Research on Attack Defense and Secure Mobility Management Technologies for the Identifier Network
Published: 2018-05-12 09:02
Topic: Identifier Network + identity/location separation; Source: Beijing Jiaotong University, 2014 doctoral dissertation
[Abstract]: To overcome the shortcomings of the traditional Internet in routing scalability, security, mobility and adaptation to changing user needs, researchers have begun to explore new Internet architectures. Designing the future Internet architecture around identity/location separation and resource/location separation has been one of the main research directions in recent years. The Identifier Network uses separate access identifiers and routing identifiers to decouple the identity and location roles of the IP address, and uses location-independent content names or identifiers to separate resources from location. This dissertation focuses on Identifier Network security, specifically attack defense and secure mobility management. The main work and contributions are as follows:

1. A mapping-based DDoS defense method for identity/location-separated environments, comprising a lightweight network-based privilege token mechanism and an active DDoS defense mechanism based on mapping filtering. The method distributes privilege tokens using the correspondence between access identifiers and routing identifiers, so that a victim can actively ask the network to block DDoS attack flows. Numerical analysis and experiments verify the feasibility and effectiveness of the method in preventing DDoS attacks and defending against DDoS attack flows.

2. A network-based secure mobility management method for terminals in identity/location-separated environments. Based on the AAA model, it designs in detail the initial secure access of a mobile terminal and the secure intra-domain and inter-domain handover procedures. A handover delay analysis model is given and compared; the results show that the method prevents man-in-the-middle, replay and message tampering attacks, with low authentication delay, handover delay and handover blocking rate.

3. A cooperative feedback defense method against Interest flooding attacks based on prefix identification, for resource/location-separated environments. The method detects an Interest flooding attack from the Pending Interest Table (PIT) usage rate and the Interest satisfaction ratio, identifies abnormal content name prefixes from the PIT's expired-entry list, and limits the forwarding of abnormal Interests through feedback. Simulation experiments and comparison analyze the performance of different Interest flooding defense methods; the results show that the method accurately identifies abnormal content name prefixes, quickly limits the transmission of malicious Interests by prefix, and reduces the impact of the attack on legitimate users.

4. An identity-based secure mobility management method for content sources in resource/location-separated environments. Identity/location separation, control/data separation and identity-based cryptography are applied to secure content source mobility management; the secure handover procedure of the content source and the rendezvous point selection method are designed in detail. Numerical analysis and comparison show that the method has low handover delay and cost, completes key agreement, prevents false location updates, and supports mutual authentication and fast re-authentication.
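As an added illustration of the detection pipeline in item 3 (example code, not from the dissertation or its authors): PIT usage rate together with the Interest satisfaction ratio raises the alarm, prefixes over-represented among expired PIT entries are flagged, and a per-prefix quota stands in for the feedback-driven forwarding limit. Thresholds, the content name layout and the quota are assumed values.

```python
from collections import Counter

def pit_usage(pit_size, pit_capacity):
    """Fraction of the Pending Interest Table (PIT) currently occupied."""
    return pit_size / pit_capacity

def interest_satisfaction_ratio(data_returned, interests_forwarded):
    """Share of forwarded Interests answered by Data before they expired."""
    return data_returned / interests_forwarded if interests_forwarded else 1.0

def ifa_detected(pit_size, pit_capacity, data_returned, interests_forwarded,
                 usage_threshold=0.8, isr_threshold=0.5):
    """Alarm when the PIT is nearly full AND few Interests are satisfied, which
    separates flooding from a legitimate burst; thresholds are assumed."""
    return (pit_usage(pit_size, pit_capacity) >= usage_threshold and
            interest_satisfaction_ratio(data_returned, interests_forwarded)
            <= isr_threshold)

def name_prefix(name, components=2):
    """'/video/fake/7' -> '/video/fake' (first `components` name components)."""
    return "/" + "/".join(name.strip("/").split("/")[:components])

def abnormal_prefixes(expired_names, share_threshold=0.3, components=2):
    """Prefixes covering more than share_threshold of the PIT's expired entries.
    Forged Interests share a routable prefix but never bring Data back, so they
    accumulate in the expired list under that prefix."""
    if not expired_names:
        return []
    counts = Counter(name_prefix(n, components) for n in expired_names)
    return sorted(p for p, c in counts.items()
                  if c / len(expired_names) > share_threshold)

def rate_limit(incoming, limited_prefixes, quota, components=2):
    """Apply the feedback: Interests under a limited prefix are forwarded only
    while that prefix's quota lasts; other Interests pass. -> (forwarded, dropped)"""
    remaining = dict.fromkeys(limited_prefixes, quota)
    forwarded, dropped = [], []
    for name in incoming:
        prefix = name_prefix(name, components)
        if prefix in remaining:
            if remaining[prefix] == 0:
                dropped.append(name)
                continue
            remaining[prefix] -= 1
        forwarded.append(name)
    return forwarded, dropped

# Constructed sample of expired PIT entries: 7 of 10 sit under the forged prefix.
EXPIRED = ["/video/fake/%d" % i for i in range(7)] + [
    "/news/today/1", "/news/today/2", "/music/top/9"]
```

With the sample above, `abnormal_prefixes(EXPIRED)` flags only `/video/fake`, and `rate_limit` then forwards Interests under that prefix only up to the quota while ordinary Interests pass unchanged.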
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Doctorate
[Year awarded]: 2014
[Classification number]: TP393.08
Article ID: 1877989
Link: http://sikaile.net/guanlilunwen/ydhl/1877989.html