Abstract
VPN technology effectively protects the confidentiality and integrity of communication traffic, but the traffic hijacking attack known as blind in/on-path, which has emerged in recent years, exploits VPN protocol rules to inject forged packets into the encrypted tunnel and seriously threatens the security of VPNs. To counter this threat, this paper proposes a VPN traffic hijacking defense based on mimic defense and designs a mimic VPN architecture (Mimic VPN, M-VPN). The architecture consists of a scheduler and a node pool containing multiple heterogeneous VPN encryption/decryption nodes. First, the scheduler dynamically selects several encryption/decryption nodes according to their credibility to process the encrypted traffic in parallel; then the results produced by the individual nodes are adjudicated together; finally, the adjudication result is used as the response packet and as the basis for updating node credibility. By adjudicating the same response from different nodes, the attacker is effectively prevented from injecting forged packets. Simulation results show that, compared with a traditional VPN architecture, M-VPN reduces the success rate of blind in/on-path attacks by about 12 orders of magnitude.
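As an added illustration of the select / process-in-parallel / adjudicate / update-credibility loop the abstract describes (this is not code from the paper or from the authors), the following Python model runs one packet through several heterogeneous decryption nodes and takes a majority verdict. The toy XOR-keystream cipher, the HMAC tag, the node names, the credibility increments and the hypothetical "lax" node that skips tag verification are all constructed for the demo and are not the paper's design.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Tuple

KEY = b"constructed-demo-tunnel-key"   # constructed shared key, demo only
REJECT = b"<REJECT>"                   # verdict value for "drop this packet"


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (demo only, not a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """nonce(12) || ciphertext || HMAC tag(16): a minimal authenticated tunnel packet."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def strict_open(key: bytes, packet: bytes) -> bytes:
    """Correct node: verifies the tag before decrypting, otherwise rejects."""
    nonce, ct, tag = packet[:12], packet[12:-16], packet[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return REJECT
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def lax_open(key: bytes, packet: bytes) -> bytes:
    """Hypothetical flawed node: decrypts without checking the tag (assumed weakness)."""
    nonce, ct = packet[:12], packet[12:-16]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


@dataclass
class Node:
    name: str
    open_fn: Callable[[bytes, bytes], bytes]
    credibility: float = 1.0


class MimicVPN:
    """Scheduler + node pool + majority adjudication, modelled after the abstract."""

    def __init__(self, key: bytes, nodes: List[Node], k: int = 3):
        self.key, self.nodes, self.k = key, nodes, k

    def select(self) -> List[Node]:
        # Dynamic selection: the k most credible nodes (stable sort keeps pool order on ties).
        return sorted(self.nodes, key=lambda n: n.credibility, reverse=True)[: self.k]

    def process(self, packet: bytes) -> Tuple[bytes, List[str]]:
        chosen = self.select()
        results = {n.name: n.open_fn(self.key, packet) for n in chosen}
        verdict, votes = Counter(results.values()).most_common(1)[0]
        if votes * 2 <= len(chosen):          # no strict majority: treat as forged
            verdict = REJECT
        # Credibility update: agree with the verdict -> small reward, dissent -> large penalty.
        for n in chosen:
            if results[n.name] == verdict:
                n.credibility = min(1.0, n.credibility + 0.05)
            else:
                n.credibility = max(0.0, n.credibility - 0.3)
        return verdict, [n.name for n in chosen]


def build_demo() -> MimicVPN:
    """Constructed pool: three correct nodes and one flawed node, k=3 selected per packet."""
    pool = [Node("strict-A", strict_open), Node("strict-B", strict_open),
            Node("lax-C", lax_open), Node("strict-D", strict_open)]
    return MimicVPN(KEY, pool, k=3)


if __name__ == "__main__":
    vpn = build_demo()
    legit = seal(KEY, b"\x00" * 12, b"hello")
    forged = b"\x01" * 12 + b"\xaa" * 5 + b"\x00" * 16   # constructed: no valid tag
    print(vpn.process(legit))    # all selected nodes agree -> b'hello'
    print(lax_open(KEY, forged) != REJECT)  # a lone flawed node would accept it
    print(vpn.process(forged))   # majority rejects; lax-C loses credibility
    print(vpn.process(forged))   # lax-C is no longer selected
```

The point the model makes is the one the abstract makes: a forged packet that a single flawed implementation would accept is outvoted when the same packet is processed by heterogeneous nodes, and the dissenting node's credibility drops so the scheduler stops selecting it.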
Authors
高振
陈福才
王亚文
何威振
GAO Zhen; CHEN Fucai; WANG Yawen; HE Weizhen (People's Liberation Army Strategic Support Force Information Engineering University, Zhengzhou 450001, China)
Source
Computer Science (《计算机科学》)
Indexed in CSCD and the Peking University Core Journal list (北大核心)
2023, No. 11, pp. 340-347 (8 pages)
Funding
National Key R&D Program of China (2021YFB1006200, 2021YFB1006201)
National Natural Science Foundation of China (62072467, 62002383).