
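A Lightweight Multi-Level Capabilities Mechanism for Next Generation Internet
Cite this article: ZHANG Hong-hao, WANG Jin-song, LIU Tao. A Lightweight Multi-Level Capabilities Mechanism for Next Generation Internet[J]. Computer Engineering & Science, 2012, 34(11): 14
Authors: ZHANG Hong-hao, WANG Jin-song, LIU Tao
Affiliation: School of Computer and Communication Engineering, Tianjin University of Technology, Tianjin 300384
Funding: National Natural Science Foundation of China project; Tianjin Science and Technology Support Program key project; Tianjin Municipal Education Commission project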
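Abstract: This paper proposes a lightweight multi-level Capabilities mechanism (LMCM) for the next generation Internet to defend against denial-of-service attacks. LMCM evaluates user behavior to distinguish legitimate users from attackers, and uses a lightweight validation mechanism so that the core network does not have to perform complex computation. Its multi-level Capabilities mechanism improves data transfer efficiency without lowering overall security, and can adapt to different security requirements. LMCM uses a hierarchical queue management mechanism to defend against Denial-of-Capability (DoC) attacks and to guarantee fair sharing of network resources. In addition, LMCM improves the flow control mechanism of TVA; the improved scheme can defend against certain complex network attacks that TVA cannot, making up for TVA's shortcomings and deficiencies in this respect. To obtain credible simulation results, representative topologies needed for the experiments are selected from the CAIDA dataset. Simulation results in different scenarios show that, compared with TVA, LMCM helps improve data transfer efficiency and enhances the scalability of the defense system.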

Keywords: next generation Internet; network security; distributed denial of service; traffic validation architecture

A Lightweight Multi-Level Capabilities Mechanism for Next Generation Internet
ZHANG Hong-hao, WANG Jin-song, LIU Tao. A Lightweight Multi-Level Capabilities Mechanism for Next Generation Internet[J]. Computer Engineering & Science, 2012, 34(11): 14
Authors: ZHANG Hong-hao, WANG Jin-song, LIU Tao
Abstract: An anti-DoS (Denial of Service) mechanism called LMCM (Lightweight Multi-level Capabilities Mechanism) for the next generation Internet is proposed. LMCM distinguishes malicious users from benign users through their behavior and adopts a lightweight validation mechanism to avoid heavyweight operations in the core network. It improves data transfer efficiency without lowering overall security, and meets different security requirements. To defend against DoC (Denial-of-Capability) attacks caused by the capabilities and to guarantee fair sharing of network resources, LMCM adopts a hierarchical queue management mechanism. Furthermore, LMCM improves the flow control mechanism to defend against other complicated attacks that cannot be defended against in TVA (Traffic Validation Architecture), making up for the shortcomings and inadequacies of TVA. To obtain convincing comparative results, we choose some representative topologies in the dataset of CAIDA (Cooperative Association for Internet Data) as our experiment topologies. Simulation results in dissimilar scenarios indicate that, compared with TVA, LMCM is conducive to improving data transfer efficiency and enhancing the scalability of the defense system.
Keywords: next generation Internet; network security; distributed denial of service; traffic validation architecture
This article is indexed in Wanfang Data and other databases.