公开(公告)号：US10298600B2

公开(公告)日：2019-05-21

申请号：US14985807

申请日：2015-12-31

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Jinming Li ,  Donghui Wang

IPC: G06F17/00 ,  H04L29/06 ,  H04L12/64

Abstract: The present disclosure provides a method, an apparatus, and a system for cooperative defense on a network. Alarm information sent by a security device of a first subnet that is being attacked is received by a controller; the controller generates flow table information according to the alarm information, and forwards the flow table information to a switching device of the first subnet and a switching device of at least one second subnet, which is equivalent to that, after detecting an attack, a security device of a subnet generates alarm information, and shares, by using the controller, the alarm information with a switching device of the subnet and a switching device of another subnet that is not being attacked, to form networkwide cooperative defense, thereby enhancing network security.

公开(公告)号：US11637755B2

公开(公告)日：2023-04-25

申请号：US17205357

申请日：2021-03-18

Applicant: Huawei Technologies Co., Ltd.

Inventor： Donghui Wang ,  Jinming Li

IPC: H04L41/12 ,  H04L41/044 ,  H04L12/46

Abstract: A software defined network (SDN) system, controller, and controlling method, where the SDN system includes at least one Nth level controller and at least two (N+1)th level controllers belonging to the Nth level controller, where the (N+1)th level controller is configured to receive a first message sent by a node belonging to the (N+1)th level controller, and when the first message is a cross-domain message according to status information of each node that is managed by the (N+1)th level controller, forward the first message to the Nth level controller to which the (N+1)th level controller belongs, and the Nth level controller receives the first message, and perform decision processing according to status information of the (N+1)th level controller that is managed by and belongs to the Nth level controller and status information of boundary nodes of the (N+1)th level controller belonging to the Nth level controller.

公开(公告)号：US10917437B2

公开(公告)日：2021-02-09

申请号：US16015208

申请日：2018-06-22

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Jinming Li ,  Donghui Wang

IPC: H04L29/06 ,  H04L12/751

Abstract: Conflict detection and resolution methods and apparatuses relate to the field of communications technologies. The conflict detection method includes: acquiring, by a controller, a flow path of a data flow on a network, where the flow path is used to indicate a path along which the data flow reaches an address in a destination address range from an address in a source address range through at least two intermediate nodes on the network, a first flow table rule is added to or deleted from flow tables of the at least two intermediate nodes, and the first flow table rule is any flow table rule; and determining, by the controller, whether a conflict exists according to an address range of the flow path and an address range of a security policy.

公开(公告)号：US20200059412A1

公开(公告)日：2020-02-20

申请号：US16665773

申请日：2019-10-28

Applicant: Huawei Technologies Co., Ltd.

Inventor： Donghui Wang ,  Jinming Li

IPC: H04L12/24 ,  H04L12/46

Abstract: A software defined network (SDN) system, controller, and controlling method, where the SDN system includes at least one Nth level controller and at least two (N+1)th level controllers belonging to the Nth level controller, where the (N+1)th level controller is configured to receive a first message sent by a node belonging to the (N+1)th level controller, and when the first message is a cross-domain message according to status information of each node that is managed by the (N+1)th level controller, forward the first message to the Nth level controller to which the (N+1)th level controller belongs, and the Nth level controller receives the first message, and perform decision processing according to status information of the (N+1)th level controller that is managed by and belongs to the Nth level controller and status information of boundary nodes of the (N+1)th level controller belonging to the Nth level controller.

公开(公告)号：US10476897B2

公开(公告)日：2019-11-12

申请号：US15641841

申请日：2017-07-05

Applicant: Huawei Technologies Co., Ltd.

Inventor： Xiaoxin Wu ,  Jinming Li

IPC: H04L29/00 ,  H04L29/06 ,  G06F21/55

Abstract: A method and an apparatus for improving network security. The method includes obtaining, by a control node, alarm information, where the alarm information includes address information of an attack source that attacks a subnet of at least two subnets and identification information of the attacked subnet of the at least two subnets, using, by the control node, the alarm information to sort the attack sources in descending order of threat levels, and using a sorting result as a blacklist, and sending, by the control node, the obtained blacklist to at least one subnet that is not attacked yet in the network system. The method and apparatus are applicable to collaborative defense among multiple subnets.

公开(公告)号：US09401928B2

公开(公告)日：2016-07-26

申请号：US14564963

申请日：2014-12-09

Applicant: Huawei Technologies Co., Ltd.

