
Research on Interest Flooding Attacks and Defence Countermeasures in Named Data Networking

Published: 2018-10-25 20:30
[Abstract]: Named Data Networking (NDN) is a new network architecture for the next-generation Internet. As content-oriented, data-driven models become the trend of the future Internet, NDN may replace the current TCP/IP-based architecture. As one realization of the next-generation Internet architecture, the security of NDN has received wide attention. Although NDN can resist most existing forms of network attack, it cannot effectively resist a DDoS-like attack: the Interest flooding attack. An Interest flooding attack exploits a security logic flaw in NDN's own forwarding mechanism, flooding large numbers of malicious Interest packets at a high rate to exhaust network resources and paralyse the network. Given the severity of this threat, this thesis does the following:
(1) Describes the attack pattern of Interest flooding in the NDN environment, analyses its principle, introduces the impact the attack may have on the network, and through inductive analysis proposes three major characteristics of the Interest flooding attack. Based on these three characteristics, it analyses the detection principles of several existing Interest flooding defence schemes, summarises the essence of the quantitative indicator each scheme monitors, and maps each indicator onto the three attack characteristics. The schemes are also compared and the advantages and disadvantages of each are analysed.
(2) Proposes a distributed monitoring mechanism, so that packets carry the identifier of the originating network node as they travel between NDN nodes, making it easier to monitor the distributed nature of Interest flooding attacks.
(3) Uses three quantitative indicators to characterise the three attack characteristics, normalises them and maps them onto the three dimensions of a vector space model; the distance in that space describes the probability that an Interest is an attack packet. A time-varying Markov model is built to describe the state transitions of Interest packets as they are forwarded through network nodes. A packet-forwarding logic based on the vector space model and the time-varying Markov model is proposed, and a cooperative defence mechanism between network nodes is implemented.
(4) Proposes a retransmission forwarding mechanism: under the defence scheme, legitimate Interests may be dropped through misjudgment, so Interests retransmitted by a user are marked as "normal" by network nodes, guaranteeing that legitimate packets are delivered.
(5) Simulates the proposed Interest flooding defence scheme on a small tree topology and on a large network topology, using PIT occupancy rate and Interest response rate as evaluation metrics, and verifies the effectiveness and feasibility of the scheme.
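To make the forwarding decision summarised in items (3) to (5) concrete, here is an added Python sketch of one NDN node (this is not code from the thesis): three normalised indicators are scored by their vector distance, an Interest that was dropped and then retransmitted is recovered as "normal", and the two evaluation metrics, PIT occupancy rate and Interest response rate, are computed. The indicator placeholders, the drop threshold, the origin-based distance and the "same name seen again after a drop" retry rule are assumptions; the time-varying Markov model is not modelled.

```python
import math
from dataclasses import dataclass, field

def attack_likelihood(ind):
    """ind: three indicators already normalised to [0, 1] (placeholders; the
    abstract does not name them). Euclidean distance from the all-benign origin,
    scaled to [0, 1]; origin and sqrt(3) scaling are assumptions."""
    return min(1.0, math.sqrt(sum(x * x for x in ind)) / math.sqrt(3))

@dataclass
class Node:
    pit_capacity: int
    threshold: float = 0.6                      # assumed drop threshold
    pit: dict = field(default_factory=dict)     # name -> tick it was forwarded
    dropped: set = field(default_factory=set)   # names dropped as suspected attack
    sent: int = 0
    satisfied: int = 0
    def on_interest(self, name, ind, tick):
        if name in self.pit:
            return "aggregated"                 # ordinary PIT aggregation
        if len(self.pit) >= self.pit_capacity:
            return "pit_full"
        # Retransmission mechanism: a name dropped earlier that comes back is
        # treated as a consumer retry and forwarded as "normal" (assumed rule).
        if name in self.dropped:
            self.dropped.discard(name)
        elif attack_likelihood(ind) >= self.threshold:
            self.dropped.add(name)
            return "dropped"
        self.pit[name] = tick
        self.sent += 1
        return "forwarded"
    def on_data(self, name):                    # Data arrives: PIT entry satisfied
        if self.pit.pop(name, None) is not None:
            self.satisfied += 1
    def pit_occupancy_rate(self):
        return len(self.pit) / self.pit_capacity
    def interest_response_rate(self):
        return self.satisfied / self.sent if self.sent else 1.0

def demo():
    # Constructed trace: a misjudged Interest is recovered by the retry rule.
    node = Node(pit_capacity=10)
    benign, attack = (0.1, 0.1, 0.1), (0.9, 0.8, 0.9)
    r1 = node.on_interest("/video/a", attack, 0)   # misjudged, dropped
    r2 = node.on_interest("/video/a", benign, 1)   # retry, forwarded
    r3 = node.on_interest("/video/b", benign, 1)   # forwarded, never answered
    r4 = node.on_interest("/junk/x", attack, 2)    # dropped
    node.on_data("/video/a")
    return r1, r2, r3, r4, node.pit_occupancy_rate(), node.interest_response_rate()
```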
Degree-granting institution: Beijing Jiaotong University
Degree level: Master's
Year awarded: 2015
Classification number: TP393.08


Entry number: 2294761


Source link: http://sikaile.net/guanlilunwen/ydhl/2294761.html

