多自治域BGP-LDoS阶段式协作防御问题研究

The attacking behavior concealment of BGP-LDoS as well the destruction degree towards inter domain system are increasing severely, which make the existing security technologies difficult to respond these attacks effectively. By studying the characteristics of periodical behavior of BGP-LDoS attack, this project aims at exploring the cooperative defense methods in virtue of the control plane and the network resource between multiple autonomous systems. Three issues are focused on including multi-domain proactive defense model before attack, BGP-LDoS attack detection model in attack, multi-domain fast recovery model after attack. In order to disrupt the botnets from spying and discriminating on key node and link, the real-time routing random mutation and precomputed multipath hopping are fused on demand, to implement dynamic route transformation based proactive defense; establish certain candidate models by extracting and analyzing the traffic characteristics and routing system state characteristic, then the best model is selected according to the projection matching degree of abnormal detection catastrophe shape, which could be used to sense the BGP-LDoS; in order to guarantee the forwarding of surviving autonomous domains in multi-node / multi-link failure scenarios, as well as to guard against the potential secondary attack, the coding construction and subtree cutting and splicing algorithms are studied to generate the degree constrained minimum spanning tree to realize the routing failure recovery. Through the research above, it is aimed to provide theoretical and technical support for the secure and reliable operation of inter domain routing systems.

面向域间路由系统的BGP-LDoS攻击，其攻击行为隐蔽性、对域间通信的破坏性不断增强，使得现有域间安全技术难以有效应对。本课题通过研究BGP-LDoS攻击的阶段式特征，探索相应的多自治域协作防御方法，重点研究：拟按需融合实时性路由随机跳变和预计算多路径跳变，实施基于路由动态变换的主动防御；提取和分析路由流量特征与路由系统状态特征，根据异常检测突变流形的投影匹配度建立基于突变理论的攻击检测模型；研究编码表构建和子树裁剪拼接，基于度约束最小生成树实现多自治域的应急恢复。通过上述问题的研究，争取实现针对攻击前僵尸网络窥测与辨析的扰乱、攻击过程中BGP-LDoS行为的感知、攻击后失效场景的恢复以及潜在二次攻击的抑制，为域间路由系统的安全、可靠运行提供理论和技术上的支持。

由于BGP-LDoS攻击隐蔽性和破坏性的不断增强，已有域间路由安全技术研究大多聚焦于单一节点或单一问题。本课题通过研究BGP-LDoS攻击的阶段式特征，设计多自治域协作防御方法，包括：针对攻击前的多域主动防御模型，针对攻击中的BGP-LDoS检测模型，针对攻击后的多域应急恢复模型。代表研究成果主要包含以下几个方面：1. 构建了多域主动防御模型，提出基于遗传算法的预计算多路径跳变机制，按需生成路由候选集并融合路由跳变；提出基于AS-Path混淆的域间路由隐蔽通信机制，对路由更新数据报AS-Path属性实施混淆；两种机制共同扰乱僵尸网络攻击前的窥测与辨析，降低关键路由节点与链路被发掘及被锁定概率。2. 构建了BGP-LDoS检测模型，提出基于云模型的域间路由流量异常检测机制，利用正向云和后向云算法判定目标流量的异常情况；提出基于突变平衡态理论的BGP-LDoS攻击检测机制，通过提取和分析路由流量特征与路由系统状态特征，计算异常检测突变流形的投影匹配度，感知隐秘BGP-LDoS攻击；3. 构建了多域应急恢复模型，提出一种基于度约束最小生成树的失效恢复算法，通过编码表构建和子树裁剪拼接，利用度约束最小生成树实现多自治域的快速恢复，保障多节点/多链路失效场景中存活域的路由转发并防范攻击者可能发起的二次攻击。上述模型，为互联网域间路由系统安全研究提供新的思路和方法。项目实施过程中，课题组在“Computers, Materials & Continua”，“Personal and Ubiquitous Computing”等国内外期刊和会议上发表论文7篇，授权发明专利6项。

内容获取失败，请点击重试