基于特征融合相似度的域间路由系统安全威胁感知方法

A threat perception method for inter-domain routing systems based on weighted similarity

针对域间路由系统的网络攻击技术日益复杂,尤其是近年出现的基于大规模LDo S(low-rate denial of service)的跨平面攻击,其造成的危害远大于传统网络攻击.已有域间路由系统安全技术主要研究如何解决BGP(border gateway protocol)协议缺乏路由真实性验证机制的问题,而针对域间路由系统的大规模LDo S攻击利用的是BGP协议自适应机制的特性,且用于LDo S攻击的流量与许多真实数据流的特征类似,使得现有很多方法难以有效应对.本文提出一种基于加权相似度的域间路由系统安全威胁感知方法,利用多个特征融合描述域间路由系统的安全状态,并结合网络流量的自相似特性,运用加权相似度计算方法量化实时特征值与正常态特征值的偏差,由此评估域间路由系统的安全状态.进一步,通过跟踪安全特征的实时变化情况,即可推断域间路由系统遭受攻击的类型.实验结果表明,该方法能够实现对域间路由系统安全状态的有效评估,在遭受控制平面攻击或数据平面攻击的初期阶段即能感知威胁,为网络管理员及时制定有效的应对策略提供可靠参考.

BGP（border gateway protocol） based inter-domain routing systems play an important role in the Internet. However, the BGP has certain design flaws, which result in many serious security problems for interdomain routing systems. Compared to traditional attacks, such as prefix hijacking, large-scale LDo S attacks against inter-domain routing systems are extremely hard to detect, which is reflected in its attack traffic and reactions appearing to be legal. The concealment of such attacks makes existing security solutions insufficient.In this paper, we first analyze the feasibility of utilizing similarity theory for assessing the security situations in inter-domain routing systems. We then propose a similarity-theory-based method for evaluating the security situations in inter-domain routing systems. It uses multiple characteristics to describe the system security situation collectively and evaluates the security situation by measuring the deviation degree of the security characteristics to their norms. Because the ability of each characteristic to represent different attacks is not the same, we make use of weighted similarity to assess the deviation of the fusion characteristics from their normal state at various times. Experimental results show that our method can perceive threats in their early stages, regardless of an inter-domain routing system suffering from control plan attacks or data plan attacks.