Computer Science ›› 2023, Vol. 50 ›› Issue (3): 360-370.doi: 10.11896/jsjkx.220600265

• Information Security •

Efficiently Secure Architecture for Future Network

YANG Xin1, LI Hui1,2, QUE Jianming1, MA Zhentai1, LI Gengxin1, YAO Yao1, WANG Bin1, JIANG Fuli1,2   

  1. Peking University Shenzhen Graduate School, Shenzhen, Guangdong 518055, China
  2. Peng Cheng Laboratory, Shenzhen, Guangdong 518055, China
  • Received: 2022-06-28 Revised: 2022-09-23 Online: 2023-03-15 Published: 2023-03-15
  • About author: YANG Xin, born in 1994, Ph.D. Her main research interests include cyber security, future network architecture, and distributed storage systems.
    LI Hui, born in 1964, Ph.D., professor, is a member of the China Computer Federation. His main research interests include future network architecture, cyberspace security, distributed storage, and blockchain.
  • Supported by:
    Guangdong Province Research and Development Key Program (2019B010137001), National Key R & D Program of China (2017YFB0803204, 2017YFB0803200) and Shenzhen Fundamental Research Programs (GXWD20201231165807007-20200807164903001, JCYJ20190808155607340).

Abstract: The traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly over the past half-century. However, serious security incidents have emerged from attacks that exploit the traditional network itself. Conventional security mechanisms (e.g., firewalls and intrusion detection systems) improve security, but most of them only provide remedial measures rather than solving the address-security problem at its root, because the underlying network design is left unchanged. Without a fundamental change, the overall, in-depth security of a networked system cannot be guaranteed. To meet the development requirements of the next generation of endogenous-security networks, one of the future network architectures, the multi-identifier network (MIN), is taken as the research background. This paper proposes an efficient scheme with a hierarchical architecture that provides comprehensive protection by addressing the security aspects of both the network and application layers. At the network layer, the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper resistance and traceability. At the application layer, it designs a mimic defense scheme combined with weighted network centrality measures; this scheme focuses on protecting the core components of the whole network to improve service robustness and efficiently resist potential attacks. The proposed scheme is tested and evaluated from both theoretical and practical perspectives. For the theoretical evaluation, an analytical model is built based on a random walk. In the experiments, the proposed scheme is implemented in MIN as MIN-VPN, and, with IP-VPN as the baseline, anti-attack tests are conducted on both IP-VPN and MIN-VPN. The results of the theoretical evaluation and the experiments show that the proposed scheme provides excellent transmission performance and successfully defends against various TCP/IP-based attacks at an acceptable defensive cost, demonstrating the effectiveness of this security mechanism. In addition, after long-period penetration testing in three international elite security contests, the proposed method proved immune to all TCP/IP-based attacks from thousands of professional teams, verifying its strong security.

Key words: Network security, Multi-identifier network, Future network, Mimic defense, Network centrality measures

CLC Number: TP393