本文選題：內(nèi)容中心網(wǎng)絡(luò)　切入點(diǎn)：興趣包泛洪攻擊　出處：《北京交通大學(xué)》2014年博士論文

【摘要】：摘要：隨著信息技術(shù)的飛速發(fā)展和新型網(wǎng)絡(luò)應(yīng)用的不斷涌現(xiàn),互聯(lián)網(wǎng)的通信模式已經(jīng)由以主機(jī)網(wǎng)絡(luò)地址為中心的互聯(lián)互通,逐漸演變?yōu)橐詢?nèi)容為中心的信息共享,這催生了內(nèi)容中心網(wǎng)絡(luò)架構(gòu)的興起。內(nèi)容中心網(wǎng)絡(luò)直接依據(jù)內(nèi)容的名字完成信息的分發(fā)和獲取,網(wǎng)絡(luò)中傳輸?shù)呐d趣包/數(shù)據(jù)包不攜帶用戶的位置或身份信息,具有一定的安全優(yōu)勢(shì)。然而,內(nèi)容中心網(wǎng)絡(luò)仍難免遭受某些網(wǎng)絡(luò)攻擊的侵害,例如,以易于發(fā)動(dòng)且危害巨大而著稱的興趣包泛洪攻擊。本文圍繞興趣包泛洪攻擊的兩種不同類型——主流的虛假興趣包泛洪攻擊(Interest Flooding Attack with Fake Interests,IFA-F)和非主流的真實(shí)興趣包泛洪攻擊(Interest Flooding Attack with Real Interests,IFA-R),研究相應(yīng)的對(duì)抗策略。論文主要工作和創(chuàng)新點(diǎn)如下： 1)提出了IFA-F攻擊危害分析理論模型。本文采用興趣包拒絕概率表征IFA-F攻擊導(dǎo)致的網(wǎng)絡(luò)危害程度,推導(dǎo)了IFA-F攻擊時(shí)單路由器和小型網(wǎng)絡(luò)拓?fù)涞呐d趣包拒絕概率�；诖四Ｐ�,本文從理論上分析了內(nèi)容中心網(wǎng)絡(luò)內(nèi)容流行度分布、路由器緩存空間大小、路由器待定興趣表大小及其條目生存時(shí)間等關(guān)鍵參數(shù)對(duì)IFA-F攻擊所造成興趣包拒絕概率的影響,并進(jìn)行了相應(yīng)的仿真驗(yàn)證。模型分析和仿真結(jié)果表明,IFA-F攻擊導(dǎo)致網(wǎng)絡(luò)興趣包拒絕概率顯著增大,降低了網(wǎng)絡(luò)性能；網(wǎng)絡(luò)中訪問高流行度內(nèi)容的興趣包拒絕概率較低；增大路由器緩存空間或待定興趣表容量,降低待定興趣表?xiàng)l目的生存時(shí)間,均可降低IFA-F攻擊時(shí)網(wǎng)絡(luò)的興趣包拒絕概率。 2)本文首次提出了一種可行的IFA-F攻擊探測(cè)和抑制實(shí)現(xiàn)方法——基于限速機(jī)制的惡意興趣包路由器對(duì)抗策略。該對(duì)策充分利用內(nèi)容中心網(wǎng)絡(luò)路由器待定興趣表記錄興趣包狀態(tài)的特征,基于路由器待定興趣表?xiàng)l目的超時(shí)情況統(tǒng)計(jì)IFA-F惡意興趣包名字前綴,并通過動(dòng)態(tài)調(diào)整惡意名字前綴對(duì)應(yīng)的興趣包準(zhǔn)入速率,減輕IFA-F攻擊對(duì)路由器內(nèi)存資源的惡意消耗程度。性能評(píng)估結(jié)果表明,惡意興趣包路由器對(duì)抗策略可以通過探測(cè)IFA-F惡意興趣包的名字前綴信息,有效抑制惡意興趣包的準(zhǔn)入速率,從而使得路由器在遭受IFA-F攻擊時(shí)仍保持基本的興趣包轉(zhuǎn)發(fā)能力。 3)為實(shí)現(xiàn)細(xì)粒度的IFA-F攻擊探測(cè)和抑制方案,本文提出了基于模糊邏輯和路由器協(xié)作的惡意興趣包協(xié)同對(duì)抗策略。該對(duì)策在路由器上監(jiān)測(cè)待定興趣表使用率以及條目超時(shí)比率,并基于模糊邏輯綜合判別IFA-F攻擊的存在性,以實(shí)現(xiàn)對(duì)IFA-F攻擊的探測(cè)功能；同時(shí),通過路由器協(xié)作機(jī)制,將預(yù)警消息從探測(cè)到IFA-F攻擊的路由器反饋至網(wǎng)絡(luò)的接入路由器,最終在接入路由器處阻斷惡意興趣包,達(dá)到抑制IFA-F攻擊危害的效果。基于真實(shí)網(wǎng)絡(luò)拓?fù)浜陀脩粜袨槟Ｐ偷姆抡姹砻?惡意興趣包協(xié)同對(duì)抗策略減輕了IFA-F攻擊對(duì)路由器內(nèi)存資源的惡意消耗,提高了合法興趣包的內(nèi)容獲取成功率,并降低了興趣包的內(nèi)容獲取時(shí)延。 4)在分析內(nèi)容中心網(wǎng)絡(luò)現(xiàn)有典型興趣包轉(zhuǎn)發(fā)策略安全性的基礎(chǔ)上,本文首次提出了一種對(duì)抗IFA-F攻擊的興趣包／數(shù)據(jù)包安全轉(zhuǎn)發(fā)策略。該策略引入一種新的基于包標(biāo)記技術(shù)、不依賴于待定興趣表的興趣包/數(shù)據(jù)包轉(zhuǎn)發(fā)機(jī)制,將IFA-F惡意興趣包從路由器待定興趣表中徹底解耦合,并以較小的網(wǎng)絡(luò)帶寬消耗,從本質(zhì)上切斷了IFA-F惡意興趣包對(duì)路由器待定興趣表內(nèi)存資源的消耗。仿真結(jié)果表明,相比基于限速機(jī)制的IFA-F攻擊對(duì)抗方法,本文提出的興趣包／數(shù)據(jù)包安全轉(zhuǎn)發(fā)策略可以明顯減小路由器內(nèi)存資源消耗量,提高內(nèi)容中心網(wǎng)絡(luò)的IFA-F攻擊對(duì)抗能力。 5)針對(duì)非主流類型的真實(shí)興趣包泛洪攻擊——IFA-R攻擊,本文提出了一種雙閾值]IFA-R攻擊探測(cè)方法。該方法基于探測(cè)周期內(nèi)的路由器待定興趣表超時(shí)條目數(shù)量閾值以及網(wǎng)絡(luò)接口數(shù)據(jù)流量閾值,推斷可能存在的網(wǎng)絡(luò)流量異常,以探測(cè)IFA-R攻擊的存在。仿真結(jié)果表明,雙閾值IFA-R攻擊探測(cè)方法在短時(shí)間內(nèi)即可探測(cè)到IFA-R攻擊,并成功識(shí)別出惡意興趣包流經(jīng)的路由器接口或?qū)?yīng)網(wǎng)絡(luò)鏈路。
[Abstract]:Abstract : With the rapid development of information technology and the continuous emergence of new network applications , the communication mode of the Internet has evolved into information sharing based on the network address of hosts , which has resulted in the rise of the content center network architecture .

