互联网内生安全体系结构研究进展  被引量：25

作　　者：徐恪[1,2,3] 付松涛 李琦 刘冰洋 江伟玉[5] 吴波 冯学伟 XU Ke;FU Song-Tao;LI Qi;LIU Bing-Yang;JIANG Wei-Yu;WU Bo;FENG Xue-Wei(Department of Computer Science and Technology,Tsinghua University,Beijing 100084;Beijing National Research Center for Information Science and Technology,Beijing 100084;Peng Cheng Laboratory,Shenzhen 518000;Institute for Network Science and Cyberspace,Tsinghua University,Beijing 100084;2012 Labs,Huawei Technology Co.Ltd.,Beijing 100085)

机构地区：[1]清华大学计算机科学与技术系,北京100084 [2]北京信息科学与技术国家研究中心,北京100084 [3]鹏城实验室,深圳518000 [4]清华大学网络科学与网络空间研究院,北京100084 [5]华为技术有限公司2012实验室,北京100085

出　　处：《计算机学报》2021年第11期2149-2172,共24页Chinese Journal of Computers

基　　金：国家重点研发计划课题(2018YFB0803405);国家杰出青年科学基金(61825204);国家自然科学基金(61932016,61802222);北京高校卓越青年科学家计划项目(BJJWZYJH01201910003011);国家研究中心项目(BNR2019RC01011);鹏城实验室大湾区未来网络试验与应用环境项目(LZC0019);华为技术有限公司委托项目(HF2019015003)资助.

摘　　要：随着互联网不断发展,网络功能逐步走向万物互联下自动交互与控制,大数据、云计算、边缘计算等技术不断深入应用,传统网络面临的源地址欺骗、DDoS攻击、路由劫持等安全问题仍然存在,新的应用场景使用户面临更严重的安全问题,现有互联网体系结构面向性能的设计难以承担网络安全的需求.互联网安全问题的根源在于体系结构设计时没有考虑安全需求,缺乏用户与网络的信任根基,由于体系结构设计缺失带来的问题应该从体系结构设计本身寻找解决方案.设计自带安全属性和安全能力的体系结构,通过内生的方式提供网络安全,能够从根本上提升网络安全性能.本文深入研究和总结了近年来针对互联网安全问题提出的各类解决方案,对方案的安全特性进行了分析,在此基础上提出了构建互联网内生安全体系结构的思路.With the development of the Internet,the functionality of the network extends to the automatic interaction and control under the interconnection of things.The security problems of the traditional network such as Source Spoofing,DDoS attack,and Route Hijacking still exist.At the same time,the technology of Big Data,Cloud Computing,as well as Edge Computing is applied to the Internet,brings new security problems.Therefore,the user in the network faced more security problems.The traditional Internet architecture,which is designed towards performance and lacks the foundation of trust between the users and network,is not enough to meet the security requirements of the network.To improve network security performance,there have been many different ideas for constructing the future Internet architecture,which mainly including the following designs:(1)The way repaired the problems of the network for incremental deployment to the existing Internet architecture;(2)The clean-slate design which abandons the existing Internet architecture,redesigns the network in a revolutionary way;(3)The evolutionary way which aims to resolve the existing or emerging problems of the Internet,while keep the backward compatibility as well as the incremental deployment,and eventually towards a new Internet architecture.We believe that only through the repaired way can't solve the inherent problems of the existing Internet architecture,while the clean-slate design,which is difficult to achieve incremental deployment,at least so far,have not shown instances of new applications or services that can be directly or indirectly deployed in the current Internet.The evolutionary way,which change the Internet as an evolving ecosystem,could not only achieve a stable transition but also bring innovations to meet the evolving requirements.We maintain that the evolutionary way can be adopted by the current Internet architecture and bring positive impact on the ecosystem which many millions of people live,work,and communicate.To achieve the evolutionary way,w

关 键 词：互联网 内生安全 互联网体系结构 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]