
Fog Computing-Based Firewall in Information-Centric Networking
Information-centric networking (ICN) provides network protocols oriented to the information itself, including a content-centric subscription mechanism and semantics-driven naming, routing and caching strategies, and has shown great potential for mitigating the attacks that afflict current IP-address-based networking. This paper proposes a smart firewall model for ICN: a content-isolation firewall built on semantic inference, which uses fog computing-based ICN firewall technology to sense content threats from the ICN and to generate customized filtering policies for different contents. After analyzing the types of attack that ICN faces and reviewing the development of fog computing architectures in ICN, the paper describes the fog computing-based ICN firewall architecture from three aspects: the overall structure of content defense, the host-oriented standalone defense fog model, and the network-oriented regional defense fog model. To alleviate interest flooding attacks, it also proposes an ICN-oriented detection and defense mechanism. Finally, an ndnSIM network simulation platform is built to evaluate the ICN cache hit rate and network communication delay, verifying the feasibility and efficiency of the fog computing-based ICN firewall technology and the associated defense algorithm.
information-centric networking / fog computing / interest flooding attack / firewall