Computer Science (计算机科学) ›› 2023, Vol. 50 ›› Issue (3): 360-370. doi: 10.11896/jsjkx.220600265
杨昕1, 李挥1,2, 阙建明1, 马震太1, 李更新1, 姚尧1, 王滨1, 蒋傅礼1,2
YANG Xin1, LI Hui1,2, QUE Jianming1, MA Zhentai1, LI Gengxin1, YAO Yao1, WANG Bin1, JIANG Fuli1,2
Abstract: The traditional Internet provides an end-to-end transmission service and has flourished over the past half century. In recent years, however, network attacks built on that architecture have caused serious security problems. Following the trend towards next-generation networks with endogenous security, and taking the future multi-identifier scenario as its research background, this paper proposes a hierarchical, secure and efficient protection architecture that provides comprehensive protection from the network layer up to the application layer. At the network layer, the architecture proposes a multi-identifier routing and addressing scheme with embedded identity authentication and packet signatures, so that entities joining the network are trusted and data is tamper-proof and traceable. At the application layer, it designs a mimic defense scheme combined with a weighted centrality algorithm: the core components of the network are selected for focused protection, improving the robustness of services against potential attacks at the lowest possible protection overhead. The proposed scheme is analysed theoretically and evaluated with prototype experiments in several scenarios. The experimental results show that the scheme delivers good transmission performance at a low defense cost, invalidates TCP/IP-based attack methodologies and is immune to the various attack techniques of the traditional network architecture, demonstrating the effectiveness of the proposed security protection architecture.
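The application-layer part of the abstract selects the core components of the network by weighted centrality and protects them under a bounded overhead. The Python example below is added here as an illustration and is not code from the paper or its prototype: it implements that selection step with weighted betweenness centrality (Brandes' algorithm over Dijkstra shortest paths) on a constructed topology and then chooses the nodes to protect greedily under a protection budget. The topology, the link weights, the per-node protection costs, the budget and the use of betweenness as the centrality measure are all assumptions, since the paper's actual weighting is not given on this page.

```python
import heapq
from collections import defaultdict

# Constructed sample topology (an assumption, not the paper's test network):
# two triangles {A,B,C} and {D,E,F} joined through the single node X, plus a
# slow backup link C-F. Weights are link costs (e.g. latency); lower is better.
SAMPLE_EDGES = [
    ("A", "B", 1), ("B", "C", 1), ("A", "C", 1),
    ("A", "X", 1), ("X", "D", 1),
    ("D", "E", 1), ("E", "F", 1), ("D", "F", 1),
    ("C", "F", 10),  # backup link: one hop, but expensive in latency
]

# Assumed cost of wrapping each node in a mimic (heterogeneous-executor) setup.
SAMPLE_COST = {"A": 1, "B": 1, "C": 1, "D": 1, "E": 1, "F": 1, "X": 2}


def build_graph(edges):
    """Undirected weighted adjacency: node -> {neighbour: weight}."""
    graph = defaultdict(dict)
    for u, v, w in edges:
        graph[u][v] = w
        graph[v][u] = w
    return dict(graph)


def weighted_betweenness(graph):
    """Brandes' betweenness centrality with Dijkstra for weighted shortest paths.

    A node's score is the number of shortest paths between other node pairs
    that pass through it (fractional when several shortest paths tie).
    """
    centrality = {v: 0.0 for v in graph}
    for source in graph:
        dist = {v: float("inf") for v in graph}
        sigma = {v: 0 for v in graph}       # number of shortest paths source -> v
        preds = {v: [] for v in graph}      # predecessors on those paths
        dist[source], sigma[source] = 0.0, 1
        settled_order = []
        settled = set()
        heap = [(0.0, source)]
        while heap:
            d, v = heapq.heappop(heap)
            if v in settled:
                continue                     # stale heap entry
            settled.add(v)
            settled_order.append(v)
            for w, weight in graph[v].items():
                nd = d + weight
                if nd < dist[w]:             # strictly shorter path found
                    dist[w] = nd
                    sigma[w] = sigma[v]
                    preds[w] = [v]
                    heapq.heappush(heap, (nd, w))
                elif nd == dist[w]:          # another shortest path of equal length
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        # Accumulate dependencies in reverse order of settlement.
        delta = {v: 0.0 for v in graph}
        while settled_order:
            w = settled_order.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != source:
                centrality[w] += delta[w]
    # Undirected graph: every unordered pair was counted from both endpoints.
    return {v: c / 2.0 for v, c in centrality.items()}


def select_protected(graph, cost, budget):
    """Greedy budgeted choice of the most central nodes to place under mimic defense.

    Nodes are taken in descending centrality (ties broken by name); a node is
    skipped if its protection cost would exceed the remaining budget, and nodes
    with zero centrality are never selected.
    """
    centrality = weighted_betweenness(graph)
    chosen, spent = [], 0
    for node in sorted(graph, key=lambda n: (-centrality[n], n)):
        if centrality[node] == 0.0:
            break
        if spent + cost[node] <= budget:
            chosen.append(node)
            spent += cost[node]
    return chosen, spent


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for node, score in sorted(weighted_betweenness(g).items(), key=lambda kv: -kv[1]):
        print(f"{node}: {score:.1f}")
    print("protect under budget 3:", select_protected(g, SAMPLE_COST, budget=3))
    # Same topology with every link counted as one hop: the backup link C-F now
    # carries shortest paths and the bridge node X looks far less central.
    hop_graph = {v: {w: 1 for w in nbrs} for v, nbrs in g.items()}
    print("X by hop count only:", weighted_betweenness(hop_graph)["X"])
```

In the constructed topology, X is the only bridge between the two triangles, so every cross-side shortest path passes through it and it is protected first; with a budget of 3 the greedy step then adds A but cannot afford D. Evaluating the same graph by hop count instead of link cost lets the slow C-F link absorb many shortest paths, which is why the weighting matters for deciding where the limited protection budget goes.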