| 鲁宁,张俊伟,马建峰,程庆丰,张嘉伟,王尚广.联盟模式下高效单包溯源方法研究.软件学报,2020,31(12):3880-3908 |
| 联盟模式下高效单包溯源方法研究 |
| Efficient Single-packet Traceback Approach Based on Alliance Theory |
| 投稿时间:2019-02-17 修订日期:2019-06-14 |
| DOI:10.13328/j.cnki.jos.005882 |
| 中文关键词: 互联网 网络安全 IP匿名 单包溯源 可部署性 |
| 英文关键词:Internet network security IP anonymity single-packet traceback deployability |
| 基金项目:国家自然科学基金(62072092,62072093,61601107,U1708262,61872449);中国博士后科学基金(2019M653568);河北省自然科学基金(F2015501122,F2020501013);中央高校基本科研业务费(N2023020) |
|
| 摘要点击次数: 413 |
| 全文下载次数: 588 |
| 中文摘要: |
| IP协议的“无状态”特征引发了许多网络安全管理问题.为此,人们提出了单包溯源技术.然而,已有方法因激励性能低、无法增量部署、维护成本高等问题,一直未被大规模推广.基于此,提出一种联盟模式下高效单包溯源方法,简称TIST.该方法首先在大规模网络上构建溯源联盟体系结构,通过剪除搭便车自治域来提高部署激励性;然后,通过融合IP流标记和对等过滤技术,设计一种面向溯源联盟的链路指纹建立策略,它能弱化自治域之间的溯源耦合性,实现增量部署;最后,定义一种新的面向网络前缀的计数布鲁姆过滤器,并通过优化其参数,使溯源路由器能够快速识别溯源分组,进而实现链路指纹的选择性建立,降低维护成本.通过理论分析和基于大规模真实和人工互联网拓扑的仿真实验,结果表明:相对于以往方案,TIST在可部署性方面确实有了很大的改善. |
| 英文摘要: |
| Single-packet traceback, as a key technology to solve the network security management issues caused by the "statelessness" of IP protocol, has drawn significant attentions in recent years. However, the prior work has not been widely used due to the following disadvantages: 1) inability to deploy incrementally; 2) lack of deployment incentives, i.e., none deployer can gain free riding; 3) high maintenance costs. This study proposes an efficient single-packet traceback approach based on alliance theory termed as TIST. It firstly establishes the traceability alliance on the large scale networks, so as to remove free-rider ASes and improve the deployment incentives. Secondly, it designs link fingerprint establishment strategy towards traceability alliance through combining IP stream labeling and peer-to-peer filtering technics, which can weaken the traceability coupling between autonomous domains and achieve incremental deployment. Finally, it defines a novel counting Bloom Filter towards network prefixes. By optimizes its parameters, the traceable routers can quickly identify the traceable packets, and achieve the selective establishment of link fingerprints. Extensive mathematical analysis and simulations are performed to evaluate the proposed approach. The results show that the proposed approach significantly out performs the prior approaches in terms of the deploy ability. |
|
HTML 下载PDF全文 查看/发表评论 下载PDF阅读器 |
