
Research on Interest Flooding Attacks and Defense Countermeasures in Named Data Networking

Published: 2018-10-25 20:30
[Abstract]: Named Data Networking (NDN) is a new network architecture for the next-generation Internet. As the content-oriented, data-driven model becomes the trend of future Internet development, NDN may replace the current TCP/IP-based architecture. As one realization of the next-generation Internet architecture, the security of NDN has attracted wide attention. Although NDN can withstand most existing forms of network attack, it cannot effectively resist a DDoS-like attack: the Interest flooding attack. This attack exploits a security logic flaw in NDN's own forwarding mechanism, flooding large numbers of malicious Interest packets at a very high rate to exhaust network resources and paralyze the network. Given the severity of this attack, this thesis does the following work:

(1) Describes the attack pattern of the Interest flooding attack in the NDN environment, analyzes its attack principle, introduces the impact the attack can have on the network environment, and, through inductive analysis, proposes three major characteristics of the Interest flooding attack. Based on these three characteristics, it analyzes the detection principles of several existing Interest flooding attack defense schemes, summarizes the essence of each scheme's monitoring metrics, and maps each metric to the three attack characteristics. It also compares the defense schemes and analyzes the advantages and disadvantages of each.

(2) Proposes a distributed monitoring mechanism, so that packets carry the identifier of the originating network node as they travel between NDN nodes, which makes it easier to monitor the distributed nature of the Interest flooding attack.

(3) Uses three quantitative metrics to characterize the three attack characteristics, normalizes the three metrics and maps them to the three dimensions of a space vector model. The distance in this vector space describes the likelihood that an Interest packet is an attack packet. A time-varying Markov model is built to describe the state transitions of Interest packets as they are transmitted through network nodes. Packet forwarding logic based on the space vector model and the time-varying Markov model is proposed, and a cooperative defense mechanism between network nodes is implemented.

(4) Proposes a retransmission forwarding mechanism. In the defense scheme, normal Interest packets may be discarded due to misjudgment. The retransmission forwarding mechanism lets Interest packets retransmitted by the user be marked as "normal" by the network nodes, guaranteeing the delivery of normal packets.

(5) Simulates the proposed defense scheme on a small tree topology and a large network topology, using PIT occupancy rate and Interest response rate as evaluation metrics, verifying the scheme's effectiveness and feasibility.
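The space vector scoring in (3), the distributed-monitoring origin tag in (2) and the retransmission rule in (4), as an added illustration that is not the thesis' own code: a router keeps per-prefix counters, maps three assumed indicators (PIT occupancy, share of unanswered Interests, spread of originating-node tags) onto [0,1], and uses the scaled Euclidean distance from the all-benign point (0,0,0) as the attack likelihood. The PIT capacity, node count, threshold and sample counters are constructed values; the thesis does not state which three indicators or which reference point it uses.

```python
import math
from dataclasses import dataclass, field

PIT_CAPACITY = 1000      # assumed PIT size of this router (constructed)
TOTAL_NODES = 20         # assumed number of nodes that can tag packets (constructed)
DROP_THRESHOLD = 0.6     # assumed decision threshold on the scaled distance

@dataclass
class PrefixStats:
    """Counters a router keeps per name prefix (hypothetical bookkeeping)."""
    pending: int = 0       # Interests for this prefix still waiting in the PIT
    satisfied: int = 0     # Interests answered by Data
    expired: int = 0       # Interests that timed out with no Data
    origins: set = field(default_factory=set)  # originating-node tags seen

def indicators(s: PrefixStats) -> tuple:
    """Three normalized indicators in [0, 1]; larger means more attack-like."""
    occupancy = min(1.0, s.pending / PIT_CAPACITY)           # PIT resource consumption
    finished = s.satisfied + s.expired
    unsatisfied = s.expired / finished if finished else 0.0  # share never answered
    dispersion = min(1.0, len(s.origins) / TOTAL_NODES)      # how many sources send it
    return (occupancy, unsatisfied, dispersion)

def attack_likelihood(vec: tuple) -> float:
    """Euclidean distance from the benign point (0,0,0), scaled by sqrt(3) into [0, 1]."""
    return math.dist(vec, (0.0, 0.0, 0.0)) / math.sqrt(3)

def forward_decision(s: PrefixStats, retransmitted: bool = False) -> str:
    """Return 'forward' or 'drop'; a user retransmission is treated as a normal packet."""
    if retransmitted:
        return "forward"
    return "drop" if attack_likelihood(indicators(s)) >= DROP_THRESHOLD else "forward"

# Constructed sample statistics for two prefixes observed on one router.
BENIGN = PrefixStats(pending=20, satisfied=95, expired=5, origins={1, 2})
ATTACKED = PrefixStats(pending=900, satisfied=10, expired=190, origins=set(range(15)))

if __name__ == "__main__":
    for name, s in (("benign", BENIGN), ("attacked", ATTACKED)):
        vec = indicators(s)
        print(name, vec, round(attack_likelihood(vec), 3), forward_decision(s))
```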
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master
[Year degree granted]: 2015
[Classification number]: TP393.08



