Abstract
This paper proposes a Lightweight Multi-level Capabilities Mechanism (LMCM) for the next generation Internet to defend against denial-of-service attacks. LMCM distinguishes legitimate users from attackers by evaluating user behavior, and adopts a lightweight validation mechanism so that the core network does not have to perform complex computations. LMCM uses a multi-level capabilities mechanism to improve data transfer efficiency without lowering overall security, and can adapt to different security requirements. LMCM uses a hierarchical queue management mechanism to defend against Denial-of-Capability (DoC) attacks and to guarantee fair sharing of network resources. In addition, LMCM improves the flow control mechanism of TVA; the improved scheme can defend against certain complex network attacks that TVA cannot, making up for TVA's shortcomings in this respect. To obtain credible simulation results, LMCM selects the representative topologies needed for the experiments from the CAIDA dataset. Simulation results in different scenarios show that, compared with TVA, LMCM helps improve data transfer efficiency and enhance the scalability of the defense system.
An anti-DoS (Denial of Service) mechanism called LMCM (Lightweight Multi-level Capabilities Mechanism) for the next generation Internet is proposed. The LMCM distinguishes the malicious users and the benign users through their behaviors and adopts a lightweight validation mechanism to avoid heavyweight operations in the core network. It improves data transfer efficiency without lowering the overall security, meeting different security requirements. In order to defend against DoC (Denial-of-Capability) attacks caused by the capabilities and to guarantee fair sharing of the network resources, the LMCM adopts a hierarchical queue management mechanism. Furthermore, the LMCM improves the flow control mechanism to defend against other complicated attacks which cannot be defended in TVA (Traffic Validation Architecture) and makes up for the shortcomings and inadequacies of the TVA. In order to get convincing comparative results, we choose some representative topologies in the dataset of the CAIDA (Cooperative Association for Internet Data) as our experiment topologies. Simulation results in dissimilar scenarios indicate that the LMCM is conducive to improving the data transfer efficiency and enhancing the scalability of the defense system compared with the TVA.
Source
《计算机工程与科学》
CSCD
Peking University Core Journal
2012, Issue 11, pp. 14-20 (7 pages)
Computer Engineering & Science
Funding
National Natural Science Foundation of China (61272450)
Tianjin Science and Technology Support Program Key Project (08ZCKFGX00600)
Tianjin Municipal Education Commission Project (SB20080054)
Keywords
next generation Internet
network security
distributed denial of service
traffic validation architecture