
Research On Key Technologies Of Security Defense In Smart Collaborative Identifier Network

Posted on: 2019-06-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Y Yao
GTID: 1318330542487537
Subject: Communication and Information System
Abstract/Summary:
Recently, with the occurrence of network security events such as the PRISM plan, the e-mail scandal, and Internet fraud, network security has received more and more attention from countries all over the world. Smart Collaborative Identifier Network (SINET) is a novel network architecture, and its security is an important issue that must be considered. At present, research on the SINET mainly focuses on intelligent service matching and dynamic resource adaptation. To the best of our knowledge, none so far has paid attention to the security issue. Therefore, this dissertation focuses on the key theories and technologies related to security defense in the SINET. The separation mechanisms, Identifier/Locator Separation (ILSep) and Control/Data Separation (CDSep), are used to decouple identifier from locator, as well as the control plane from the data plane, in the SINET. This dissertation comprehensively analyzes the security of both mechanisms and focuses on sniffing and worm propagation in the core network, DDoS (Distributed Denial of Service) attacks on the terminal and the network, and the secure placement of network control nodes, in order to improve network security. This dissertation provides a theoretical basis and technical support for the large-scale deployment of the SINET. The main research points and innovations are outlined as follows:

1. A network security analysis model based on Petri Net is proposed to evaluate the separation mechanisms in the SINET. In this model, we first simplify the network structure of the SINET and abstract the basic communication mode. Then, we build a Petri Net model for the communication of the SINET. Finally, we analyze the security of the SINET and provide the defense strategy against the potential threats based on the analysis of tokens in the Petri Net. The comparison with other methods covers analysis object, state transition, logic analysis, reference models, and model graph. The result shows that the model in this paper has a specific analysis process in all aspects, and it is more comprehensive and rigorous than the others.

2. An Overall-transparent Dynamic Identifier-mapping Mechanism (ODIM) is proposed to manage the identifiers of network nodes to defend against scanning and worms. The selection constraint and allocation constraint are established based on the Identifier/Locator separation mechanism. The selection algorithm and allocation algorithm are given to solve the constraints. The not-repeat probability and cover cycle are provided to evaluate the defense efficiency. We also propose the probability for routing identifiers and derive the defense efficiency of ODIM against worm propagation. Simulation results and theoretical analysis show that the proposed method effectively reduces the detection probability of routing identifiers and improves defense capabilities against worm propagation.

3. A target-node-oriented attack detection method is provided to defend against DDoS attacks on the terminal in the SINET. Considering the characteristics of the SINET and of DDoS attacks, feature vectors based on the destination address are designed and regarded as the detection elements for DDoS attacks. The GHSOM algorithm is introduced to statistically analyze the sampled network data. The feasibility analysis indicates a significant difference in the feature vectors between normal and attacked communications. Three attack modes are simulated, and the results show that the proposed DDoS attack detection method has higher detection efficiency and sensitivity than the traditional flow-based six-tuple method under different speed ratios of attacking packets to normal packets.

4. An effective detection method used in the access network is proposed to defend against the new DDoS attack with low traffic and large data, which disrupts the communication between the access router node and the mapping service node. This method can locate the port to which the attacker is connected. According to the size of the flows, the proposed method divides the flows into normal data flows and low-traffic data flows. After a flow is received, the statistical tool Sequential Probability Ratio Test is used to determine whether the target port is fragile with the two kinds of wrong judgment, true negative and false positive. The DARPA conflict detection data set is selected to evaluate this method. Simulation experiments and evaluation verify that the proposed method performs better than three other detection methods, i.e., percentage-based detection, count-based detection, and entropy-based detection, in terms of sensitivity, functional diversity, and accuracy.

5. Considering the Propagation Delay (PD) and Transmission Delay (TD), a delay-aware network control node placement for fast and secure response is proposed to improve the consistency of SINET security management. TD is added to the existing delay models, which consider only PD, to update the average delay minimization model and the maximum time delay minimization model. Further, a delay optimization model is deduced using Fuzzy Set Theory. Finally, according to whether or not TD is considered, two placement algorithms, i.e., the Transmission and Propagation Algorithm (TPA) and the Propagation Algorithm (PA), are presented. To measure the performance of the solutions, the SNDlib data source is utilized. The simulation result shows that TPA is superior to PA in terms of response speed and network stability, and that the total delay of the delay optimization model is less than that of the others.
Keywords/Search Tags:Smart Collaborative Identifier Network, Security Defense, Network Sniffing, Mapping Management, Worm Propagation, Anomaly Detection, DDoS Attack