An OSPF Attack and Anomaly Detection System Based on a Trusted Router
Published: 2018-12-15 11:40
[Abstract]: As the trustworthiness and security of routers receive growing attention, this thesis proposes an OSPF attack and anomaly detection system based on a trusted router, so that the router and the OSPF routing protocol can provide service securely, trustworthily and stably. The specific research work is as follows. First, research on trusted networks, dynamic integrity measurement and OSPF protocol security is surveyed; the current mainstream integrity measurement methods and the existing methods for preventing attacks and anomalies in the OSPF protocol are introduced, and the advantages and disadvantages of each are analysed. Building on that prior work and on the project background, an OSPF attack and anomaly detection system based on a trusted router is proposed. Second, a dynamic integrity measurement model for a trusted router, based on the DIMA model, is presented. The model uses the TPM on the router to extend the chain of trust to the whole router system and to the functional modules proposed in this thesis, which guarantees the router's own trustworthiness and provides dynamic measurement at run time. Then, the OSPF attack detection module and the anomaly monitoring module are proposed. The attack detection module stores suspicious attack packets with little storage overhead and, combined with the attack detection procedure, decides whether the router is under attack; this greatly reduces the computational overhead that protecting protocol packet integrity with digital signatures would require, and it addresses both the inability of the digital signature approach to cover the age field and the poor real-time performance of other methods. When the anomaly monitoring module observes an anomaly inside the protocol (such as an abnormal state transition), it records it in the log and issues a measurement request to the dynamic integrity measurement module, which measures the router's dynamic integrity to detect whether the router has been maliciously tampered with. Finally, the proposed modules are implemented and tested on the XORP open-source software router. Experiments verify that the attack detection module can block sustained attacks at very low computational cost, and that the anomaly monitoring module effectively detects abnormal state transitions and abnormal flooding behaviour inside OSPF, recording them in the log and raising warnings.
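The abstract describes an anomaly monitoring module that flags abnormal OSPF state transitions, logs them, and asks the dynamic integrity measurement module to re-measure the router. The following is an added illustration of that control loop, not code from the thesis or from XORP: it validates observed neighbor state changes against the transitions the RFC 2328 neighbor state machine allows (simplified to states only, events omitted), and on an abnormal transition triggers a simulated measurement that re-hashes the monitored modules and compares them with a baseline. The module names, module contents, neighbor IDs, baseline store and log format are all constructed assumptions; a real system would anchor the baseline in the TPM rather than an in-memory dict.

```python
"""Added example: OSPF neighbor-FSM anomaly monitor wired to a simulated
dynamic integrity measurement. Not the thesis's own implementation."""
import hashlib
from datetime import datetime, timezone

# OSPF neighbor states (RFC 2328, section 10.1)
DOWN, ATTEMPT, INIT, TWO_WAY, EXSTART, EXCHANGE, LOADING, FULL = (
    "Down", "Attempt", "Init", "2-Way", "ExStart", "Exchange", "Loading", "Full")
STATES = {DOWN, ATTEMPT, INIT, TWO_WAY, EXSTART, EXCHANGE, LOADING, FULL}

# Transitions permitted by the RFC 2328 neighbor state machine (section 10.3),
# keyed by the state being left. Any state may fall to Down (KillNbr,
# InactivityTimer, LLDown); 2-Way or greater may fall to Init (1-WayReceived);
# ExStart or greater may fall to 2-Way (AdjOK?); Exchange or greater may
# restart at ExStart (SeqNumberMismatch, BadLSReq).
ALLOWED = {
    DOWN:     {ATTEMPT, INIT},
    ATTEMPT:  {INIT, DOWN},
    INIT:     {TWO_WAY, EXSTART, DOWN},
    TWO_WAY:  {EXSTART, INIT, DOWN},
    EXSTART:  {EXCHANGE, TWO_WAY, INIT, DOWN},
    EXCHANGE: {LOADING, FULL, EXSTART, TWO_WAY, INIT, DOWN},
    LOADING:  {FULL, EXSTART, TWO_WAY, INIT, DOWN},
    FULL:     {EXSTART, TWO_WAY, INIT, DOWN},
}


def is_allowed(prev: str, new: str) -> bool:
    """True if the FSM can move from prev to new (staying put is always fine)."""
    if prev not in ALLOWED or new not in STATES:
        return False
    return prev == new or new in ALLOWED[prev]


class IntegrityMeasurer:
    """Simulated dynamic integrity measurement: SHA-256 of each monitored
    module's bytes compared with a baseline taken at construction time.
    The module dict is a constructed stand-in for on-router code images."""

    def __init__(self, modules: dict):
        self.modules = modules
        self.baseline = {name: self._digest(data) for name, data in modules.items()}

    @staticmethod
    def _digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def measure(self) -> list:
        """Names of modules whose current digest no longer matches the baseline."""
        return sorted(name for name, data in self.modules.items()
                      if self._digest(data) != self.baseline[name])


class NeighborMonitor:
    """Tracks each neighbor's last seen state; abnormal transitions are logged
    and trigger a measurement request, mirroring the abstract's design."""

    def __init__(self, measurer: IntegrityMeasurer):
        self.measurer = measurer
        self.state = {}   # neighbor router-id -> current state
        self.log = []     # constructed log entries

    def observe(self, neighbor: str, new_state: str):
        prev = self.state.get(neighbor, DOWN)
        self.state[neighbor] = new_state
        if is_allowed(prev, new_state):
            return None
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "neighbor": neighbor,
            "from": prev,
            "to": new_state,
            "tampered": self.measurer.measure(),   # measurement request
        }
        self.log.append(entry)
        return entry


def run_demo() -> list:
    """Constructed trace: one healthy adjacency, one impossible transition, and
    one impossible transition observed after a module image was altered."""
    measurer = IntegrityMeasurer({"ospfd": b"ospfd-image-v1", "monitor": b"monitor-v1"})
    mon = NeighborMonitor(measurer)
    for s in (INIT, TWO_WAY, EXSTART, EXCHANGE, LOADING, FULL):
        mon.observe("10.0.0.2", s)            # normal adjacency formation
    mon.observe("10.0.0.2", EXCHANGE)          # Full -> Exchange: not an FSM edge
    measurer.modules["ospfd"] = b"ospfd-image-altered"   # simulated tampering
    mon.observe("10.0.0.3", FULL)              # Down -> Full: not an FSM edge
    return mon.log


if __name__ == "__main__":
    for e in run_demo():
        print(e)
```

The design point is that the transition table is the detector and the measurement is the response: a single abnormal transition is not proof of tampering, so the log entry carries the measurement result separately, letting an operator distinguish a peer misbehaving on the wire (empty `tampered` list) from a router whose own code image has changed.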
[Degree-granting institution]: Beijing University of Technology
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 2380574
Article link: http://sikaile.net/guanlilunwen/ydhl/2380574.html