Deployability Evaluation Model and Method Design for Inter-Domain Source Address Validation on the Internet
Published: 2018-08-21 19:56
[Abstract]: On today's Internet, IP source address spoofing is widely used in network attacks to hide the origin of an attack or to achieve particular attack effects. This seriously endangers network security, undermines the foundation of network trust, disrupts network management, and hinders network innovation and development. Inter-domain source address validation methods suppress spoofed traffic by enforcing source address authenticity at the autonomous system (AS) level. Over the past decade and more, many such methods have been proposed, and some have even been implemented in routers, yet their deployment remains insufficient and their deployment rate has not improved for years, so spoofing attacks keep intensifying. To promote deployment, this thesis studies the deployability of inter-domain source address validation methods. Starting from the interests of deployers, we propose deployability evaluation indicators, build an evaluation model, evaluate existing validation methods, summarize design principles for validation methods, and design highly deployable validation methods, which we implement and deploy on the production network. The main contributions are as follows:
1. Deployability evaluation indicators and an evaluation model for inter-domain source address validation methods are proposed. From the deployer's perspective, deployment benefit, deployment cost and operational risk are defined as the three deployability indicators, and their rationality is proved using economic theory. A quantitative evaluation model for the three indicators is established and its correctness is verified.
2. The deployability of existing inter-domain source address validation methods is evaluated. Using the proposed model and real Internet data, the deployment benefit, deployment cost and operational risk of the main existing methods are evaluated. Combined with a novel classification of validation methods, the deployability characteristics of each class are summarized.
3. The design objective, feasible solution space and design principles for inter-domain source address validation methods are proposed. Through theoretical analysis, a Pareto-optimal validation method in the sense of multi-objective optimization is taken as the design objective. Based on practical requirements, operational risk is fixed at its minimum, which reduces the dimensionality of the solution space; the feasible solution space is identified, and the location and characteristics of the Pareto-optimal solutions are described. Design principles for validation methods are summarized to guide the design of the Pareto-optimal methods in the later chapters.
4. A low-risk, low-cost mutual end filtering method, MIEF, is designed. MIEF builds on end filtering techniques already implemented in routers, achieving low risk and low cost, and raises deployment benefit through mutual defense among deployers. MIEF's control system, audit system and data plane optimization algorithm are designed, and its deployability is evaluated.
5. A low-risk, high-benefit inter-domain cooperative defense system, ICS, is designed. ICS uses end-based and end-to-end protection functions to form an inter-domain cooperative alliance, achieving low risk and high benefit, and reduces cost through on-demand defense. ICS's protection functions, control system and data plane protocol are designed, its deployability is evaluated, and the system is implemented and deployed at large scale on the production network.
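As an added illustration of the selection step in contribution 3 (not code from the thesis), this example fixes operational risk at its minimum and then takes the Pareto front over deployment benefit and deployment cost. All method names and scores are constructed, and the score scales are assumptions.

```python
# Added example: Pareto-optimal selection over the thesis's three deployability
# indicators (benefit, cost, risk). Method names and scores are constructed
# for illustration; the score scales are assumptions, not thesis measurements.
from dataclasses import dataclass


@dataclass(frozen=True)
class Method:
    name: str
    benefit: float  # deployment benefit, higher is better (assumed 0..1)
    cost: float     # deployment cost, lower is better (assumed relative units)
    risk: float     # operational risk, lower is better (assumed 0..1)


def dominates(a: Method, b: Method) -> bool:
    """a dominates b if it is no worse on every indicator and strictly better on one."""
    no_worse = a.benefit >= b.benefit and a.cost <= b.cost and a.risk <= b.risk
    strictly = a.benefit > b.benefit or a.cost < b.cost or a.risk < b.risk
    return no_worse and strictly


def pareto_front(methods):
    """Full three-objective front: methods not dominated by any other candidate."""
    return [m for m in methods if not any(dominates(o, m) for o in methods if o is not m)]


def reduced_front(methods, max_risk):
    """Dimension reduction as in the thesis: keep only the lowest-risk candidates
    (risk <= max_risk), then take the benefit/cost front among them."""
    return pareto_front([m for m in methods if m.risk <= max_risk])


def front_names(front):
    return sorted(m.name for m in front)


# Constructed candidate set (hypothetical scores). "route-tagging" scores well on
# benefit and cost but carries high operational risk; "legacy-crypto" is dominated.
CANDIDATES = [
    Method("ingress-acl",   benefit=0.30, cost=1.0, risk=0.05),
    Method("mutual-filter", benefit=0.55, cost=1.5, risk=0.05),
    Method("alliance",      benefit=0.80, cost=2.5, risk=0.05),
    Method("route-tagging", benefit=0.85, cost=2.0, risk=0.40),
    Method("legacy-crypto", benefit=0.50, cost=3.0, risk=0.20),
]

if __name__ == "__main__":
    print("full front:      ", front_names(pareto_front(CANDIDATES)))
    print("risk-fixed front:", front_names(reduced_front(CANDIDATES, max_risk=0.05)))
```

Fixing risk first removes the high-benefit but risky candidate from consideration, leaving a pure benefit/cost trade-off among the remaining methods.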
[Degree-granting institution]: Tsinghua University
[Degree level]: Doctoral
[Year degree granted]: 2014
[Classification number]: TP393.08