Inventor： Donghui Wang ,  Jinming Li

IPC: H04L9/32 ,  H04L29/06 ,  H04L12/715 ,  H04L12/721

CPC classification number: H04L63/16 ,  H04L45/12 ,  H04L45/123 ,  H04L45/64 ,  H04L63/105 ,  H04L63/164 ,  H04L65/60

Abstract: Embodiments of the present invention provide a data stream security processing method and apparatus. In the embodiments of the present invention, security levels of data streams are determined according to different feature information of the data streams, and forwarding paths corresponding to the data streams are determined according to the security levels, where a forwarding path may go through a security device to implement a corresponding security function of the forwarding path, thereby improving data stream forwarding security and lightening load of a central controller.

Abstract translation: 本发明的实施例提供了一种数据流安全处理方法和装置。 在本发明的实施例中，根据数据流的不同特征信息来确定数据流的安全级别，并且根据安全级别来确定与数据流相对应的转发路径，其中转发路径可以经过安全性 实现转发路径的相应安全功能，从而提高中央控制器的数据流转发安全性和减轻负载。

公开(公告)号：US20210211359A1

公开(公告)日：2021-07-08

申请号：US17205357

申请日：2021-03-18

Applicant: Huawei Technologies Co., Ltd.

Inventor： Donghui Wang ,  Jinming Li

IPC: H04L12/24 ,  H04L12/46

Abstract: A software defined network (SDN) system, controller, and controlling method, where the SDN system includes at least one Nth level controller and at least two (N+1)th level controllers belonging to the Nth level controller, where the (N+1)th level controller is configured to receive a first message sent by a node belonging to the (N+1)th level controller, and when the first message is a cross-domain message according to status information of each node that is managed by the (N+1)th level controller, forward the first message to the Nth level controller to which the (N+1)th level controller belongs, and the Nth level controller receives the first message, and perform decision processing according to status information of the (N+1)th level controller that is managed by and belongs to the Nth level controller and status information of boundary nodes of the (N+1)th level controller belonging to the Nth level controller.

公开(公告)号：US20180167325A1

公开(公告)日：2018-06-14

申请号：US15892417

申请日：2018-02-09

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Jinming Li ,  Chengchen Hu ,  Peng Zhang

IPC: H04L12/803 ,  H04L12/721 ,  H04L12/26

Abstract: The present disclosure relates to the communications field, and specifically, to a flow table processing method and an apparatus. The method includes: monitoring, by a switch, a flow table load of the switch; when the flow table load of the switch exceeds a preset threshold, determining, by the switch, a diffusion target of a target data flow according to a matching rule of a diffusive flow table; and when the determined diffusion target is a neighboring switch of the switch, forwarding, by the switch, the target data flow to the neighboring switch. When the flow table load of the switch exceeds the preset threshold, the switch may have been attacked. A data flow that fails to be matched to a flow entry is forwarded to the neighboring switch according to a diffusion probability, for processing by the neighboring switch.

公开(公告)号：US20170359350A1

公开(公告)日：2017-12-14

申请号：US15667635

申请日：2017-08-03

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Jinming Li ,  Yan Chen ,  Chengchen Hu

IPC: H04L29/06

Abstract: The application relates to controlling access in a software-defined network (SDN). A controller in the SDN receives an access request from an application program. The controller determines whether an operation on a resource as specified in the access request belongs to a permission list corresponding to the application program. The permission list includes a list of permitted operations on the resource by the application program. When the operation as specified in the access request belongs to the permission list, the controller sends a reply message allowing access by the application program. In this way, accesses by the application program are restricted according to the permission list, and malicious attacks from the application program can be prevented to ensure network security.

公开(公告)号：US20170338998A1

公开(公告)日：2017-11-23

申请号：US15674969

申请日：2017-08-11

Applicant: Huawei Technologies Co, Ltd.

Inventor： Jinming Li ,  Chengchen Hu ,  Huanzhao Wang

IPC: H04L29/06 ,  H04L12/54 ,  H04W24/10 ,  G06F9/48 ,  H04L12/70

CPC classification number: H04L29/06911 ,  G06F9/4881 ,  H04L12/56 ,  H04L29/06 ,  H04L63/1458 ,  H04L2012/5682 ,  H04W24/10

Abstract: The present disclosure discloses a message attack defense method and apparatus. The method includes: receiving, by a controller, a report message sent by at least one switch; respectively storing, by the controller in a switch queue corresponding to each switch, the received report message that is sent by each switch; and performing, by the controller, round-robin scheduling on the switch queue corresponding to each switch.