Background technology
A wireless mesh network (WMN, Wireless MESH network) is a multi-hop broadband wireless network with self-organizing and self-healing properties. Each node in a wireless MESH network is interconnected with the others over wireless multi-hop paths through its adjacent network nodes. The nodes of such a network fall into two classes: terminal nodes MC (Mesh Client) and mesh routers MR (Mesh Router). An MC may be a notebook computer, PDA, Wi-Fi mobile phone, RFID reader, wireless sensor, controller and so on, and, like a node in an Ad hoc network, an MC may be highly mobile. The position of an MR is relatively fixed; an MR is responsible for connecting the terminal nodes MC and providing their network access, and some MRs additionally act as gateways connecting to the Internet. Therefore, as long as mesh routers MR can be deployed over any wide area, a wireless MESH network can achieve large-scale coverage.
As wireless MESH networks come into wide use, their security assurance is becoming more and more important. Existing strategies for guarding against network intrusion mainly comprise intrusion detection and intrusion response techniques. Intrusion detection determines the intruder by analysing node behaviour; according to the detection technique applied, it can be further divided into signature-based and anomaly-based intrusion detection. Against the different attack means present in the network (such as flooding, black hole and wormhole attacks), a dedicated intrusion detection technique can identify the attacker exactly. But up to now, research on wireless MESH network security has concentrated mainly on intrusion detection, and no literature has yet been published on how to realize intrusion response in the wireless MESH network environment.
As is well known, intrusion detection is a passive defensive measure and cannot effectively eliminate the intruder. In a wireless MESH network, after an intruding MC has been successfully detected, it can, because of its high mobility, evade the blocking imposed by the detecting node by escaping over a large area or by transferring elsewhere, and then this intruding MC begins a new round of attacks on other nodes. At that point the only option is to perform a new intrusion detection, which wastes time, energy and money and still cannot guarantee network security. To eliminate intrusion behaviour fundamentally, a suitable intrusion response strategy must be introduced into the network, so that once an intruder is detected the necessary response mechanism is applied immediately, avoiding the need to carry out a new intrusion detection again.
In wireless Ad hoc networks, intrusion response is usually realized by a network-wide blacklist broadcast mechanism: as soon as a detecting node detects the intruder, it generates a blacklist message corresponding to the attacking node; then, through network-wide broadcast of the blacklist message, every node in the network learns of the existence and identity of the attacking node and takes responsive measures, such as refusing to forward the attacking node's route and data messages (for an avalanche attack) or, when acting as an intermediate node, ceasing to send any of its packets (for a black hole attack). This intrusion response strategy lets all nodes other than the monitoring node know of the intruder in advance and take the corresponding defensive measures, avoiding the expense of re-detection and the harm to network security, and thus eliminating the intruder's harm at the root.
For a wireless Ad hoc network, which is highly mobile and limited in scope, the above intrusion response measure satisfies the security and efficiency requirements of an intrusion response mechanism. But for a large-scale wireless MESH network, implementing it not only brings a huge number of unnecessary messages and the transmission overhead that goes with them, but also, when several intruders are present, adversely affects normal network service traffic. It is therefore unsatisfactory in practical application in wireless MESH networks. How to improve and perfect the above intrusion response technique has thus become a new focus of attention for technical personnel in the industry.
Summary of the invention
In view of this, the objective of the invention is to remedy the above deficiencies of the prior art by providing an active protection method against wireless MESH network intrusion based on signal acquisition. The invention is directed at the currently most common backbone MESH network configuration, in which the MCs access the Internet through the MRs, and at intruders that are highly mobile intruding attack nodes in the MESH network. The detection method of the invention is carried out by the MRs and produces no influence on or additional burden for the MCs. After an MR detects an intruding attack node, the signal strength of the intruding MC is used as the indication of its presence, and, along the movement path of the intruding MC, the MRs broadcast blacklist messages, so that each MR is warned in advance of the existence of the intruding MC and refuses its access. A mobile firewall is thereby formed around the intruding MC, surrounding it and isolating it from the network, which thoroughly eliminates the network intrusion behaviour.
To achieve the above objective, the invention provides an active protection method against wireless MESH network intrusion based on signal acquisition, characterized in that: after the mesh router MR accessed by the intruding attack node MC discovers, by intrusion detection technique, that the intruding MC has launched an attack, this MR enters the detection-response state: it enters the intruding MC into its own blacklist, blocks its access, and propagates the information about this intruding MC outward; after the surrounding MRs receive the blacklist broadcast, they enter the persistent-listening state and take corresponding measures; when the intruding MC escapes, some of the MRs in the persistent-listening state continue to propagate the information about this intruding MC outward, so that once the attack of this intruding MC has been discovered, no matter how it escapes, it is always surrounded by a mobile firewall. The adverse effect of this intruding MC on the network is thereby eliminated to the greatest extent, the network keeps running normally, and the network resources consumed by active protection are greatly reduced.
