
Research on Attack Defense and Secure Mobility Management Technologies for Identifier Networks

Published: 2018-05-12 09:02

  Thesis topic: identifier network; identity and location separation. Source: Beijing Jiaotong University, doctoral dissertation, 2014


[Abstract]: To overcome the shortcomings of the traditional Internet in routing scalability, security, mobility, and the ability to accommodate changing user demands, researchers have begun to explore new Internet architectures. Designing the future Internet around the separation of identity from location and of resources from location has become one of the main research directions of recent years. The identifier network separates the identity and location roles of the IP address by using an independent access identifier (AID) and routing identifier (RID), and separates resources from location by using location-independent content names or identifiers. This thesis focuses on security in the identifier network, specifically on attack defense and secure mobility management. The main work and contributions are as follows:

1. A mapping-based DDoS defense method for identity/location-separated networks is proposed. It consists of a lightweight, network-based capability-token mechanism and an active DDoS defense mechanism based on mapping filtering. Tokens are distributed using the correspondence between access identifiers and routing identifiers, so that a victim can actively request that the network block a DDoS attack flow at its source. Numerical analysis and experiments verify that the method is feasible and effective both in preventing DDoS attacks and in blocking attack traffic once it appears.

2. A network-based secure mobility management method for terminals in identity/location-separated networks is given. Built on the AAA model, it specifies in detail the initial secure access of a mobile terminal and its secure handover within a region and between regions. A handover delay analysis model is given and compared with alternatives. The results show that the method prevents man-in-the-middle, replay, and message tampering attacks while keeping authentication delay, handover delay, and handover blocking rate low.

3. A cooperative feedback defense against Interest flooding attacks, based on prefix identification, is proposed for resource/location-separated (content-centric) networks. The method detects an Interest flooding attack from the utilization of the Pending Interest Table (PIT) and the Interest satisfaction ratio, identifies abnormal content-name prefixes from the PIT's expired-entry list, and uses feedback to limit the forwarding of Interests under those prefixes. Simulation experiments comparing different Interest flooding defenses show that the method accurately identifies the abnormal prefixes, quickly throttles malicious Interests by prefix, and reduces the impact of the attack on legitimate users.

4. An identity-based secure mobility management method for content sources in resource/location-separated networks is given. It applies identity/location separation, control/data separation, and identity-based cryptography to the secure mobility of content sources. The secure handover procedure for a content source and the rendezvous point selection method are designed in detail. Numerical analysis and comparison show that the method has lower handover delay and cost, completes key agreement, prevents false location updates, and supports mutual authentication and fast re-authentication.
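The following added example illustrates the idea behind contribution 1, a capability token bound to the access identifier / routing identifier mapping and a victim-initiated block request. It is not the thesis's protocol and is not code from the dissertation; it assumes a mapping server that shares a symmetric key with the access routers, a token that is an HMAC over (source AID, destination AID, source RID, expiry), and a block request that the mapping server resolves to the attacker's current access router through the AID-to-RID mapping. All identifiers, the key, and the scenario traffic are constructed for the example.

```python
"""Mapping-based capability tokens in an identity/location-separated network.

Added illustrative example (not the dissertation's protocol). Assumptions:
  - every host has an access identifier (AID); the mapping server maps
    AID -> RID, the routing identifier of the access router serving that AID;
  - the mapping server and all access routers share ROUTER_KEY (assumed);
  - a token is an HMAC over (src AID, dst AID, src RID, expiry); the source's
    access router verifies it on every packet and drops the packet otherwise;
  - a victim asks the mapping server to block a source AID; the server finds
    the attacker's access router via the mapping and installs a filter there.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

ROUTER_KEY = b"shared-key-between-mapping-server-and-routers"  # assumption
TOKEN_LIFETIME = 60  # seconds a token stays valid (assumed)


def _mac(src_aid, dst_aid, src_rid, expiry):
    """Truncated HMAC-SHA256 binding identity (AIDs) to location (src RID)."""
    msg = f"{src_aid}|{dst_aid}|{src_rid}|{expiry}".encode()
    return hmac.new(ROUTER_KEY, msg, hashlib.sha256).hexdigest()[:32]


@dataclass
class Packet:
    src_aid: str
    dst_aid: str
    token: Optional[Tuple[int, str]] = None  # (expiry, mac)


@dataclass
class AccessRouter:
    rid: str
    blocked: set = field(default_factory=set)  # (src AID, dst AID) pairs

    def forward(self, pkt, now):
        """Mapping filter at the source's access router. True if forwarded."""
        if (pkt.src_aid, pkt.dst_aid) in self.blocked:
            return False
        if pkt.token is None:
            return False
        expiry, mac = pkt.token
        if now > expiry:
            return False
        # the MAC includes this router's RID, so a token issued for a host
        # attached elsewhere (or replayed from elsewhere) does not verify
        expected = _mac(pkt.src_aid, pkt.dst_aid, self.rid, expiry)
        return hmac.compare_digest(mac, expected)


@dataclass
class MappingServer:
    mapping: dict   # AID -> RID
    routers: dict   # RID -> AccessRouter

    def issue_token(self, src_aid, dst_aid, now):
        """Who may request a token (sender, receiver) is a policy choice."""
        expiry = int(now) + TOKEN_LIFETIME
        return (expiry, _mac(src_aid, dst_aid, self.mapping[src_aid], expiry))

    def block_request(self, victim_aid, attacker_aid):
        """Victim-initiated blocking: locate the attacker's access router
        through the AID -> RID mapping and install a filter rule there."""
        rid = self.mapping.get(attacker_aid)
        if rid is None:
            return False
        self.routers[rid].blocked.add((attacker_aid, victim_aid))
        return True


def run_scenario():
    """Constructed scenario: legitimate host h1 and attacker h2 both send to
    victim v; v then asks the network to block h2."""
    r1, r2, r3 = AccessRouter("rid-1"), AccessRouter("rid-2"), AccessRouter("rid-3")
    ms = MappingServer(
        mapping={"aid-h1": "rid-1", "aid-h2": "rid-2", "aid-v": "rid-3"},
        routers={"rid-1": r1, "rid-2": r2, "rid-3": r3},
    )
    now = 1_000_000
    t1 = ms.issue_token("aid-h1", "aid-v", now)
    t2 = ms.issue_token("aid-h2", "aid-v", now)
    res = {}
    res["legit"] = r1.forward(Packet("aid-h1", "aid-v", t1), now)
    res["no_token"] = r2.forward(Packet("aid-h2", "aid-v", None), now)
    res["forged"] = r2.forward(Packet("aid-h2", "aid-v", (t2[0], "0" * 32)), now)
    res["replayed_elsewhere"] = r1.forward(Packet("aid-h2", "aid-v", t2), now)
    res["attacker_before_block"] = r2.forward(Packet("aid-h2", "aid-v", t2), now)
    ms.block_request("aid-v", "aid-h2")
    res["attacker_after_block"] = r2.forward(Packet("aid-h2", "aid-v", t2), now)
    res["legit_after_block"] = r1.forward(Packet("aid-h1", "aid-v", t1), now)
    res["expired"] = r1.forward(Packet("aid-h1", "aid-v", t1), now + TOKEN_LIFETIME + 1)
    return res


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:24s} forwarded={v}")
```

Two points the scenario makes explicit: binding the token to the source RID means a token cannot be reused after the host (or an impersonator) moves to another access router, and the filter is installed at the attacker's own access router rather than near the victim, so attack traffic is dropped before it crosses the network. In a real deployment the block request itself must be authenticated as coming from the destination AID; otherwise it becomes a primitive for cutting off legitimate senders.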
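The following added example illustrates the detection and prefix-identification logic described in contribution 3. It is not the dissertation's implementation; it assumes a single content router with a fixed-capacity PIT, a fixed Interest timeout, a monitoring window of a few ticks, thresholds on PIT utilization and satisfaction ratio, and a per-window admission limit as the feedback action. Thresholds, capacities, names, and traffic are all constructed for the example.

```python
"""Interest flooding detection from PIT utilisation and satisfaction ratio,
with abnormal-prefix identification from expired PIT entries.

Added illustrative example (not the dissertation's implementation). Assumed:
  - a content router keeps a Pending Interest Table (PIT) of capacity PIT_CAP;
  - an Interest not satisfied by Data within PIT_TIMEOUT ticks expires and its
    name is appended to the expired-entry list of the current window;
  - at window end, if PIT utilisation >= USAGE_TH and satisfaction ratio
    <= SATISFACTION_TH, prefixes (first PREFIX_LEN name components) that make
    up at least PREFIX_SHARE_TH of the expired entries are flagged, and the
    router emits feedback (prefix, per-window admission limit) to neighbours.
"""
from collections import Counter

PIT_CAP = 200
PIT_TIMEOUT = 2           # ticks an Interest may stay pending (assumed)
PREFIX_LEN = 2            # /a/b/c/d -> /a/b
USAGE_TH = 0.8            # PIT utilisation that indicates pressure
SATISFACTION_TH = 0.5     # below this, pending Interests are mostly unserved
PREFIX_SHARE_TH = 0.5     # share of expired entries that marks a prefix abnormal


def prefix_of(name):
    comps = [c for c in name.split("/") if c]
    return "/" + "/".join(comps[:PREFIX_LEN])


class ContentRouter:
    def __init__(self):
        self.pit = {}            # name -> expiry tick
        self.expired = []        # names that timed out in the current window
        self.received = 0
        self.satisfied = 0
        self.limits = {}         # prefix -> Interests admitted per window
        self.limit_used = Counter()

    def on_interest(self, name, now):
        """Return True if the Interest is admitted (new or aggregated)."""
        self.received += 1
        p = prefix_of(name)
        if p in self.limits:                      # feedback-imposed limit
            if self.limit_used[p] >= self.limits[p]:
                return False
            self.limit_used[p] += 1
        if name in self.pit:
            return True                           # aggregated onto existing entry
        if len(self.pit) >= PIT_CAP:
            return False                          # PIT exhausted: collateral drop
        self.pit[name] = now + PIT_TIMEOUT
        return True

    def on_data(self, name):
        if self.pit.pop(name, None) is not None:
            self.satisfied += 1

    def expire(self, now):
        for name in [n for n, t in self.pit.items() if t <= now]:
            del self.pit[name]
            self.expired.append(name)

    def end_window(self):
        """Detect an attack; return feedback [(prefix, limit)], [] if none."""
        usage = len(self.pit) / PIT_CAP
        ratio = self.satisfied / self.received if self.received else 1.0
        feedback = []
        if usage >= USAGE_TH and ratio <= SATISFACTION_TH and self.expired:
            counts = Counter(prefix_of(n) for n in self.expired)
            for p, c in counts.items():
                if c / len(self.expired) >= PREFIX_SHARE_TH:
                    limit = max(1, int(c * 0.1))  # admit 10% of the expired rate
                    self.limits[p] = limit
                    feedback.append((p, limit))
        self.expired.clear()
        self.received = self.satisfied = 0
        self.limit_used.clear()
        return feedback


def run_scenario():
    """Constructed traffic: per tick, 10 legitimate Interests under /video/news
    answered by Data in the same tick, and 100 attack Interests with unique
    names under /evil/stream that are never answered. Window = 3 ticks."""
    r = ContentRouter()
    out = {"feedback": [], "pit_peak": 0, "legit_admitted_w2": 0, "evil_admitted_w2": 0}
    for tick in range(6):
        r.expire(tick)
        for i in range(10):
            name = f"/video/news/{tick}/{i}"
            if r.on_interest(name, tick) and tick >= 3:
                out["legit_admitted_w2"] += 1
            r.on_data(name)
        for i in range(100):
            if r.on_interest(f"/evil/stream/{tick}/{i}", tick) and tick >= 3:
                out["evil_admitted_w2"] += 1
        out["pit_peak"] = max(out["pit_peak"], len(r.pit))
        if tick % 3 == 2:
            out["feedback"] += r.end_window()
    out["pit_after_mitigation"] = len(r.pit)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed run the PIT fills to capacity during the first window, the satisfaction ratio collapses, and the only prefix in the expired list is the attacker's, so the feedback throttles /evil/stream while /video/news continues to be served in full. Identifying prefixes from expired entries rather than from raw arrival counts is what keeps a popular legitimate prefix (high arrivals, but satisfied) from being throttled; the limit is a rate rather than a block so that legitimate Interests that happen to share a flagged prefix still get some service.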
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Doctorate
[Year of degree]: 2014
[Classification number]: TP393.08




Document ID: 1877989


Link: https://www.wllwen.com/guanlilunwen/ydhl/1877989.html

