Research on Attack Defence and Secure Mobility Management in Identifier Networks
Topic of this thesis: identifier network + identity/location separation; source: Beijing Jiaotong University, PhD thesis, 2014
[Abstract]: To overcome the shortcomings of the traditional Internet in routing scalability, security, mobility and adapting to changing user needs, researchers have begun to explore new Internet architectures. Designing the future Internet architecture around identity/location separation and resource/location separation has been one of the main research focuses of recent years. The identifier network separates the identity and location roles of the IP address by using independent access identifiers and routing identifiers, and separates resources from location by using location-independent content names or identifiers. This thesis centres on identifier-network security technology, focusing on attack defence and secure mobility management in identifier networks. The main work and contributions are as follows:

1. A mapping-based DDoS defence method for identity/location-separated environments, comprising a network-based lightweight privilege-token mechanism and a mapping-filter-based active DDoS defence mechanism. The method distributes privilege tokens using the correspondence between access identifiers and routing identifiers, so that a victim can actively request the network to block DDoS attack flows. Numerical analysis and experiments verify the feasibility and effectiveness of the method in preventing DDoS attacks and defending against DDoS attack flows.

2. A network-based secure terminal mobility management method for identity/location-separated environments. Built on the AAA model, it specifies in detail the initial secure access of a mobile terminal and the secure intra-region and inter-region handover procedures. A handover-delay analysis model is given and compared with alternatives; the results show that the method prevents man-in-the-middle, replay and message-tampering attacks, and has lower authentication delay, handover delay and handover blocking rate.

3. A cooperative feedback defence method against Interest flooding attacks, based on prefix identification, for resource/location-separated environments. The method detects an Interest flooding attack from the pending Interest table (PIT) usage rate and the Interest satisfaction ratio, identifies anomalous content-name prefixes from the PIT's expired entries, and uses feedback to limit the forwarding of anomalous Interests. Simulation experiments and comparison analyse the performance of different Interest-flooding defences; the results show that the method accurately identifies anomalous content-name prefixes, quickly limits the transmission of malicious Interests by prefix, and reduces the impact of the attack on legitimate users.

4. An identity-based secure mobility management method for content sources in resource/location-separated environments. Identity/location separation, control/data separation and identity-based cryptography are applied to secure content-source mobility management; the secure handover procedure for content sources and the rendezvous-point selection method are designed in detail. Numerical analysis and comparison show that the method has lower handover delay and cost, completes key agreement, prevents false location updates, and supports mutual authentication and fast re-authentication.
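The Interest-flooding detection described in contribution 3 (PIT usage rate and Interest satisfaction ratio as the trigger, anomalous prefixes taken from expired PIT entries, feedback that limits forwarding by prefix) can be seen in miniature with the following toy router model. This is an added example, not code from the thesis: the PIT capacity, the detection window, the thresholds, the attacker and consumer name spaces and the simulator class are all constructed here for illustration.

```python
"""Toy model of prefix-based Interest flooding detection (added example,
not thesis code). A single router keeps a pending Interest table (PIT);
an attacker floods unsatisfiable Interests under one prefix while a
legitimate consumer fetches Data under another. All capacities and
thresholds below are assumed values, not figures from the thesis."""
from collections import Counter
from dataclasses import dataclass, field

PIT_CAPACITY = 100             # assumed PIT size (entries)
USAGE_THRESHOLD = 0.8          # assumed: PIT usage at or above this is suspicious
SATISFACTION_THRESHOLD = 0.5   # assumed: satisfaction ratio at or below this is suspicious
PREFIX_SHARE_THRESHOLD = 0.5   # assumed: a prefix holding this share of expiries is anomalous


def prefix_of(name, depth=2):
    """First `depth` components of a CCN/NDN-style name such as /video/fake/7-3."""
    parts = [p for p in name.split("/") if p]
    return "/" + "/".join(parts[:depth])


@dataclass
class PitSimulator:
    capacity: int = PIT_CAPACITY
    pending: dict = field(default_factory=dict)        # name -> expiry tick
    expired: Counter = field(default_factory=Counter)  # prefix -> expired-entry count
    sent: int = 0                                      # Interests forwarded
    satisfied: int = 0                                 # Interests answered by Data
    rate_limited: set = field(default_factory=set)     # prefixes limited by feedback

    def send_interest(self, name, now, lifetime=4):
        """Forward an Interest; returns False if it is dropped."""
        if prefix_of(name) in self.rate_limited:
            return False          # feedback in effect: do not forward this prefix
        if len(self.pending) >= self.capacity:
            return False          # PIT exhausted: legitimate Interests suffer too
        self.pending[name] = now + lifetime
        self.sent += 1
        return True

    def receive_data(self, name):
        """Data returned: the matching PIT entry is consumed."""
        if name in self.pending:
            del self.pending[name]
            self.satisfied += 1
            return True
        return False

    def tick(self, now):
        """Expire timed-out entries, remembering which prefix each belonged to."""
        for name, expiry in list(self.pending.items()):
            if expiry <= now:
                del self.pending[name]
                self.expired[prefix_of(name)] += 1

    def pit_usage(self):
        return len(self.pending) / self.capacity

    def satisfaction_ratio(self):
        return self.satisfied / self.sent if self.sent else 1.0

    def detect(self):
        """Anomalous prefixes, or [] when usage and satisfaction look healthy."""
        if self.pit_usage() < USAGE_THRESHOLD or self.satisfaction_ratio() > SATISFACTION_THRESHOLD:
            return []
        total = sum(self.expired.values())
        if total == 0:
            return []
        return [p for p, c in self.expired.items() if c / total >= PREFIX_SHARE_THRESHOLD]

    def apply_feedback(self, prefixes):
        """Feedback from the detector: stop forwarding Interests under these prefixes."""
        self.rate_limited.update(prefixes)


def run_scenario():
    """Constructed scenario: 25 unsatisfiable /video/fake/* Interests per tick from the
    attacker, 5 /news/today/* Interests per tick from a consumer that are answered
    immediately. Detection runs at the end of tick 5; tick 6 shows the effect."""
    sim = PitSimulator()
    legit_dropped, legit_ok_after, detected = 0, 0, []
    for now in range(7):
        sim.tick(now)
        for i in range(25):                       # attacker goes first each tick
            sim.send_interest(f"/video/fake/{now}-{i}", now)
        for i in range(5):                        # legitimate consumer
            name = f"/news/today/{now}-{i}"
            if sim.send_interest(name, now):
                sim.receive_data(name)
                if now == 6:
                    legit_ok_after += 1
            else:
                legit_dropped += 1
        if now == 5:
            detected = sim.detect()
            sim.apply_feedback(detected)
    return {
        "detected": detected,
        "legit_dropped_during_attack": legit_dropped,
        "legit_ok_after_feedback": legit_ok_after == 5,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The two trigger signals are deliberately combined: a full PIT alone can be a burst of legitimate demand, and a low satisfaction ratio alone can be an upstream outage, but the pair together points to Interests that were forwarded and never answered. Attributing the expiries to a name prefix is what lets the feedback limit only the attacker's name space; in the scenario the consumer's Interests are dropped while the PIT is exhausted and succeed again once the anomalous prefix is limited.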
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Doctorate
[Year of award]: 2014
[Classification number]: TP393.08
,本文編號(hào):1877989
本文鏈接:http://www.sikaile.net/guanlilunwen/ydhl/1877989.html