Research on Key Technologies of Mapping Security in the Identifier/Locator Separation Architecture
Abstract
In the traditional Internet architecture, the dual semantics of the IP address cause serious problems in routing scalability, mobility and security. Separating the two semantics of the IP address, that is, separating a node's identity from its location, has therefore become one of the hot topics in research on future Internet theory and technology. The mapping mechanism is the key technology of the identifier/locator separation architecture; current research on it focuses mainly on concrete implementation and performance evaluation, while research on its security has not yet been widely carried out. This dissertation therefore studies the key theories and technologies related to mapping security. The main work and contributions are as follows:
     1. To analyse the effect of identifier/locator separation mapping on network worm propagation, a semantics-separation propagation model based on AAWP and a mapping-latency propagation model based on SIR are proposed. Using these models, worm propagation in the traditional Internet and in the identifier/locator separation architecture is analysed numerically and compared. The results show that, in the identifier/locator separation architecture, the separation of the dual semantics of the IP address and the mapping latency of the mapping mechanism can effectively slow worm propagation.
     2. An anomaly detection method based on mapping request traffic is proposed. It uses the cumulative sum algorithm to raise alarms on abnormal traffic, gives design considerations for the mapping cache timeout of the access router, and designs a mapping request threshold mechanism to decouple the mapping request traffic from the mapping cache. Simulation experiments and evaluation verify the early-warning property of the method, its detection effectiveness, and the feasibility of the mapping request threshold mechanism; theoretical analysis gives the impact of abnormal mapping request traffic on mapping servers and the false positive and false negative problems of the method.
     3. A double-threshold defence method against DoS attacks on the mapping cache is proposed. First, an iteration-based puzzle mechanism is designed to reduce the rate at which mapping entries are added to the mapping cache; then a trust-value algorithm for mapping information is proposed to identify and filter malicious mapping entries in the cache, thereby preventing mapping cache overflow. Analysis shows that the method is effective and superior, and that the iteration-based puzzle mechanism has a significant security advantage.
     4. A trust-model-based method for preventing mapping spoofing is proposed. The method builds a feedback-evaluation-based trust model into the mapping mechanism and uses self-certifying identifiers to represent the identity of access routers, which strengthens the trustworthiness of mapping information and resists possible mapping spoofing attacks. Theoretical analysis shows that the method has good security and deployability; numerical analysis and simulation experiments verify its effectiveness in preventing mapping spoofing attacks.
     5. An identity authentication mechanism that guarantees the authenticity of mapping sources is designed, consisting mainly of an initial access authentication scheme and a sustainable authentication scheme. By using an identity tag to bind the access user's digital certificate to the terminal's identifier, the mechanism guarantees the authenticity of the mapping source's identity at initial access and its sustained trustworthiness afterwards. Analysis shows that the mechanism has good security and low computational overhead, and can guarantee the authenticity of the mapping source's identity effectively over the long term.
In today's Internet, it is commonly recognized that the dual semantics of the IP address have brought about serious problems, such as routing scalability, mobility and security. To address these problems, there is an increasing consensus that identifier/locator separation is a promising solution in research on the future Internet architecture. As the key technology of the identifier/locator separation architecture, the mapping service has been widely studied in terms of implementation methods and performance evaluation. However, research on mapping security is rarely seen. Therefore, this dissertation focuses on the key theories and technologies of mapping security. The main research points and innovations are outlined as follows:
     1. To address the worm propagation problem as affected by identifier/locator separation and mapping, a semantics-separation worm propagation model based on AAWP and a mapping-latency worm propagation model based on SIR are proposed. Through numerical analysis and quantitative comparison between today's Internet and the identifier/locator separation architecture, the results show that the semantics separation of the IP address and the mapping latency of the mapping service can markedly help to alleviate worm propagation.
     2. A novel anomaly detection approach based on mapping request traffic is proposed to identify and diagnose aberrant network behaviour. The approach introduces the cumulative sum algorithm for change-point detection and gives design considerations for the mapping cache timeout. In addition, a practical mapping request threshold algorithm is proposed to decouple the mapping request traffic from the mapping cache. The simulation results show that the approach has notable advantages, including advance alarm and detection efficiency, and that the mapping request threshold algorithm is feasible. The dissertation also discusses the influence of abnormal mapping request traffic on the mapping servers and the possible false positive and false negative problems.
     3. An efficient defence approach based on a double-threshold scheme is proposed to prevent potential DoS attacks against the mapping cache. To resist mapping cache overflow, the approach presents a novel iteration-based puzzle challenge mechanism to decrease the growth rate of mapping entries, and also gives a trust-value algorithm for mapping information to identify and filter out malicious mapping entries. From the analytical results, we can see that the approach is efficient and feasible for preventing DoS attacks against the mapping cache, and that the iteration-based puzzle challenge mechanism has obvious security advantages.
     4. A new defence approach based on a reputation model is proposed to prevent mapping spoofing that may occur in the mapping service. To increase the trustworthiness of mapping information, the approach introduces a feedback-evaluation-based reputation model into the mapping service and uses self-certifying identifiers to represent the identity information of tunnel routers. Based on theoretical analysis, the dissertation shows the distinct advantages of the approach in security and deployment. In addition, numerical analysis and simulation results show that the approach is effective in reducing the hazards of mapping spoofing.
     5. An original identity authentication mechanism, consisting mainly of an initial access authentication scheme and a sustainable authentication scheme, is proposed to assure the authenticity and credibility of the mapping sources. The mechanism introduces an identity tag to bind the user's digital certificate to the terminal's identifier, and establishes the real relationship between the user's identity and the terminal. From the analytical results, we can see that the mechanism has improved security and low computation cost, and can successfully guarantee the authenticity and sustained credibility of the mapping sources.
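As an added illustration of the cumulative-sum change-point detection named in contribution 2 of both abstracts (this is my own example, not code from the dissertation), the block below runs a non-parametric CUSUM over constructed per-interval mapping request counts and compares it with a naive fixed threshold. The baseline-freeze rule, the parameter values (alpha, a, h) and the sample series are assumptions of mine, not details taken from the dissertation.

```python
"""Non-parametric CUSUM over per-interval mapping request counts (added example)."""

from dataclasses import dataclass

# Constructed sample: Map-Request counts per interval as seen at one access
# router. The first 20 intervals are normal (~100 +/- 5); two kinds of
# anomaly are appended below. All values are made up for illustration.
NORMAL = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96,
          105, 99, 101, 103, 97, 100, 102, 98, 101, 99]
# Sustained moderate surge: 1.6x normal, never reaching 2x normal.
SUSTAINED_SURGE = NORMAL + [160] * 8
# Ramp: request rate grows by 20 per interval.
RAMP = NORMAL + [120, 140, 160, 180, 200, 220, 240, 260]


@dataclass
class CusumDetector:
    """CUSUM on the relative excess of each count over an EWMA baseline.

    stat_n = max(0, stat_{n-1} + x_n - a), where x_n is the relative excess of
    the current count over the baseline and a is the drift allowance; an alarm
    fires once stat_n > h. The baseline adapts only while stat is zero, so a
    build-up of suspicious traffic cannot train the baseline upward (my own
    design choice, not necessarily the dissertation's).
    """
    alpha: float = 0.1   # EWMA weight for the baseline
    a: float = 0.3       # drift allowance as a fraction of the baseline
    h: float = 1.0       # alarm threshold on the accumulated drift
    baseline: float = 0.0
    stat: float = 0.0
    seen: int = 0

    def update(self, count: int) -> bool:
        self.seen += 1
        if self.seen == 1:
            self.baseline = float(count)   # first sample seeds the baseline
            return False
        x = (count - self.baseline) / max(self.baseline, 1.0)
        self.stat = max(0.0, self.stat + x - self.a)
        if self.stat == 0.0:
            self.baseline = (1 - self.alpha) * self.baseline + self.alpha * count
        return self.stat > self.h


def cusum_alarm_index(counts, **params) -> int:
    """Index of the first interval at which the CUSUM detector alarms, or -1."""
    det = CusumDetector(**params)
    for i, c in enumerate(counts):
        if det.update(c):
            return i
    return -1


def fixed_threshold_alarm_index(counts, train: int = 20, factor: float = 2.0) -> int:
    """Naive comparison: alarm when a count exceeds factor x the training mean."""
    thresh = factor * sum(counts[:train]) / train
    for i, c in enumerate(counts[train:], start=train):
        if c > thresh:
            return i
    return -1


def compare(counts) -> dict:
    """Alarm interval of both detectors for one series (-1 = no alarm)."""
    return {"cusum": cusum_alarm_index(counts),
            "fixed": fixed_threshold_alarm_index(counts)}


if __name__ == "__main__":
    print("normal only:", cusum_alarm_index(NORMAL))   # -1: jitter never accumulates
    print("sustained:  ", compare(SUSTAINED_SURGE))    # {'cusum': 23, 'fixed': -1}
    print("ramp:       ", compare(RAMP))               # {'cusum': 24, 'fixed': 25}
```

The sustained case is the one a fixed threshold misses entirely, while in the ramp case CUSUM fires one interval before the fixed threshold; with the baseline frozen during an alarm, the accumulated statistic also decays back to zero only once traffic returns below the allowance.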