苗甫, 王振兴, 郭毅, 张连成. A mimicry protection mechanism for the inter-domain routing system based on AS security alliances [J]. Computer Science, 2017, 44(9): 148-155
A Mimicry Protection Mechanism for the Inter-domain Routing System Based on AS Security Alliances
AS Security Alliance Mechanism for Inter-domain Routing System Based on Mimicry Protection
Received: 2016-08-25  Revised: 2016-12-06
DOI: 10.11896/j.issn.1002-137X.2017.09.029
Keywords (Chinese, translated): Mimic transformation, AS security alliance, Network security, Inter-domain routing
Keywords (English): Mimic transformation, AS alliance, Network security, Inter-domain routing
Funding: Supported by the National Natural Science Foundation of China (61402525, 6, 61472215, 8) and the National High Technology Research and Development Program of China (863 Program) (2012AA012902)
Author, affiliation, e-mail:
苗甫, PLA Information Engineering University, Zhengzhou 450001
王振兴, PLA Information Engineering University, Zhengzhou 450001
郭毅, PLA Information Engineering University, Zhengzhou 450001; Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084; nongfu@live.cn
张连成, PLA Information Engineering University, Zhengzhou 450001
Abstract (translated from Chinese):
      Large-scale low-rate denial-of-service attacks against BGP sessions (Low-rate DoS against BGP Session, BGP-LDoS) can paralyze the inter-domain routing system as a whole, and existing detection methods and protection measures have difficulty detecting and defending against such attacks effectively. A prerequisite for carrying out a BGP-LDoS attack is probing and analyzing the topology of the inter-domain routing system to obtain the parameters of its key links. Network mimic transformation confuses the attacker through continuous dynamic change, raising the cost and complexity of probing and analyzing the network and lowering the probability that an attack succeeds. Drawing on the idea of mimic security defense, this paper proposes a protection method based on dynamic topology transformation of the inter-domain routing system: several neighboring autonomous systems (ASes) form an AS mimic alliance, and equivalent topology transformations are performed inside the alliance. The paper gives the concrete implementation process. The resistance of the transformed network to BGP-LDoS attacks is verified and analyzed; the experimental results show that the method effectively reduces the accuracy of the attacker's topology analysis and interferes with its selection of key links, thereby providing protection against BGP-LDoS attacks.
Abstract (English):
      Large-scale low-rate denial-of-service attacks against BGP sessions (BGP-LDoS) can paralyze the inter-domain routing system as a whole, and existing detection methods and protection measures struggle to detect and defend against such attacks effectively. Probing the topology of the inter-domain routing system and obtaining the parameters of its key links are fundamental steps of a BGP-LDoS attack. Mimic transformation of the network provides continuous dynamic change that confuses the attacker, increases the cost and complexity of the attacker's probing and analysis, and reduces the probability of a successful attack. From the viewpoint of mimic security defense, this paper presents a security alliance mechanism for the inter-domain routing system. Neighboring autonomous systems form an alliance, and equivalent topology transformations are performed within it. The concrete implementation process is given, and the resilience of the transformed network to BGP-LDoS attacks is verified and analyzed. Experimental results show that the method effectively reduces the accuracy of the attacker's topology analysis and interferes with the attacker's selection of target links, providing reliable protection for the inter-domain routing system against BGP-LDoS attacks.
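The abstract states the defensive idea without showing it; the following is an added toy model written for this page, not code from the paper or its authors. It assumes a constructed eight-AS topology, an attacker who infers the "key link" as the link with the highest edge betweenness on the topology it can observe, and an assumed transformation schedule in which the alliance rotates which spanning subset of its internal links is visible while keeping every member reachable. Running it shows the attacker's inferred key link changing from round to round and matching the physical key link in only one round.

```python
"""Added example, not code from the paper: a toy model of how an AS alliance's
equivalent topology transformation changes which link an attacker infers as
the "key link" from the observed inter-domain topology. The AS names, the
attacker model (maximum edge betweenness on the observed graph) and the
transformation schedule are assumptions for illustration."""
from collections import defaultdict, deque

# Constructed toy AS-level topology (assumption, not from the paper).
# L1, L2 are ASes reachable only through alliance member A1; R1, R2 only
# through member A2. The four alliance members are physically a full mesh.
EXTERNAL_LINKS = [("L1", "A1"), ("L2", "A1"), ("R1", "A2"), ("R2", "A2")]
PHYSICAL_INTERNAL = [("A1", "A2"), ("A1", "A3"), ("A1", "A4"),
                     ("A2", "A3"), ("A2", "A4"), ("A3", "A4")]

# Equivalent transformations (assumed schedule): each round the alliance
# exposes a different spanning subset of its internal links. Every subset
# still connects all four members, so reachability is preserved while the
# apparent transit path between A1 and A2 changes.
TRANSFORMS = [
    [("A1", "A2"), ("A1", "A3"), ("A2", "A4")],  # direct A1-A2 transit
    [("A1", "A3"), ("A3", "A2"), ("A3", "A4")],  # transit via A3
    [("A1", "A4"), ("A4", "A2"), ("A4", "A3")],  # transit via A4
]


def build_adj(edges):
    """Undirected adjacency sets from an edge list."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def is_connected(adj):
    """True if every node is reachable from every other (BFS from one node)."""
    start = next(iter(adj))
    seen, queue = {start}, deque([start])
    while queue:
        for w in adj[queue.popleft()]:
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return len(seen) == len(adj)


def edge_betweenness(adj):
    """Brandes' algorithm for edge betweenness on an unweighted undirected
    graph: the number of shortest paths between all node pairs that pass
    through each edge (ties shared fractionally)."""
    bc = defaultdict(float)
    for s in adj:
        stack, pred = [], {v: [] for v in adj}
        sigma, dist = dict.fromkeys(adj, 0), dict.fromkeys(adj, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS counting shortest paths from s
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while stack:  # back-propagate dependencies along predecessor edges
            w = stack.pop()
            for v in pred[w]:
                c = sigma[v] / sigma[w] * (1 + delta[w])
                bc[frozenset((v, w))] += c
                delta[v] += c
    # each unordered pair was counted from both endpoints
    return {tuple(sorted(e)): b / 2 for e, b in bc.items()}


def inferred_key_links(edges):
    """Attacker model (assumption): the attacker analyses the topology it can
    observe and picks the link(s) carrying the most shortest paths."""
    bc = edge_betweenness(build_adj(edges))
    top = max(bc.values())
    return {e for e, b in bc.items() if abs(b - top) < 1e-9}


def simulate():
    """Run the transformation schedule and compare the attacker's choice in
    each round with the key link of the real (physical) topology.
    Returns (true_key_links, per_round_inferred, rounds_that_hit)."""
    true_key = inferred_key_links(EXTERNAL_LINKS + PHYSICAL_INTERNAL)
    rounds = []
    for internal in TRANSFORMS:
        observed = EXTERNAL_LINKS + internal
        if not is_connected(build_adj(observed)):
            raise ValueError("transformation breaks reachability")
        rounds.append(inferred_key_links(observed))
    hits = sum(1 for r in rounds if r & true_key)
    return true_key, rounds, hits


if __name__ == "__main__":
    true_key, rounds, hits = simulate()
    print("key link of the physical topology:", sorted(true_key))
    for i, r in enumerate(rounds, 1):
        print(f"round {i}: attacker infers {sorted(r)}")
    print(f"matched the real key link in {hits}/{len(rounds)} rounds")
```

The connectivity check in `simulate` is the defender-side invariant that makes the transformation "equivalent": a schedule that disconnects an alliance member would trade a DoS risk for an outage. Betweenness is only one plausible model of how an attacker ranks links; the paper's own analysis of key-link selection is not reproduced here.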