-
Publication No.: US10536321B2
Publication date: 2020-01-14
Application No.: US15674969
Application date: 2017-08-11
Applicant: Huawei Technologies Co., Ltd.
Inventor: Jinming Li, Chengchen Hu, Huanzhao Wang
Abstract: The present disclosure discloses a message attack defense method and apparatus. The method includes: receiving, by a controller, a report message sent by at least one switch; respectively storing, by the controller in a switch queue corresponding to each switch, the received report message that is sent by each switch; and performing, by the controller, round-robin scheduling on the switch queue corresponding to each switch.
-
Publication No.: US20180167325A1
Publication date: 2018-06-14
Application No.: US15892417
Application date: 2018-02-09
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Jinming Li, Chengchen Hu, Peng Zhang
IPC: H04L12/803, H04L12/721, H04L12/26
Abstract: The present disclosure relates to the communications field, and specifically, to a flow table processing method and an apparatus. The method includes: monitoring, by a switch, a flow table load of the switch; when the flow table load of the switch exceeds a preset threshold, determining, by the switch, a diffusion target of a target data flow according to a matching rule of a diffusive flow table; and when the determined diffusion target is a neighboring switch of the switch, forwarding, by the switch, the target data flow to the neighboring switch. When the flow table load of the switch exceeds the preset threshold, the switch may have been attacked. A data flow that fails to be matched to a flow entry is forwarded to the neighboring switch according to a diffusion probability, for processing by the neighboring switch.
-
Publication No.: US20170359350A1
Publication date: 2017-12-14
Application No.: US15667635
Application date: 2017-08-03
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Jinming Li, Yan Chen, Chengchen Hu
IPC: H04L29/06
Abstract: The application relates to controlling access in a software-defined network (SDN). A controller in the SDN receives an access request from an application program. The controller determines whether an operation on a resource as specified in the access request belongs to a permission list corresponding to the application program. The permission list includes a list of permitted operations on the resource by the application program. When the operation as specified in the access request belongs to the permission list, the controller sends a reply message allowing access by the application program. In this way, accesses by the application program are restricted according to the permission list, and malicious attacks from the application program can be prevented to ensure network security.
-
Publication No.: US20170338998A1
Publication date: 2017-11-23
Application No.: US15674969
Application date: 2017-08-11
Applicant: Huawei Technologies Co, Ltd.
Inventor: Jinming Li, Chengchen Hu, Huanzhao Wang
CPC classification number: H04L29/06911, G06F9/4881, H04L12/56, H04L29/06, H04L63/1458, H04L2012/5682, H04W24/10
Abstract: The present disclosure discloses a message attack defense method and apparatus. The method includes: receiving, by a controller, a report message sent by at least one switch; respectively storing, by the controller in a switch queue corresponding to each switch, the received report message that is sent by each switch; and performing, by the controller, round-robin scheduling on the switch queue corresponding to each switch.
-
Publication No.: US10785226B2
Publication date: 2020-09-22
Application No.: US15667635
Application date: 2017-08-03
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Jinming Li, Yan Chen, Chengchen Hu
Abstract: The application relates to controlling access in a software-defined network (SDN). A controller in the SDN receives an access request from an application program. The controller determines whether an operation on a resource as specified in the access request belongs to a permission list corresponding to the application program. The permission list includes a list of permitted operations on the resource by the application program. When the operation as specified in the access request belongs to the permission list, the controller sends a reply message allowing access by the application program. In this way, accesses by the application program are restricted according to the permission list, and malicious attacks from the application program can be prevented to ensure network security.
-
Publication No.: US10728154B2
Publication date: 2020-07-28
Application No.: US15892417
Application date: 2018-02-09
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Jinming Li, Chengchen Hu, Peng Zhang
IPC: H04L12/803, H04L12/721, H04L12/26, H04L12/751, H04L12/715, H04L12/759, H04L12/743
Abstract: The present disclosure relates to the communications field, and specifically, to a flow table processing method and an apparatus. The method includes: monitoring, by a switch, a flow table load of the switch; when the flow table load of the switch exceeds a preset threshold, determining, by the switch, a diffusion target of a target data flow according to a matching rule of a diffusive flow table; and when the determined diffusion target is a neighboring switch of the switch, forwarding, by the switch, the target data flow to the neighboring switch. When the flow table load of the switch exceeds the preset threshold, the switch may have been attacked. A data flow that fails to be matched to a flow entry is forwarded to the neighboring switch according to a diffusion probability, for processing by the neighboring switch.
-
Publication No.: US10652262B2
Publication date: 2020-05-12
Application No.: US16130719
Application date: 2018-09-13
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Donghui Wang, Yadong Zhou, Chengchen Hu
IPC: H04L29/06, H04L12/755, H04L12/26, H04L12/721, H04L12/741, H04L12/891
Abstract: The present disclosure relates to a data flow forwarding abnormality detection method. In one example method, a switching device through which a to-be-detected data flow passes is determined by a controller. At least one flow entry in the switching device that matches the to-be-detected data flow is obtained. The at least one flow entry comprises actual traffic and a match field. The actual traffic is a value of a counter corresponding to the match field. An overdetermined equation set is established based on the actual traffic and theoretical traffic of a data flow in the switching device that matches the match field. Based on the overdetermined equation set, a determination is made on whether the at least one flow entry is abnormal.