding attack protection method provided in an embodiment of the present invention, and as shown in fig. 1, the method includes:

step 101, acquiring each flow transmission requirement of a satellite network, an inter-satellite visibility relation among satellites in the satellite network and the number of beams of each satellite;

Specifically, network traffic in a satellite network is transmitted through the different satellites in the network, each of which is a node. The satellite corresponding to the transmitting end of each traffic transmission is the source satellite, and the satellite corresponding to the receiving end is the target satellite. Each traffic transmission demand of the satellite network refers to information such as the volume of network data to be transmitted from each source satellite to each target satellite. The traffic transmission demand may be obtained from a satellite network control system such as a satellite operation and control system, or may be obtained from a traffic prediction algorithm, which is not specifically limited in the embodiment of the present invention.

The inter-satellite visibility relationship between the satellites in the satellite network includes a geometric visibility relationship and a beam visibility relationship. The geometric visibility relation indicates whether the inter-satellite connection is blocked by the earth and an ionized layer; the beam visibility relationship refers to whether two satellites are within the beam scanning range of each other. Two satellites are said to be in view of each other only if they satisfy both the geometric visibility relationship and the beam visibility relationship. Only if two satellites are visible, the inter-satellite single-hop path, that is, the inter-satellite transmission path, can be established mutually. The inter-satellite visibility relationship between the satellites can be obtained through a satellite operation and control system, and also can be obtained through calculation of real-time state parameters of the satellites, which is not specifically limited in the embodiment of the present invention.

The satellite link includes a microwave link and/or a laser link, where the microwave link includes, but is not limited to, at least one of the L, S, C, X, Ku, K, Ka and Q/V frequency bands. One microwave link consists of one or more beams, and one laser link consists of one or more laser beams. For ease of description, the beams that make up microwave links and the laser beams that make up laser links are collectively referred to as beams.

Step 102, determining a plurality of candidate transmission paths corresponding to each traffic transmission demand based on the inter-satellite visibility relationship among the satellites and the number of beams of each satellite;

specifically, there is no fixed physical connection relationship between satellites in the satellite network, and the transmission path of the network traffic is dynamically established. Multiple possible transmission paths may be selected per traffic transmission requirement. Each possible transmission path is affected by the inter-satellite visibility relationship, and there may be a case where the geometric visibility relationship and/or the beam visibility relationship are not satisfied, and the network transmission traffic cannot be transmitted from the source satellite to the destination satellite. Therefore, a plurality of candidate transmission paths corresponding to each traffic transmission requirement need to be selected from a plurality of possible transmission paths, so as to ensure that the network transmission traffic can be transmitted from the source satellite to the destination satellite.

The candidate transmission paths are simultaneously limited by the number of beams for each satellite. For example, assuming that the beam technology system is spot beams, a satellite can only establish an inter-satellite link, i.e., a network traffic transmission path, with one other satellite through one beam. If the number of candidate transmission paths through a satellite exceeds the number of beams of the satellite, the excess transmission paths are invalid transmission paths with no available beams when transmitting on the satellite. In the embodiment of the invention, the candidate transmission paths are all effective transmission paths.

Step 103, determining a final transmission path corresponding to each traffic transmission demand and performing traffic distribution based on each traffic transmission demand and a plurality of candidate transmission paths corresponding to each traffic transmission demand.

Specifically, for each traffic transmission demand, one or more transmission paths are selected from the candidate transmission paths corresponding to the traffic transmission demand as final transmission paths, and network traffic is respectively allocated to the selected final transmission paths, so that the sum of the network traffic allocated to the final transmission paths corresponding to the traffic transmission demands is equal to the sum of the traffic transmission demands.

According to the link flooding attack protection method provided by the embodiment of the invention, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite are obtained, so that balanced distribution of network traffic in the satellite network is realized: when the satellite network faces a link flooding attack, the network traffic load can be redistributed as far as possible, the congestion degree of an attacked single-hop path is reduced, and normal communication between the target area and the external network is ensured.

Based on the above embodiment, determining, based on inter-satellite visibility relationships between the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission demand respectively includes:

determining, based on a traffic transmission path selection policy, the number of beams of each satellite and the inter-satellite visibility relationship among the satellites in any time slice, a plurality of candidate transmission paths corresponding to each traffic transmission demand in that time slice; any time slice is the current time slice or a subsequent time slice.

Specifically, the traffic transmission path selection policy is the principle by which nodes and edges are chosen for the traffic transmission paths. To prevent the failure of a single node or a single link from affecting several traffic transmission paths at once, the policy determines whether the nodes and/or edges of the several traffic transmission paths may intersect.

Time slices are obtained by dividing time according to the satellite operation pattern; different time slices may have the same or different durations, and the division may be made at fixed time intervals or other intervals, or according to the visibility relationship between satellites, which is not specifically limited in the embodiment of the present invention. Any time slice may be the current time slice or one of a plurality of subsequent time slices.

According to a given traffic transmission path selection policy, the number of beams of each satellite and the inter-satellite visibility relationship among the satellites in any time slice, a plurality of effective candidate transmission paths can be selected for each traffic transmission demand in that time slice.

Before the candidate transmission paths are determined, the traffic transmission demands are sorted in ascending or descending order of traffic volume. Before sorting, the zero elements of the traffic demand matrix formed by the traffic transmission demands may be removed, after which the non-zero elements of the matrix are sorted from largest to smallest with a quicksort algorithm.

Based on any of the embodiments, determining a plurality of candidate transmission paths corresponding to each traffic transmission requirement in any time slice based on a traffic transmission path selection strategy, the number of beams of each satellite, and an inter-satellite visibility relationship between each satellite in any time slice specifically includes:

determining the shortest transmission path between a source satellite and a target satellite of any flow transmission requirement except for the existing candidate transmission path based on the inter-satellite visibility relationship among the satellites in any time slice, the number of beams of each satellite and a flow transmission path selection strategy;

determining an effective judgment result of the shortest transmission path based on the inter-satellite visibility relationship among the satellites in the shortest transmission path;

if the effective judgment result is effective, the shortest transmission path is taken as a candidate transmission path corresponding to any flow transmission requirement, and the inter-satellite visibility relationship among the satellites is updated;

and if the candidate transmission paths corresponding to the traffic transmission demand do not satisfy the preset condition, determining the next shortest transmission path between the source satellite and the destination satellite of the traffic transmission demand, excluding the existing candidate transmission paths, based on the inter-satellite visibility relationship between the satellites in the time slice, the number of beams of each satellite and the traffic transmission path selection policy; otherwise, returning the candidate transmission path set consisting of the candidate transmission paths corresponding to the traffic transmission demand.

Specifically, the shortest transmission path between the source satellite and the destination satellite in any traffic transmission requirement may be one or more of a path with the shortest transmission distance, a path with the shortest hop count, a path with the shortest transmission delay, and a path with the shortest processing delay, which is not specifically limited in this embodiment of the present invention.

By way of example, one beam of one satellite establishes only one inter-satellite single hop path with another satellite. The shortest transmission path in the example is selected as the path having the shortest transmission distance between satellites. It is assumed that an inter-satellite visibility relationship between satellites in a current time slice may be represented by an inter-satellite visibility matrix M, where a matrix element value represents an inter-satellite visibility relationship between two corresponding satellites, and if the matrix element value is zero, it represents that two satellites are not visible, and if the matrix element value is non-zero, it represents that two satellites are visible. Correspondingly, the inter-satellite distance between the satellites can be represented by an inter-satellite distance matrix D, where when two satellites are visible, the corresponding matrix element value is the inter-satellite distance between the two satellites, and when two satellites are invisible, the corresponding matrix element value is infinite. The single-hop path allocation in the satellite network may be represented by a single-hop path allocation matrix L.

The current flow transmission path selection strategy is edge disjointness, and all candidate paths do not share any single-hop path, so that the transmission of a plurality of transmission paths is prevented from being influenced when a certain link fails or the available bandwidth is insufficient.

According to the inter-satellite visibility matrix M and the inter-satellite distance matrix D, the shortest transmission path path_k between the source satellite and the destination satellite of any traffic transmission demand can be obtained with a path solving algorithm, where k is the index of the shortest transmission path. The path solving algorithm may be Dijkstra, Floyd or Bellman-Ford; the embodiment of the invention does not specifically limit the choice of solving algorithm.

The shortest transmission path path_k does not belong to the existing candidate transmission paths and must be checked for effectiveness.

Only when every pair of adjacent satellites in path_k is inter-satellite visible is path_k an effective transmission path, that is, the effectiveness judgment result of the shortest transmission path is effective; otherwise it is invalid.

If the effectiveness judgment result of path_k is effective, path_k is taken as a candidate transmission path corresponding to the traffic transmission demand and the inter-satellite visibility relationship between the satellites is updated. The update specifically includes: if, during the effectiveness judgment of path_k, all beams of the source satellite and/or destination satellite of any of its single-hop paths have been used, the inter-satellite distance matrix D is updated so that the distances between such a satellite and every other satellite with which it could establish a connection are set to infinity; that is, although the satellite remains visible to other satellites, no further single-hop path can be established with it because its beams are used up.

path_k is added to the candidate transmission path set PATH as a candidate transmission path corresponding to the traffic transmission demand.

The next shortest transmission path path_(k+1), excluding the existing candidate transmission paths, is then solved in the same way, until the candidate transmission paths corresponding to the traffic transmission demand satisfy the preset condition; the solving process then ends and the candidate transmission path set PATH consisting of the candidate transmission paths is returned.
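The candidate path search just described, written out as an added example that is not part of the patent: Dijkstra over a working copy of D, one beam consumed per single-hop path end, satellites with no beams left retired from D, and each accepted hop removed so later paths are edge-disjoint. The satellite graph, distances and beam counts are constructed sample values; how an invalid path is skipped is my assumption, since the text does not say.

```python
import heapq
import math
from typing import Dict, List, Optional, Sequence, Tuple

INF = math.inf

# constructed sample: 5 satellites, demand from satellite 0 to satellite 4
SAMPLE_M = [[0, 1, 1, 1, 0], [1, 0, 1, 0, 1], [1, 1, 0, 0, 1],
            [1, 0, 0, 0, 1], [0, 1, 1, 1, 0]]
SAMPLE_D = [[INF, 1.0, 1.5, 2.0, INF], [1.0, INF, 0.5, INF, 1.0],
            [1.5, 0.5, INF, INF, 1.5], [2.0, INF, INF, INF, 2.0],
            [INF, 1.0, 1.5, 2.0, INF]]


def shortest_path(dist: List[List[float]], src: int, dst: int) -> Optional[List[int]]:
    """Dijkstra on the working distance matrix (INF = no usable single-hop path).
    Returns the satellite sequence src..dst, or None if dst is unreachable."""
    n = len(dist)
    best, prev = [INF] * n, [-1] * n
    best[src] = 0.0
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > best[u]:
            continue
        if u == dst:
            break
        for v in range(n):
            if v == u or dist[u][v] == INF:
                continue
            nd = d + dist[u][v]
            if nd < best[v]:
                best[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if best[dst] == INF:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def beams_needed(path: Sequence[int]) -> Dict[int, int]:
    """One beam per single-hop path end: endpoints need 1, relay satellites need 2."""
    need: Dict[int, int] = {}
    for u, v in zip(path, path[1:]):
        need[u] = need.get(u, 0) + 1
        need[v] = need.get(v, 0) + 1
    return need


def edge_disjoint_candidates(M, D, beams, src: int, dst: int) -> Tuple[List[List[int]], List[int]]:
    """Candidate path set PATH for one demand in one time slice under the
    edge-disjointness policy. M: visibility matrix (0 = not visible); D: distance
    matrix (INF where not visible); beams: beam count per satellite.
    Returns (PATH, free beams remaining per satellite)."""
    n = len(M)
    dist = [[D[i][j] if M[i][j] else INF for j in range(n)] for i in range(n)]
    free = list(beams)
    PATH: List[List[int]] = []

    def retire(sat: int) -> None:
        # the update of D from the text: no new single-hop path may use this satellite
        for j in range(n):
            dist[sat][j] = dist[j][sat] = INF

    while True:
        # preset condition: path count reached the beam limit of src/dst, or no beam left
        if len(PATH) >= min(beams[src], beams[dst]) or free[src] == 0 or free[dst] == 0:
            break
        path = shortest_path(dist, src, dst)
        if path is None:
            break
        hops = list(zip(path, path[1:]))
        need = beams_needed(path)
        # effectiveness judgment: every hop visible, every satellite has the beams it needs
        if not (all(M[u][v] for u, v in hops) and all(free[s] >= k for s, k in need.items())):
            # assumption: drop the offending relay/hop from the working matrix and retry
            for s, k in need.items():
                if free[s] < k and s not in (src, dst):
                    retire(s)
            for u, v in hops:
                if not M[u][v]:
                    dist[u][v] = dist[v][u] = INF
            continue
        PATH.append(path)
        for s, k in need.items():
            free[s] -= k
            if free[s] == 0:
                retire(s)
        for u, v in hops:
            dist[u][v] = dist[v][u] = INF   # edge disjointness: hop cannot be reused
    return PATH, free
```

With satellite 2 holding a single beam it cannot relay, so the second path found (0-2-4) is rejected and 0-3-4 is taken instead.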

Based on any of the above embodiments, the traffic transmission path selection policy includes at least one of node disjointness, edge disjointness, and node edge disjointness.

Specifically, node disjointness means that no intermediate satellite node is shared among the candidate transmission paths corresponding to traffic transmission demands from the same source satellite to the same destination satellite; edge disjointness means that no single-hop path is shared among the candidate transmission paths corresponding to traffic transmission demands from the same source satellite to the same destination satellite; node-edge intersection means that the same single-hop path and/or the same node is allowed to appear in several candidate transmission paths corresponding to traffic transmission demands from the same source satellite to the same destination satellite.

Based on any of the above embodiments, the preset condition is that the number of candidate transmission paths corresponding to any transmission requirement reaches the upper limit of the number of beams of the corresponding source satellite and/or destination satellite; or no beams are available to the source satellite and/or the destination satellite for any transmission requirement.

Specifically, if the candidate transmission path corresponding to any transmission requirement meets the preset condition, it indicates that the candidate transmission path corresponding to any transmission requirement has been completely solved.

When the preset condition is that the number of candidate transmission paths corresponding to any transmission demand has reached the upper limit of the number of beams of the corresponding source satellite and/or destination satellite, no further effective transmission path from the source satellite to the destination satellite can be established.

When the preset condition is that the source satellite and/or the destination satellite corresponding to any transmission requirement have no available beam, even if an available transmission path still exists between the source satellite and the destination satellite, the source satellite cannot transmit the network traffic or the destination satellite cannot receive the network traffic.

Based on any of the embodiments, determining a final transmission path corresponding to each traffic transmission demand and performing traffic distribution based on each traffic transmission demand and a plurality of candidate transmission paths corresponding to each traffic transmission demand, specifically including:

and establishing a final transmission path corresponding to each flow transmission demand of the current time slice respectively and performing flow distribution based on a plurality of candidate transmission paths corresponding to each flow transmission demand of the current time slice respectively or a plurality of candidate transmission paths corresponding to each flow transmission demand of the current time slice and a plurality of subsequent time slices respectively.

Specifically, the establishment of the final transmission path may be determined and traffic distribution may be performed according to each traffic transmission requirement of the current time slice, or according to each traffic transmission requirement of the current time slice and a plurality of subsequent time slices.

According to the link flooding attack protection method provided by the embodiment of the invention, the establishment of the inter-satellite single-hop path and the flow distribution are optimized and solved according to the flow transmission requirements of a plurality of time slices, so that the flow distribution in the satellite network is more balanced, the satellite network can protect against the link flooding attack, and the target area and the external network can be ensured to be in normal communication.

Based on any of the above embodiments, establishing a final transmission path corresponding to each traffic transmission requirement of the current time slice and performing traffic distribution, specifically including:

and determining final transmission paths corresponding to the traffic transmission demands of the current time slice respectively based on the traffic transmission allocation strategy, and performing traffic allocation on the final transmission paths corresponding to the traffic transmission demands of the current time slice respectively.

Specifically, under a traffic transmission allocation policy, in the current time slice and for each traffic transmission demand, one or more of the candidate transmission paths corresponding to that demand are selected as final transmission paths; the final transmission paths corresponding to each traffic transmission demand of the current time slice are established and traffic is allocated to them, so that the sum of the traffic allocated to the final transmission paths equals the sum of the traffic transmission demands.

The final transmission paths corresponding to each traffic transmission demand of the current time slice may be established, and traffic allocated, under the policy of minimizing the maximum bandwidth utilization of the single-hop paths of the whole network. For example, traffic is first allocated to the path with the smallest maximum bandwidth utilization until its maximum bandwidth utilization equals that of the path with the second smallest maximum bandwidth utilization. If all the traffic to be allocated has been placed on the smallest path before that level is reached, the allocation ends. If the two utilizations become equal and traffic remains, the allocation continues iteratively: traffic is allocated to the smallest and second smallest paths together until their maximum bandwidth utilization equals that of the third smallest path, and so on, until the maximum bandwidth utilization of every path equals the largest maximum bandwidth utilization among the original paths. The maximum bandwidth utilization of the paths under this allocation policy can be calculated once the traffic allocation is finished.
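The water-filling allocation described above, as an added example that is not code from the patent. It assumes the final paths are edge-disjoint (so each path's maximum bandwidth utilization depends only on its own allocation) and uses constructed loads and capacities; the bisection for the final level is my own way of handling the case where traffic runs out between two levels.

```python
import math
from typing import Dict, List, Tuple

Hop = Tuple[int, int]   # a single-hop path (u, v)

# constructed sample: three edge-disjoint final paths for one demand 0 -> 4,
# with the current load and capacity (same units) of each single-hop path
SAMPLE_PATHS: List[List[Hop]] = [[(0, 1), (1, 4)], [(0, 2), (2, 4)], [(0, 3), (3, 4)]]
SAMPLE_LOAD: Dict[Hop, float] = {(0, 1): 2, (1, 4): 4, (0, 2): 1, (2, 4): 2, (0, 3): 5, (3, 4): 3}
SAMPLE_CAP: Dict[Hop, float] = {(0, 1): 10, (1, 4): 10, (0, 2): 10, (2, 4): 20, (0, 3): 10, (3, 4): 10}


def max_utilization(hops, extra, load, cap) -> float:
    """Maximum bandwidth utilization over the path's single-hop paths after
    `extra` traffic has been allocated to the path."""
    return max((load[h] + extra) / cap[h] for h in hops)


def traffic_at_level(hops, level, load, cap) -> float:
    """Total traffic that lifts the path's maximum utilization exactly to `level`
    (the inverse of max_utilization; the bottleneck hop decides)."""
    return min(level * cap[h] - load[h] for h in hops)


def water_fill(paths, demand, load, cap, eps=1e-9) -> Tuple[List[float], float]:
    """Allocate `demand` over edge-disjoint final paths so that the maximum
    bandwidth utilization among them is minimized (equalized where possible).
    Returns (allocation per path in input order, resulting utilization level)."""
    k = len(paths)
    level = [max_utilization(p, 0.0, load, cap) for p in paths]
    order = sorted(range(k), key=lambda i: level[i])
    alloc = [0.0] * k
    remaining = float(demand)
    cur = level[order[0]]
    active: List[int] = []
    nxt = 0
    while remaining > eps:
        while nxt < k and level[order[nxt]] <= cur + eps:
            active.append(order[nxt])        # paths now sitting at the water level
            nxt += 1
        target = level[order[nxt]] if nxt < k else math.inf

        def needed(lv: float) -> float:      # traffic lifting all active paths from cur to lv
            return sum(traffic_at_level(paths[i], lv, load, cap) - alloc[i] for i in active)

        if target < math.inf and needed(target) <= remaining:
            remaining -= needed(target)      # reach the next path's level, keep going
            cur = target
        else:
            # traffic runs out before the next level: bisect the final common level
            lo, hi = cur, (target if target < math.inf else cur + 1.0)
            while needed(hi) < remaining:
                hi += hi - cur
            for _ in range(100):
                mid = (lo + hi) / 2
                lo, hi = (mid, hi) if needed(mid) < remaining else (lo, mid)
            cur, remaining = hi, 0.0
        for i in active:
            alloc[i] = traffic_at_level(paths[i], cur, load, cap)
    return alloc, cur
```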

Based on any of the above embodiments, the traffic transmission allocation policy includes at least one of minimizing a maximum bandwidth utilization of a full-network single-hop path, minimizing a transmission delay of the full-network traffic, minimizing a transmission distance of the full-network traffic, and minimizing a transmission hop count of the full-network traffic.

Optionally, the traffic transmission allocation policy includes at least one of minimizing a maximum bandwidth utilization of a single hop path of the entire network, minimizing a transmission delay of the traffic of the entire network, minimizing a transmission distance of the traffic of the entire network, and minimizing a transmission hop count of the traffic of the entire network.

Minimizing the transmission delay of the whole-network traffic includes at least one of minimizing the maximum transmission delay, the minimum transmission delay and the average transmission delay of the whole-network traffic; minimizing the transmission distance of the whole-network traffic includes at least one of minimizing the maximum transmission distance, the minimum transmission distance and the average transmission distance of the whole-network traffic; minimizing the transmission hop count of the whole-network traffic includes at least one of minimizing the maximum transmission hop count, the minimum transmission hop count and the average transmission hop count of the whole-network traffic.

Based on any of the above embodiments, the traffic transmission path selection policy and the traffic transmission allocation policy come from a user-defined setting and/or a security service capability arrangement system.

Specifically, when the link flooding attack protection method in the embodiment of the present invention is used alone, the traffic transmission path selection policy and the traffic transmission allocation policy may be set by a user in a customized manner. When the link flooding attack protection method in the embodiment of the present invention is used in combination with other methods, a policy determined by other methods may be received. For example, when the link flooding attack protection method in the embodiment of the present invention is used in a network security protection system, a security service capability orchestration system may be used to formulate a corresponding traffic transmission path selection policy and a traffic transmission allocation policy.

Based on any of the above embodiments, acquiring each traffic transmission requirement of the satellite network, inter-satellite visibility relationships between satellites in the satellite network, and the number of beams of each satellite specifically includes:

and if the satellite network is attacked by link flooding, acquiring each flow transmission requirement of the satellite network, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite.

Specifically, the satellite network is attacked by link flooding, and the attack serves as a trigger condition for acquiring each traffic transmission requirement of the satellite network, an inter-satellite visibility relationship among satellites in the satellite network, and the number of beams of each satellite.

And the intrusion detection system with the congestion monitoring capability of the inter-satellite single-hop path or the satellite sends out an alarm signal of the trigger condition, and the alarm signal indicates that the satellite network is attacked by link flooding.

According to any of the above embodiments, the inter-satellite visibility relationship between the respective satellites in the satellite network is determined based on the position information and the beam scannable elevation information of the respective satellites.

Specifically, the position information of a satellite is information that uniquely determines the position of that satellite within a given time slice, including at least one of the longitude, latitude and altitude of the satellite. The position information may be obtained by querying a satellite operation and control system or by calculation from the satellite orbit parameters. The satellite orbit parameters include at least one of the orbit semi-major axis, orbit eccentricity, orbit inclination, right ascension of the ascending node, argument of perigee and time of perigee passage. The satellite beam scannable elevation information is the scanning range of the satellite's beam.

According to the position information and the beam scannable elevation information of each satellite in any time slice, the inter-satellite visibility relation between each satellite in the satellite network in the corresponding time slice can be determined.

For example, the position information and satellite beam scannable elevation information for each satellite for the current time slice and the 3 subsequent time slices are known. Wherein the satellite's location information includes the satellite's longitude, latitude, and altitude, and the satellite beam scannable elevation information includes the beam azimuth. According to the longitude, latitude, altitude and beam azimuth of the satellite, the inter-satellite visibility relationship of each satellite of the current time slice and the subsequent 3 time slices can be calculated.
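An added example (not the patent's code) of deriving M for one time slice from longitude, latitude, altitude and beam scan range. It assumes a spherical Earth, models geometric visibility as the inter-satellite line staying outside an occluding sphere (Earth plus an optional ionosphere margin), and interprets the scannable elevation as a maximum angle above or below the satellite's local horizon; the four satellites are constructed sample values.

```python
import math
from typing import List, Tuple

Vec = Tuple[float, float, float]
R_EARTH_KM = 6371.0   # spherical Earth (assumption)

# constructed sample: (lat_deg, lon_deg, alt_km, max_scan_elev_deg) for one time slice
SAMPLE_SATS = [(0.0, 0.0, 600.0, 20.0), (0.0, 30.0, 600.0, 20.0),
               (0.0, 60.0, 600.0, 20.0), (0.0, 74.0, 600.0, 20.0)]


def to_ecef(lat_deg: float, lon_deg: float, alt_km: float) -> Vec:
    """Earth-centred position from longitude, latitude and altitude."""
    r = R_EARTH_KM + alt_km
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    return (r * math.cos(lat) * math.cos(lon), r * math.cos(lat) * math.sin(lon), r * math.sin(lat))


def _dot(a: Vec, b: Vec) -> float:
    return sum(x * y for x, y in zip(a, b))


def _sub(a: Vec, b: Vec) -> Vec:
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])


def _norm(a: Vec) -> float:
    return math.sqrt(_dot(a, a))


def geometric_visible(p1: Vec, p2: Vec, occlusion_radius_km: float = R_EARTH_KM) -> bool:
    """True when the segment between the satellites stays outside the occluding sphere."""
    d = _sub(p2, p1)
    t = max(0.0, min(1.0, -_dot(p1, d) / _dot(d, d)))   # closest point of the segment to Earth's centre
    closest = (p1[0] + t * d[0], p1[1] + t * d[1], p1[2] + t * d[2])
    return _norm(closest) > occlusion_radius_km


def elevation_deg(p_from: Vec, p_to: Vec) -> float:
    """Elevation of p_to above p_from's local horizontal plane (negative = below the horizon)."""
    v = _sub(p_to, p_from)
    s = max(-1.0, min(1.0, _dot(v, p_from) / (_norm(v) * _norm(p_from))))
    return math.degrees(math.asin(s))


def beam_visible(p1: Vec, p2: Vec, max_elev1: float, max_elev2: float) -> bool:
    """Each satellite must see the other inside its own scannable elevation range."""
    return abs(elevation_deg(p1, p2)) <= max_elev1 and abs(elevation_deg(p2, p1)) <= max_elev2


def visibility_matrix(sats, occlusion_radius_km: float = R_EARTH_KM) -> List[List[int]]:
    """Inter-satellite visibility matrix M: 1 only when both the geometric and
    the beam visibility relationship hold."""
    pos = [to_ecef(lat, lon, alt) for lat, lon, alt, _ in sats]
    n = len(sats)
    M = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if (geometric_visible(pos[i], pos[j], occlusion_radius_km)
                    and beam_visible(pos[i], pos[j], sats[i][3], sats[j][3])):
                M[i][j] = M[j][i] = 1
    return M
```

In the sample, satellites 0 and 2 (60 degrees apart) fail the geometric check, while satellites 1 and 3 (44 degrees apart) clear the Earth but lie 22 degrees below each other's horizon and so fail the beam check.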

Based on any of the above embodiments, fig. 2 is a schematic structural diagram of a link flooding attack protection device provided by an embodiment of the present invention, and as shown in fig. 2, the device includes:

an information obtaining unit 201, configured to obtain each traffic transmission requirement of a satellite network, an inter-satellite visibility relationship between satellites in the satellite network, and a beam number of each satellite;

a path candidate unit 202, configured to determine, based on inter-satellite visibility relationships between the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission demand;

the selecting and allocating unit 203 is configured to determine a final transmission path corresponding to each traffic transmission requirement and perform traffic allocation based on each traffic transmission requirement and the plurality of candidate transmission paths corresponding to each traffic transmission requirement.

Specifically, the information acquiring unit 201 is configured to acquire each traffic transmission requirement of the satellite network, an inter-satellite visibility relationship between each satellite in the satellite network, and a beam number of each satellite.

Each traffic transmission requirement of the satellite network refers to information such as network transmission data volume from each source satellite to a destination satellite in the satellite network. The traffic transmission demand may be obtained by a satellite operation and control system, or may be obtained based on a traffic prediction algorithm, which is not specifically limited in the embodiment of the present invention.

The inter-satellite visibility relationship between the satellites in the satellite network includes a geometric visibility relationship and a beam visibility relationship. The geometric visibility relationship indicates whether the inter-satellite link is blocked by the Earth or the ionosphere; the beam visibility relationship indicates whether the two satellites lie within each other's beam scanning range. Two satellites are visible to each other only if they satisfy both the geometric visibility relationship and the beam visibility relationship, and only two visible satellites can establish an inter-satellite single-hop path, that is, an inter-satellite transmission path. The inter-satellite visibility relationship may be obtained from a satellite operation and control system or calculated from the real-time state parameters of the satellites, which the embodiment of the present invention does not specifically limit.

The number of beams of each satellite in the satellite network can be the same or different; the technical system of the beam may be a spot beam or a wide beam. The embodiment of the invention does not specifically limit the number of satellite beams and the technical system.

A path candidate unit 202, configured to determine, based on inter-satellite visibility relationships between the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission requirement. Multiple possible transmission paths may be selected per traffic transmission requirement. However, each possible transmission path is affected by the inter-satellite visibility relationship, and there may be a case where the geometric visibility relationship and/or the beam visibility relationship are not satisfied, and the network transmission traffic cannot be transmitted from the source satellite to the destination satellite. Therefore, a plurality of candidate transmission paths corresponding to each traffic transmission requirement need to be selected from a plurality of possible transmission paths, so as to ensure that the network transmission traffic can be transmitted from the source satellite to the destination satellite.

The candidate transmission paths are simultaneously limited by the number of beams for each satellite. For example, assuming that the beam technology system is spot beams, a satellite can only establish an inter-satellite single-hop path, that is, a network traffic transmission path, with one other satellite through one beam. If the number of candidate transmission paths through a satellite exceeds the number of beams of the satellite, the excess candidate transmission paths are invalid transmission paths with no available beams when transmitting on the satellite.

The selecting and allocating unit 203 is configured to determine a final transmission path corresponding to each traffic transmission requirement and perform traffic allocation based on each traffic transmission requirement and the plurality of candidate transmission paths corresponding to each traffic transmission requirement. And aiming at each flow transmission demand, selecting one or more transmission paths from a plurality of candidate transmission paths corresponding to each flow transmission demand as a final transmission path, and respectively distributing network flow to the selected final transmission path, so that the sum of the network flow distributed by the final transmission path corresponding to each flow transmission demand is equal to the sum of each flow transmission demand.

The link flooding attack protection device provided by the embodiment of the invention realizes the balanced distribution of network flow in the satellite network by acquiring the inter-satellite visibility relationship and the number of beams among satellites in the satellite network, so that the satellite network can redistribute network flow load as much as possible when facing link flooding attack, the crowding degree of an attacked single-hop path is reduced, and the target area and an external network can be ensured to be in normal communication.

Based on any of the above embodiments, the path candidate unit 202 is specifically configured to:

determining a plurality of candidate transmission paths corresponding to each flow transmission requirement in any time slice based on a flow transmission path selection strategy, the number of wave beams of each satellite and the inter-satellite visibility relation between the satellites in any time slice; any time slice is the current time slice or the subsequent time slice.

Based on any of the above embodiments, the path candidate unit 202 is specifically configured to:

determining the shortest transmission path between a source satellite and a target satellite of any flow transmission requirement except for the existing candidate transmission path based on the inter-satellite visibility relationship among the satellites in any time slice, the number of beams of each satellite and a flow transmission path selection strategy;

determining an effective judgment result of the shortest transmission path based on the inter-satellite visibility relationship among the satellites in the shortest transmission path;

if the effective judgment result is effective, the shortest transmission path is taken as a candidate transmission path corresponding to any flow transmission requirement, and the inter-satellite visibility relationship among the satellites is updated;

and if the candidate transmission paths corresponding to the traffic transmission demand do not satisfy the preset condition, determining the next shortest transmission path between the source satellite and the destination satellite of the traffic transmission demand, excluding the existing candidate transmission paths, based on the inter-satellite visibility relationship between the satellites in the time slice, the number of beams of each satellite and the traffic transmission path selection policy; otherwise, returning the candidate transmission path set consisting of the candidate transmission paths corresponding to the traffic transmission demand.

Based on any of the above embodiments, the traffic transmission path selection policy includes at least one of node disjointness, edge disjointness, and node edge disjointness.

Based on any of the above embodiments, the traffic transmission path selection policy comes from a user-defined setting and/or a security service capability orchestration system.

Based on any of the above embodiments, the preset condition is that the number of candidate transmission paths corresponding to any transmission requirement reaches the upper limit of the number of beams of the corresponding source satellite and/or destination satellite; or no beams are available to the source satellite and/or the destination satellite for any transmission requirement.

Based on any of the above embodiments, the selecting and allocating unit 203 is specifically configured to:

and establishing a final transmission path corresponding to each flow transmission demand of the current time slice respectively and performing flow distribution based on a plurality of candidate transmission paths corresponding to each flow transmission demand of the current time slice respectively or a plurality of candidate transmission paths corresponding to each flow transmission demand of the current time slice and a plurality of subsequent time slices respectively.

Based on any of the above embodiments, establishing a final transmission path corresponding to each traffic transmission requirement of the current time slice and performing traffic distribution, specifically including:

determining a final transmission path corresponding to each flow transmission requirement of the current time slice;

and based on the flow transmission distribution strategy, carrying out flow distribution on the final transmission paths corresponding to the flow transmission requirements of the current time slice.

Based on any of the above embodiments, the traffic transmission allocation policy includes at least one of minimizing a maximum bandwidth utilization of a full-network single-hop path, minimizing a transmission delay of the full-network traffic, minimizing a transmission distance of the full-network traffic, and minimizing a transmission hop count of the full-network traffic.

Based on any of the above embodiments, the traffic transmission allocation policy is from a user-defined setting and/or a security service capability orchestration system.

Based on any of the above embodiments, the information obtaining unit 201 is specifically configured to:

and if the satellite network is attacked by link flooding, acquiring each flow transmission requirement of the satellite network, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite.

According to any of the above embodiments, the inter-satellite visibility relationship between the respective satellites in the satellite network is determined based on the position information and the beam scannable elevation information of the respective satellites.

Based on any of the above embodiments, fig. 3 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention, and as shown in fig. 3, the electronic device may include: a processor 301, a communication interface 304, a memory 302 and a communication bus 303, wherein the processor 301, the communication interface 304 and the memory 302 communicate with each other through the communication bus 303. The processor 301 may call logic instructions in the memory 302 to perform the following method: acquiring each traffic transmission demand of a satellite network, the inter-satellite visibility relationship among satellites in the satellite network and the number of beams of each satellite; determining a plurality of candidate transmission paths corresponding to each traffic transmission demand respectively based on the inter-satellite visibility relationship among the satellites and the number of beams of each satellite; and determining a final transmission path corresponding to each traffic transmission demand and performing traffic distribution based on each traffic transmission demand and the plurality of candidate transmission paths corresponding to each traffic transmission demand.

Furthermore, the logic instructions in the memory 302 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.

An embodiment of the present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, carries out the method provided by the foregoing embodiments, for example: acquiring each traffic transmission demand of a satellite network, the inter-satellite visibility relationship among the satellites in the satellite network and the number of beams of each satellite; determining, based on the inter-satellite visibility relationship among the satellites and the number of beams of each satellite, a plurality of candidate transmission paths corresponding to each traffic transmission demand; and determining, based on each traffic transmission demand and its corresponding candidate transmission paths, a final transmission path for each traffic transmission demand and performing traffic distribution accordingly.
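As an added illustration that is not part of the patent text, the following Python model walks through the three steps summarised in the two preceding paragraphs (acquire demands, visibility and beam counts; enumerate candidate paths; select a final path per demand and distribute traffic) on a constructed five-node topology. The node names, beam counts, demands, the four-hop bound, and the rule of choosing the feasible path with the lowest resulting peak link load are all assumptions; the patent does not fix a particular allocation algorithm in these paragraphs.

```python
# Added example, not the patent's own code: a toy model of its three-step method.
# The least-peak-load path choice is an assumed heuristic, not the patent's rule.
from collections import defaultdict
# Constructed sample input (step 1): symmetric visibility pairs and a beam count
# that caps how many distinct inter-satellite links each node can terminate.
VISIBILITY = {("S1", "S2"), ("S2", "S3"), ("S1", "S4"), ("S4", "S3"),
              ("S2", "S4"), ("S3", "S5"), ("S4", "S5")}
BEAMS = {"S1": 2, "S2": 3, "S3": 2, "S4": 3, "S5": 2}
DEMANDS = [("S1", "S5", 40), ("S1", "S5", 30), ("S2", "S5", 20), ("S3", "S4", 10)]

def adjacency(visibility):
    adj = defaultdict(set)
    for a, b in visibility:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def candidate_paths(adj, src, dst, max_hops=4):  # step 2: hop-bounded simple paths
    found, stack = [], [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            found.append(path)
        elif len(path) - 1 < max_hops:
            stack.extend(path + [n] for n in sorted(adj[path[-1]]) if n not in path)
    return found

def allocate(demands, visibility, beams):
    """Step 3: drop paths that overrun a beam budget, then pick the least-loaded."""
    adj, load, used, routes = adjacency(visibility), {}, defaultdict(set), []
    for src, dst, rate in demands:
        feasible = []
        for path in candidate_paths(adj, src, dst):
            links = [frozenset(e) for e in zip(path, path[1:])]
            if any(len(used[n] | {l for l in links if n in l}) > beams[n] for n in path):
                continue  # some satellite would need more beams than it has
            feasible.append((max(load.get(l, 0) + rate for l in links), len(links), path, links))
        if not feasible:
            routes.append((src, dst, rate, None))  # nothing satisfies the constraints
            continue
        _, _, path, links = min(feasible)  # ties: fewer hops, then node names
        for l in links:
            load[l] = load.get(l, 0) + rate
            for n in l:
                used[n].add(l)
        routes.append((src, dst, rate, path))
    return routes, load

if __name__ == "__main__":
    print(*allocate(DEMANDS, VISIBILITY, BEAMS)[0], sep="\n")
```

On this input the second S1→S5 demand is steered away from the already loaded S1-S4-S5 path, and the S3→S4 demand cannot use the directly visible S3-S4 link because S3 has only two beams, so it is routed through S2.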

The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.

Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.

Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
