一种基于AS安全联盟的域间路由系统拟态防护机制  被引量：1

作　　者：苗甫[1] 王振兴[1] 郭毅[1,2] 张连成[1] 

机构地区：[1]中国人民解放军信息工程大学,郑州450001 [2]清华大学网络科学与网络空间研究院,北京100084

出　　处：《计算机科学》2017年第9期148-155,共8页Computer Science

基　　金：国家自然科学基金(61402525;61402526;61472215;61502528);国家"863"高技术研究发展计划基金(2012AA012902)资助

摘　　要：针对域间路由系统的大规模低速率拒绝服务攻击(Low-rate DoS against BGP Session,BGP-LDoS)能够造成域间路由系统的整体瘫痪,而现有的检测方法和防护措施难以有效检测和防御此类攻击。BGP-LDoS攻击实施的前提是对域间路由系统的拓扑进行探测分析,获取关键链路的相关参数信息。网络拟态变换能够通过持续的动态变换来迷惑攻击者,增加攻击者对网络进行探测与分析的代价和复杂度,降低攻击成功的概率。借鉴拟态安全防御思想,提出了一种域间路由系统拓扑动态变换的防护方法,由系统中多个相邻自治系统(Autonomous System,AS)组成AS拟态联盟,在联盟内部进行拓扑等效变换。文中给出了实现的具体过程。对拓扑变换后的网络抗BGP-LDoS攻击的能力进行验证分析,实验结果表明,利用该方法可有效降低攻击者对网络拓扑分析的精确度,干扰其关键链路的选择过程,从而实现对BGP-LDoS攻击的防护。Large-scale low rate denial of service attack against BGP sessions can cause paralysis of the inter-domain rou- ting system as a whole. However,existing detection methods and protection measures are difficult to effectively detect and defense against such attacks. Detecting the topology of the inter-domain routing system and obtaining the key link parameters are fundamental steps to the BGP LDoS attack. Network＇s mimic transformation can provide continuous dy- namic transformation to puzzle the attacker,increase cost and complexity of the attacker＇s detection and analysis, reduce attack＇s success probability. From the view of mimic security defense, this paper presented an inter domain routing sys tern security alliance mechanism. The method uses neighboring autonomous systems form as an ally, and makes equi- valent topology transformation in the alliance. The realization of the specific process was given. The resilience of the BGP-LDoS attack after the mimicry transformation was checked and analyzed. Experimental results demonstrate that the method can effectively reduce the attacker＇s network topology analysis accuracy, and interference attacker＇s target link selection process. It can provide reliable protection for inter-domain system to against BGP-LDoS attack.

关 键 词：拟态变换 AS安全联盟 网络安全 域间路由 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]