
A Secure and Efficient Protection Architecture for Future Networks (original title: 面向未来网络的安全高效防护架构)

Efficiently Secure Architecture for Future Network
Abstract (translated from the Chinese): The traditional Internet provides an end-to-end transport service and has flourished over the past half century. In recent years, however, network attacks based on this architecture have caused serious security problems. Following the trend toward next-generation networks with endogenous security, and taking the future multi-identifier scenario as the research background, this paper proposes a hierarchical, secure and efficient protection architecture that provides comprehensive protection from the network layer to the application layer. At the network layer, the architecture proposes a multi-identifier routing and addressing scheme with embedded identity authentication and packet signatures, ensuring that entities joining the network are trustworthy and that data is tamper-resistant and traceable. At the application layer, the architecture designs a mimic defense scheme combined with a weighted centrality algorithm, which selects the core components of the network for focused protection, improving service robustness against potential attacks at the lowest possible defensive overhead. The proposed scheme is evaluated both by theoretical analysis and by prototype experiments in multiple scenarios. The experimental results show that the scheme provides good transmission performance at a low defensive cost, renders TCP/IP-based attack methodologies ineffective, and is immune to the various attack techniques of the traditional network architecture, demonstrating the effectiveness of the proposed security protection architecture.

Abstract (English, as published): Traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly in the past half-century. However, serious security incidents emerged from attacks based on traditional networks. Traditional security mechanisms (e.g., firewalls, intrusion detection systems) enhance security. However, most of them only provide some remedial strategies rather than solve the address-security problem radically, due to the lack of change in network design. The overall in-depth security of the networked system cannot be guaranteed without a fundamental change. In order to meet the development requirements of the next generation of an endogenous security network, one of the future networks, the multi-identifier network (MIN), is introduced as our research background. This paper proposes an efficient scheme in a hierarchical architecture that provides comprehensive protection by addressing the security aspects pertaining to the network and application layers. At the network layer, the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper-resistance and traceability. At the application layer, the proposed architecture designs a mimic defensive scheme combined with weighted network centrality measures. This scheme focuses on protecting the core components of the whole network to improve the service's robustness and efficiently resist potential attacks. This paper tests and evaluates the proposed scheme from a theoretical and practical perspective. An analytical model is built based on the random walk for theoretical evaluation. In experiments, the proposed scheme is developed in MIN as MIN-VPN. Then, considering IP-VPN as a baseline, anti-attack tests are conducted on IP-VPN and MIN-VPN. The results of theoretical evaluations and experiments show that the proposed scheme provides excellent transmission performance and successful defense against various TCP/IP-based attacks with acceptable defensive cost, demonstrating this security mechanism's effectiveness. In addition, after long-period penetration testing in three international elite security contests, the proposed method is effectively immune to all TCP/IP-based attacks from thousands of professional teams, thus verifying its strong security.
Authors: 杨昕 李挥 阙建明 马震太 李更新 姚尧 王滨 蒋傅礼 (YANG Xin; LI Hui; QUE Jianming; MA Zhentai; LI Gengxin; YAO Yao; WANG Bin; JIANG Fuli). Affiliations: Peking University Shenzhen Graduate School, Shenzhen, Guangdong 518055, China; Peng Cheng Laboratory, Shenzhen, Guangdong 518055, China.
Source: Computer Science (《计算机科学》), CSCD-indexed, Peking University core journal, 2023, No. 3, pp. 360-370 (11 pages).
Funding: Guangdong Key-Area Research and Development Program (2019B010137001); National Key R&D Program of China (2017YFB0803204, 2017YFB0803200); Shenzhen Basic Research Projects (GXWD20201231165807007-20200807164903001, JCYJ20190808155607340).
Keywords: Network security; Multi-identifier network; Future network; Mimic defense; Network centrality measures