A Routing and Switching Paradigm System for Defending Against Data Interception Attacks (cited by: 6)

Paradigm-Based Routing & Switching System for Data Interception Attacks
Abstract (translated from the Chinese): In recent years, attacks that exploit vulnerabilities in routing and switching devices to eavesdrop on user traffic have been exposed repeatedly, highlighting the importance of secure information transmission in core networks. Because users and network operators do not control the device vulnerabilities, such attacks are low-cost, covert, unidirectional and persistent, and are hard to recognize and constrain. By analyzing the abnormal service behaviors that a routing or switching device with an embedded vulnerability may perform, this paper proposes a static routing and switching paradigm system. The security completeness of this system against attacks that exploit device vulnerabilities to eavesdrop on user traffic can be proven, and its paradigm rules apply generally to TCP/IP networks. A paradigm detector device model is designed on the basis of this system; the model can be designed and implemented, and the device can detect output packets of the routing or switching device that violate the paradigm. System simulation results show that the paradigm device designed in this paper passes all normal packets while recognizing and constraining more than 99.92% of eavesdropping packets, and the throughput of the routing or switching device under detection can reach the Gbps level.

Abstract (English): In recent years, network attacks in which adversaries take advantage of router/switch vulnerabilities to perform data interception continue to be exposed, which highlights the importance of secure communication within core networks. As the most affected victims, users and Internet Service Providers have little control over router vulnerabilities, which results in such attacks always being performed through low-cost, unidirectional, concealed mechanisms, and being difficult to recognize, let alone restrain. Researchers have proposed many solutions, and most of them are able to prevent or mitigate data interception attacks; however, it is our humble opinion that these solutions are either only fit for specific core networks and specific types of DIAs, or are difficult to implement. To the best of our knowledge, there are still no security-complete, universal and easily implementable mechanisms for defending against data interception attacks. Based on analyzing all possible abnormal behaviors that vulnerable routers and switches perform, this paper designs and implements a static routing and switching paradigm, a paradigm-based detection algorithm and a detector model to recognize the paradigm-violating output packets. It proves that the routing and switching paradigm is security complete with respect to data interception attacks. Also, all rules of the paradigm are universally applicable to TCP/IP networks, the detector is designable, and the paradigm violations are detectable. The detection algorithm is optimized to gain high performance. Based on simulations, we show that not only can 100% of normal packets pass through the optimized paradigm-based detector, but also about 99.92% of intercepting ones would be caught. In addition, the throughput of the detected routers/switches can reach the Gbps level.
Source: Chinese Journal of Computers (计算机学报), indexed in EI and CSCD, Peking University core journal, 2017, No. 7, pp. 1649-1663 (15 pages)
Funding: National High Technology Research and Development Program ("863" Program) project "Key Technologies and Verification of Address-Driven Networks" (2015AA015601)
Keywords (translated from the Chinese): traffic interception attacks; routing and switching paradigm system; device vulnerabilities; core network; paradigm detector device
Keywords (English): data interception attacks; paradigm-based routing and switching system; vulnerabilities; core network; paradigm-violations detector