1 ) The theory model of the damage analysis of IFA - F attack is proposed . The probability of interest packet rejection caused by IFA - F attack is deduced by the rejection probability of interest packet . Based on this model , this paper analyzes the influence of the core network content popularity distribution , router cache space size , router to be determined interest table size and its entry survival time on the rejection probability of the interest packet caused by IFA - F attack . The model analysis and simulation results show that IFA - F attack results in a significant increase in the rejection probability of the network ' s interest packet , and the network performance is reduced .
the interest packet rejection probability of accessing high popularity content in the network is low ;
increasing the buffer space of the router or the capacity of the pending interest table , reducing the survival time of the pending interest table entry , and reducing the probability of the rejection probability of the interest package of the network when the IFA - F attack is reduced .

In this paper , a feasible method for detecting and suppressing malicious interest packet router based on speed limit mechanism is put forward for the first time . The countermeasure makes full use of the characteristic of the active packet state of the content center network router . The method makes full use of the characteristic of the active packet ' s state of the content center network router , and reduces the malicious consumption level of the IFA - F attacks on the router memory resources . The performance evaluation results show that the malicious interest packet router counter policy can effectively suppress the admission rate of the malicious interest packet by detecting the prefix information of the IFA - F malicious interest packet , so that the router can still maintain the basic interest packet forwarding capability when subjected to the IFA - F attack .

3 ) In order to realize the detection and suppression scheme of IFA - F attack with fine granularity , this paper puts forward a malicious interest packet cooperation countermeasure strategy based on fuzzy logic and router cooperation . The countermeasure monitors pending interest table usage rate and entry time - out ratio on the router , and comprehensively discriminates the existence of IFA - F attack based on fuzzy logic , so as to realize the detection function of IFA - F attack ;
At the same time , through the router cooperation mechanism , the router that detects the attack from the IFA - F is fed back to the access router of the network , the malicious interest packet is blocked at the access router , and the effect of inhibiting the IFA - F attack hazard is achieved . Simulation of the real network topology and the user behavior model shows that the malicious interest packet cooperation countermeasure strategy reduces the malicious consumption of the IFA - F attack on the router memory resources , improves the content acquisition success rate of the legitimate interest package , and reduces the content acquisition time delay of the interest package .

This paper proposes a new packet / packet security forwarding strategy against IFA - F attacks . This strategy introduces a new packet - based technique , which does not rely on the interested packet / packet forwarding mechanism of the list of interest . The simulation results show that the packet / packet security forwarding strategy proposed in this paper can significantly reduce the memory resource consumption of the router and improve the IFA - F attack countermeasure capability of the content center network .

5 ) Aiming at the flooding attack _ IFA - R attack of the real interest packet of non - mainstream type , this paper proposes a dual - threshold IFA - R attack detection method . The method is based on the number threshold of the time - out entries of the router to be determined in the probe cycle and the data flow threshold of the network interface . The possible network traffic anomaly is inferred to detect the existence of IFA - R attack . The simulation results show that the dual - threshold IFA - R attack detection method can detect the IFA - R attack in a short time and successfully identify the router interface or the corresponding network link through which the malicious interest packet flows .

【學(xué)位授予單位】：北京交通大學(xué)
【學(xué)位級(jí)別】：博士
【學(xué)位授予年份】：2014
【分類號(hào)】：TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前3條

1 張宏科;羅洪斌;;智慧協(xié)同網(wǎng)絡(luò)體系基礎(chǔ)研究[J];電子學(xué)報(bào);2013年07期

2 蘇偉;陳佳;周華春;張宏科;;智慧協(xié)同網(wǎng)絡(luò)中的服務(wù)機(jī)理研究[J];電子學(xué)報(bào);2013年07期

3 郜帥;王洪超;王凱;張宏科;;智慧網(wǎng)絡(luò)組件協(xié)同機(jī)制研究[J];電子學(xué)報(bào);2013年07期

，

本文編號(hào)：1691167