Computer Science (计算机科学), 2023, Vol. 50, Issue (3): 360-370. doi: 10.11896/jsjkx.220600265

• Information Security •

Efficiently Secure Architecture for Future Network

YANG Xin1, LI Hui1,2, QUE Jianming1, MA Zhentai1, LI Gengxin1, YAO Yao1, WANG Bin1, JIANG Fuli1,2

  1 Peking University Shenzhen Graduate School, Shenzhen, Guangdong 518055, China
  2 Peng Cheng Laboratory, Shenzhen, Guangdong 518055, China
  • Received: 2022-06-28  Revised: 2022-09-23  Online: 2023-03-15  Published: 2023-03-15
  • Corresponding author: LI Hui (lih64@pkusz.edu.cn)
  • About the authors: YANG Xin (yangxin2016@pku.edu.cn), born in 1994, Ph.D. Her main research interests include cyber security, future network architecture, and distributed storage systems.
    LI Hui, born in 1964, Ph.D., professor, is a member of the China Computer Federation. His main research interests include future network architecture, cyberspace security, distributed storage, and blockchain.
  • Supported by: Guangdong Province Research and Development Key Program (2019B010137001), National Key R&D Program of China (2017YFB0803204, 2017YFB0803200) and Shenzhen Fundamental Research Programs (GXWD20201231165807007-20200807164903001, JCYJ20190808155607340).

Abstract: The traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly over the past half-century. However, serious security incidents have arisen from attacks that exploit this traditional network design. Conventional security mechanisms (e.g., firewalls and intrusion detection systems) improve security, but most of them provide remedial measures rather than solving the address-security problem at its root, because the network design itself is left unchanged; without such a fundamental change, in-depth security of the networked system as a whole cannot be guaranteed. To meet the development requirements of a next-generation endogenously secure network, this paper takes one of the future networks, the multi-identifier network (MIN), as its research background and proposes an efficient, hierarchical security architecture that provides comprehensive protection by addressing the security aspects of the network and application layers. At the network layer, the architecture develops a multi-identifier routing and addressing scheme with embedded identity-based authentication and packet signatures, so that entities joining the network are trusted and data is tamper-resistant and traceable. At the application layer, the architecture designs a mimic defense scheme combined with weighted network centrality measures; the scheme concentrates protection on the core components of the whole network, improving service robustness and resisting potential attacks at the lowest possible defensive cost. The proposed scheme is evaluated both theoretically and experimentally: an analytical model based on a random walk is built for the theoretical evaluation, and in the experiments the scheme is implemented in MIN as MIN-VPN and compared against IP-VPN as a baseline in anti-attack tests. The results of the theoretical evaluation and the experiments show that the proposed scheme provides good transmission performance and successfully defends against various TCP/IP-based attacks at an acceptable defensive cost, demonstrating the effectiveness of the security mechanism. In addition, after long-period penetration testing in three international elite security contests, the proposed method proved effectively immune to all TCP/IP-based attacks from thousands of professional teams, which further verifies its strong security.

Key words: Network security, Multi-identifier network, Future network, Mimic defense, Network centrality measures

CLC number: TP393
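The network-layer mechanism in the abstract binds a routable identifier to an entity's key and signs every packet, which is what gives tamper-resistance and traceability. The Go program below is an added illustration of that pattern written for this page; it is not the paper's MIN code. It derives a source identifier from an Ed25519 public key (a CGA-style hash binding, an assumption of this example), signs a canonical encoding of the packet, and has the receiver check the identifier-to-key binding, the signature, and a per-source sequence number so that a validly signed packet cannot simply be replayed. The packet layout, field names and the 16-byte identifier length are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Packet is an illustrative signed datagram; the layout is assumed, not MIN's.
type Packet struct {
	SrcID   string            // identifier bound to the sender's key
	DstID   string
	Seq     uint64            // per-source sequence number, used to reject replays
	Payload []byte
	PubKey  ed25519.PublicKey // carried inline so no directory lookup is needed
	Sig     []byte
}

// DeriveIdentifier binds an identifier to a public key in the spirit of
// cryptographically generated addresses: first 16 bytes of SHA-256(pubkey).
func DeriveIdentifier(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// signedBytes is the canonical, length-prefixed encoding the signature covers,
// so (SrcID, DstID, Payload, Seq) cannot be re-split into a different tuple.
func signedBytes(p *Packet) []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(p.SrcID), []byte(p.DstID), p.Payload} {
		binary.Write(&b, binary.BigEndian, uint32(len(f)))
		b.Write(f)
	}
	binary.Write(&b, binary.BigEndian, p.Seq)
	return b.Bytes()
}

// Sign builds a packet whose source identifier is derived from the signing
// key itself and signs the canonical encoding.
func Sign(priv ed25519.PrivateKey, dst string, seq uint64, payload []byte) *Packet {
	pub := priv.Public().(ed25519.PublicKey)
	p := &Packet{SrcID: DeriveIdentifier(pub), DstID: dst, Seq: seq, Payload: append([]byte(nil), payload...), PubKey: pub}
	p.Sig = ed25519.Sign(priv, signedBytes(p))
	return p
}

var (
	ErrSpoofed  = errors.New("source identifier does not match the carried public key")
	ErrBadSig   = errors.New("signature does not verify")
	ErrReplayed = errors.New("sequence number is not fresh for this source")
)

// Verifier remembers the highest sequence number accepted from each source.
type Verifier struct{ lastSeq map[string]uint64 }

func NewVerifier() *Verifier { return &Verifier{lastSeq: map[string]uint64{}} }

// Accept checks cheapest-first: key length and identifier/key binding (one
// hash), then the signature, then replay. A spoofed source never costs a
// signature verification, and every accepted packet is attributable to its key.
func (v *Verifier) Accept(p *Packet) error {
	if len(p.PubKey) != ed25519.PublicKeySize || DeriveIdentifier(p.PubKey) != p.SrcID {
		return ErrSpoofed
	}
	if !ed25519.Verify(p.PubKey, signedBytes(p), p.Sig) {
		return ErrBadSig
	}
	if last, ok := v.lastSeq[p.SrcID]; ok && p.Seq <= last {
		return ErrReplayed
	}
	v.lastSeq[p.SrcID] = p.Seq
	return nil
}

func main() {
	_, alice, _ := ed25519.GenerateKey(rand.Reader)
	_, mallory, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier()
	p := Sign(alice, "bob", 1, []byte("GET /status"))
	fmt.Println("genuine:", v.Accept(p))
	fmt.Println("replay:", v.Accept(p))
	p2 := Sign(alice, "bob", 2, []byte("GET /status"))
	p2.Payload[0] = 'P' // modified in transit
	fmt.Println("tampered:", v.Accept(p2))
	p3 := Sign(mallory, "bob", 3, []byte("GET /status"))
	p3.SrcID = p.SrcID // Mallory claims Alice's identifier with her own key
	fmt.Println("spoofed:", v.Accept(p3))
}
```

Run with `go run`: the genuine packet is accepted, its replay is rejected, a payload byte flipped in transit fails the signature check, and a packet from another key that claims Alice's identifier fails the binding check before any signature is examined. The key-length check matters in practice because `ed25519.Verify` panics on a malformed key, so a receiver that skips it hands remote peers a crash primitive; the binding check being first means forged source identifiers cannot be used to burn verifier CPU on signature operations.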
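At the application layer the abstract describes choosing the components to wrap in mimic (heterogeneous, redundant) executors by weighted network centrality, so that a limited protection budget lands on the nodes whose compromise would hurt the service most. The Go program below is an added example of that selection step, written for this page rather than taken from the paper: it computes degree and betweenness centrality (Brandes' algorithm) on a small constructed service topology, mixes the normalised measures with assumed weights, and greedily protects the highest-scoring nodes while the summed protection cost stays within a budget. The topology, the weights (0.4 degree, 0.6 betweenness) and the per-node costs are constructed for illustration; the paper's own weighting is not reproduced.

```go
package main

import (
	"fmt"
	"sort"
)

// Graph is an undirected adjacency list.
type Graph map[string][]string

func (g Graph) AddEdge(a, b string) { g[a], g[b] = append(g[a], b), append(g[b], a) }

// nodes returns the node names sorted, so every pass is deterministic.
func (g Graph) nodes() []string {
	names := make([]string, 0, len(g))
	for n := range g {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// Betweenness is Brandes' algorithm on an unweighted, undirected graph: one BFS
// per source counts shortest paths (sigma), then dependencies (delta) are summed.
func Betweenness(g Graph) map[string]float64 {
	btw := map[string]float64{}
	for _, s := range g.nodes() {
		stack, queue := []string{}, []string{s}
		pred, sigma, dist := map[string][]string{}, map[string]float64{s: 1}, map[string]int{s: 0}
		for len(queue) > 0 {
			v := queue[0]
			queue = queue[1:]
			stack = append(stack, v)
			for _, w := range g[v] {
				if _, seen := dist[w]; !seen {
					dist[w] = dist[v] + 1
					queue = append(queue, w)
				}
				if dist[w] == dist[v]+1 { // v precedes w on a shortest path
					sigma[w] += sigma[v]
					pred[w] = append(pred[w], v)
				}
			}
		}
		delta := map[string]float64{}
		for i := len(stack) - 1; i >= 0; i-- {
			w := stack[i]
			for _, v := range pred[w] {
				delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
			}
			if w != s {
				btw[w] += delta[w] / 2 // undirected: each pair is seen from both ends
			}
		}
	}
	return btw
}

// Score mixes normalised degree d/(n-1) and normalised betweenness b/((n-1)(n-2)/2)
// with the given (assumed) weights; it needs at least three nodes.
func Score(g Graph, wDeg, wBtw float64) map[string]float64 {
	n, btw, score := float64(len(g)), Betweenness(g), map[string]float64{}
	for v, adj := range g {
		score[v] = wDeg*float64(len(adj))/(n-1) + wBtw*btw[v]/((n-1)*(n-2)/2)
	}
	return score
}

// SelectCore protects nodes in descending score order (ties broken by name) while
// the summed cost fits the budget; cost models the executor variants a mimic pool needs.
func SelectCore(score map[string]float64, cost map[string]int, budget int) []string {
	names := make([]string, 0, len(score))
	for n := range score {
		names = append(names, n)
	}
	sort.Strings(names)
	sort.SliceStable(names, func(i, j int) bool { return score[names[i]] > score[names[j]] })
	chosen, spent := []string{}, 0
	for _, n := range names {
		if spent+cost[n] <= budget {
			chosen, spent = append(chosen, n), spent+cost[n]
		}
	}
	return chosen
}

// SampleTopology is a constructed service graph (not from the paper): a gateway in
// front of auth, two API replicas and a monitor; the APIs share a database and cache.
func SampleTopology() (Graph, map[string]int) {
	g := Graph{}
	for _, e := range [][2]string{{"gw", "auth"}, {"gw", "api1"}, {"gw", "api2"}, {"gw", "mon"},
		{"api1", "db"}, {"api2", "db"}, {"auth", "db"}, {"api1", "cache"}, {"api2", "cache"}} {
		g.AddEdge(e[0], e[1])
	}
	return g, map[string]int{"gw": 3, "api1": 2, "api2": 2, "db": 4, "auth": 2, "cache": 1, "mon": 1}
}

func main() {
	g, cost := SampleTopology()
	fmt.Println("protect:", SelectCore(Score(g, 0.4, 0.6), cost, 7))
}
```

With budget 7 the selection is the gateway and the two API replicas, which together lie on almost every shortest path in the sample graph; the database has the same degree as an API replica but lower betweenness and a higher assumed cost, so it is skipped. The greedy rule keeps scanning lower-ranked nodes after one does not fit, so a cheap low-value node can still be added when budget remains; an exact knapsack would optimise the packing, but the ranking by centrality is the part the paper's analysis contributes, and it is what decides where the mimic executors go.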