Deployability Evaluation Model and Method Design for Inter-domain Source Address Validation on the Internet
Published: 2018-08-21 19:56
[Abstract]: On today's Internet, IP source address spoofing is widely used in network attacks to hide the origin of an attack or to achieve particular attack effects. This severely endangers network security, undermines the foundation of network trust, disrupts network management, and hinders network innovation and development. Inter-domain source address validation methods suppress spoofed traffic by enforcing the authenticity of source addresses at the autonomous-system level. Over more than ten years, although many inter-domain source address validation methods have been proposed, and some of them have been implemented in routers, their deployment remains insufficient; the deployment rate has not improved for many years, and spoofing attacks have grown ever more severe. To promote their deployment, this thesis studies the deployability of inter-domain source address validation methods. Starting from the interests of deployers, we propose deployability evaluation indicators, establish an evaluation model, evaluate existing validation methods, summarize design principles for validation methods, and design highly deployable validation methods, which we implement and deploy on the production network. The main contributions are as follows:
1. Deployability evaluation indicators and an evaluation model for inter-domain source address validation methods are proposed. From the deployer's perspective, deployment benefit, deployment cost and operational risk are defined as the three deployability indicators, and their rationality is justified using economic theory. A quantitative evaluation model for the three indicators is established and its correctness is verified.
2. A deployability evaluation of the existing inter-domain source address validation methods is completed. Based on the proposed evaluation model and real Internet data, the deployment benefit, deployment cost and operational risk of the main existing validation methods are evaluated. Combined with a novel classification of validation methods, the deployability characteristics of each class of method are summarized.
3. The design objective, feasible solution space and design principles for inter-domain source address validation methods are proposed. Through theoretical analysis, the Pareto-optimal validation method in a multi-objective optimization is taken as the design objective. Combined with practical requirements, operational risk is fixed at its minimum, which reduces the dimension of the solution space; the feasible solution space is identified and the location and characteristics of the Pareto-optimal solutions are described. The design principles for validation methods are summarized to guide the design of the Pareto-optimal validation methods in the following chapters.
4. MIEF, a low-risk, low-cost mutual end-filtering method, is designed. MIEF builds on the end-filtering technology already implemented in routers, which gives it low risk and low cost, and raises the deployment benefit through mutual defense among deployers. The control system, audit system and data plane optimization algorithm of MIEF are designed, and its deployability is evaluated.
5. ICS, a low-risk, high-benefit inter-domain cooperative defense system, is designed. ICS uses end-based and end-to-end protection functions to form an inter-domain cooperative alliance, which gives it low risk and high benefit, and reduces cost through on-demand defense. The protection functions, control system and data plane protocol of ICS are designed, its deployability is evaluated, and the system is implemented and deployed at large scale on the production network.
[Degree-granting institution]: Tsinghua University
[Degree level]: Doctorate
[Year of degree]: 2014
[Classification number]: TP393.08
Article number: 2196198
Article link: http://www.sikaile.net/guanlilunwen/ydhl/2196198.html