An OSPF Attack and Anomaly Detection System Based on a Trusted Router
Published: 2018-12-15 11:40
[Abstract]: As the trustworthiness and security of routers receive growing attention, and in order to guarantee that routers and the OSPF routing protocol provide service securely, trustworthily and stably, this thesis proposes an OSPF attack and anomaly detection system based on a trusted router. The specific research work is as follows.

First, the thesis surveys research on trusted networks, dynamic integrity measurement and OSPF protocol security, introduces the current mainstream integrity measurement methods and the methods for preventing attacks and anomalies in the OSPF protocol, and analyses the advantages and disadvantages of each. Building on this prior work and the project background, it proposes the OSPF attack and anomaly detection system based on a trusted router.

Second, the thesis proposes a dynamic integrity measurement model for trusted routers based on the DIMA model. The model uses the TPM on the router to extend the chain of trust to the whole router system and to the functional modules proposed in this thesis, which guarantees the trustworthiness of the router itself and provides dynamic measurement while it runs.

Third, the thesis proposes an OSPF attack detection module and an anomaly monitoring module. The attack detection module stores suspicious attack packets at a small storage cost and, combined with its attack detection procedure, decides whether the router is under attack. This greatly reduces the computational cost of using digital signatures to protect the integrity of protocol packets, and addresses both the inability of the digital-signature approach to cover the age field in the signature and the poor real-time performance of other methods. When the anomaly monitoring module observes an anomaly inside the protocol (such as an abnormal state transition), it records it in the log and requests a measurement from the dynamic integrity measurement module, which performs a dynamic integrity measurement of the router to detect whether it has been maliciously tampered with.

Finally, the thesis implements and evaluates each proposed module on the XORP open-source software router. Experiments show that the attack detection module can block sustained attacks with very low computational overhead, and that the anomaly monitoring module can effectively detect abnormal state transitions and abnormal flooding behaviour inside OSPF, logging them and raising warnings.
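The abstract describes an anomaly monitoring module that flags abnormal OSPF state transitions and abnormal flooding and writes them to a log. The following is an added illustration of what such a monitor checks; it is not the thesis's XORP implementation, and the event format, neighbor router IDs and timestamps are constructed for this example. The permitted neighbor-state transitions are taken from the RFC 2328 neighbor state machine (section 10.3), and the flooding check applies the RFC 2328 MinLSArrival rule (section 13): a new instance of the same LSA arriving less than one second after the previous one is treated as anomalous.

```python
"""Added example: OSPF neighbor-state and LSA-flooding anomaly checks.

Hypothetical code written for this page, not the thesis's XORP code.
Allowed transitions follow the RFC 2328 neighbor FSM; the flooding
check uses the RFC 2328 MinLSArrival constant (1 second).
"""

# Neighbor states in the order RFC 2328 ranks them (Down is lowest).
STATES = ["Down", "Attempt", "Init", "2-Way", "ExStart",
          "Exchange", "Loading", "Full"]
RANK = {s: i for i, s in enumerate(STATES)}

# Forward transitions the FSM permits: from-state -> set of to-states.
FORWARD = {
    "Down": {"Attempt", "Init"},          # Start (NBMA) / HelloReceived
    "Attempt": {"Init"},                  # HelloReceived
    "Init": {"2-Way", "ExStart"},         # 2-WayReceived
    "2-Way": {"ExStart"},                 # AdjOK? decides to form adjacency
    "ExStart": {"Exchange"},              # NegotiationDone
    "Exchange": {"Loading", "Full"},      # ExchangeDone
    "Loading": {"Full"},                  # LoadingDone
}

MIN_LS_ARRIVAL = 1.0  # seconds, RFC 2328 MinLSArrival


def transition_ok(old, new):
    """True if old -> new is a transition the RFC 2328 neighbor FSM can make."""
    if old == new:
        return True
    if new == "Down":            # KillNbr / LLDown / InactivityTimer, any state
        return True
    if new in FORWARD.get(old, set()):
        return True
    # Permitted regressions: 1-WayReceived (>= 2-Way -> Init),
    # AdjOK? (>= ExStart -> 2-Way), SeqNumberMismatch or BadLSReq
    # (>= Exchange -> ExStart).
    if new == "Init" and RANK[old] >= RANK["2-Way"]:
        return True
    if new == "2-Way" and RANK[old] >= RANK["ExStart"]:
        return True
    if new == "ExStart" and RANK[old] >= RANK["Exchange"]:
        return True
    return False


class OspfAnomalyMonitor:
    """Tracks per-neighbor state and per-LSA arrival times, collecting alerts."""

    def __init__(self):
        self.nbr_state = {}      # neighbor router-id -> last observed state
        self.last_arrival = {}   # (ls_type, ls_id, adv_rtr) -> last arrival time
        self.alerts = []         # (time, kind, detail) tuples, in event order

    def on_state(self, t, nbr, new):
        old = self.nbr_state.get(nbr, "Down")
        if not transition_ok(old, new):
            self.alerts.append((t, "ABNORMAL_TRANSITION", f"{nbr}: {old} -> {new}"))
        self.nbr_state[nbr] = new

    def on_lsa(self, t, ls_type, ls_id, adv_rtr):
        key = (ls_type, ls_id, adv_rtr)
        prev = self.last_arrival.get(key)
        if prev is not None and t - prev < MIN_LS_ARRIVAL:
            self.alerts.append((t, "ABNORMAL_FLOODING",
                                f"{key} re-arrived after {t - prev:.2f}s"))
        self.last_arrival[key] = t


def process_events(events):
    """Feed (time, kind, ...) events through the monitor; return its alerts."""
    mon = OspfAnomalyMonitor()
    for ev in events:
        if ev[1] == "STATE":                 # (t, "STATE", neighbor, new_state)
            mon.on_state(ev[0], ev[2], ev[3])
        elif ev[1] == "LSA":                 # (t, "LSA", type, ls_id, adv_rtr)
            mon.on_lsa(ev[0], ev[2], ev[3], ev[4])
    return mon.alerts


# Constructed sample event stream (not captured from a real router).
SAMPLE_EVENTS = [
    (0.0, "STATE", "10.0.0.2", "Init"),
    (0.5, "STATE", "10.0.0.2", "ExStart"),
    (1.0, "STATE", "10.0.0.2", "Exchange"),
    (1.5, "STATE", "10.0.0.2", "Full"),
    (2.0, "STATE", "10.0.0.3", "Full"),        # Down -> Full directly: abnormal
    (3.0, "LSA", 1, "10.0.0.2", "10.0.0.2"),
    (3.2, "LSA", 1, "10.0.0.2", "10.0.0.2"),   # same LSA within 1 s: abnormal
    (9.0, "LSA", 1, "10.0.0.2", "10.0.0.2"),   # normal re-flood
    (10.0, "STATE", "10.0.0.2", "ExStart"),    # SeqNumberMismatch regression: allowed
]

if __name__ == "__main__":
    for t, kind, detail in process_events(SAMPLE_EVENTS):
        print(f"[{t:6.2f}] {kind}: {detail}")   # the log/warning output
```

The monitor treats the first observation of a neighbor as starting from Down, so a neighbor that appears at Full without the intermediate states is reported, which is the kind of transition the thesis's module is described as catching.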
[Degree-granting institution]: Beijing University of Technology
[Degree level]: Master's
[Year granted]: 2014
[Classification number]: TP393.08
Article number: 2380574
Link: http://sikaile.net/guanlilunwen/ydhl/2380574.html