The method comprises at least the following steps:
(1) The MR accessed by the intruding attack node MC detects this intruding MC by intrusion detection technique, records the information of the intruding MC in its own blacklist and blocks the access of this intruding MC, so that the attack of this intruding MC is temporarily stopped;
(2) The MR broadcasts the blacklist one hop, notifying its neighbour MRs of the intruding MC's information, and at the same time enters the persistent-listening state, so that if this intruding MC launches an attack again it is blocked at once, avoiding the overhead and delay of a second detection;
(3) After the neighbour MRs receive the broadcast blacklist, they record the intruding MC's information in their own gray lists, enter the persistent-listening state and begin to monitor the signal strength of this intruding MC, so as to guard against its attack in advance and carry out active defence once it approaches. At this point the MRs around this intruding MC are all in the persistent-listening state, that is, each MR has put the intruding MC into its own blacklist or gray list, so that the intruding MC is surrounded by a firewall and cannot carry out its attack.
The method further comprises the following steps after the intruding MC moves:
(5) After the intruding MC moves into the communication range of an MR that is in the persistent-listening state, when this MR hears the signal of the intruding MC, it moves the MC into its own blacklist, as the persistent-listening state requires, and actively blocks its attack;
(6) This MR broadcasts the blacklist one hop, warning its surrounding neighbour routers MR of this intruding MC;
(7) Each neighbour router MR puts the intruding MC into its own gray list and enters the persistent-listening state, thereby guarding against this intruding MC in advance and carrying out active defence once it approaches. In this way, each MR around the intruding MC after it has moved puts the intruding MC into its own blacklist or gray list and is in the persistent-listening state, forming a mobile firewall around the moving intruding MC.
The detection and the corresponding measures of the method are carried out by the routers MR in the wireless MESH network; no requirement is placed on, and no impact is produced on, the terminal nodes MC. Each MR is responsible for maintaining two lists of malicious attack nodes: a blacklist and a gray list.
The blacklist records all intruding MCs detected by the MR; these intruding MCs are of two kinds: those the MR has detected itself, and those it learned of from a blacklist broadcast received from another MR and whose intrusion signal it has then confirmed by its own detection. The gray list records intruding MCs that the MR knows of from a blacklist broadcast received from another MR but whose intrusion signal it has not yet detected.
Depending on whether the MC is in the MR's blacklist or gray list, the MR applies one of two defence modes to this MC: the detection-response state or the persistent-listening state;
The detection-response state is the MR's response after it detects an intruding MC and after it receives a broadcast blacklist. When an MR detects that an MC connected to it is carrying out a malicious attack, it first enters this MC into its own blacklist and blocks its access, then broadcasts the blacklist one hop to inform the surrounding neighbour MRs. When a neighbour MR receives this broadcast blacklist, it records the intruding MC reported by the broadcast in its own gray list (if the MC is already in its gray list, no change is made) and enters the persistent-listening state;
The persistent-listening state is the MR's monitoring of the intruding MCs in its own blacklist and/or gray list and its response after detecting their intrusion signal: the MR listens to the surrounding signals in real time, and when it finds that a packet received or overheard originates from an intruding MC that is in its blacklist and/or gray list, it refuses that MC access; furthermore, if the intruding MC came from the gray list, it moves it into the blacklist and broadcasts the blacklist one hop to notify its surrounding neighbour MRs.
In the active protection method of the invention against wireless MESH network intrusion based on signal acquisition, after an intruding node is detected only a local broadcast of the blacklist is carried out, and the broadcast range is limited to one hop. This avoids the great overhead of network-wide broadcasting while still forming a "firewall" around the intruding node. After the intruding node escapes, the interplay and conversion of blacklist and gray list cause each MR along the intruding node's movement path to continue broadcasting the blacklist locally, so that the "firewall" progressively expands into a "mobile firewall" that thoroughly isolates the intruding node from the network and leaves it unable to attack.
Compared with the prior art, the invention has the following beneficial effects: the attack of an intruding node can be discovered in real time and actively blocked, ensuring the security and normal operation of the wireless Mesh network. The invention combines the two techniques of intrusion detection and intrusion response, and the response overhead is localized: the mobile firewall forms only around the intruding node, which greatly saves the overhead of blacklist broadcast messages and reduces their impact on normal network traffic. The invention therefore has good prospects for popularization and application.
Embodiment
To make the objective, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.
In the active protection method of the invention against wireless MESH network intrusion based on signal acquisition, after an intruding node MC launches an attack and the mesh router MR accessed by this MC discovers it by intrusion detection technique, this MR enters the detection-response state: it enters the intruding MC into its own blacklist, blocks its access, and propagates the information about this intruding MC outward; after the surrounding MRs receive the blacklist broadcast, they enter the persistent-listening state and take corresponding measures; when the intruding MC escapes, some of the MRs in the persistent-listening state continue to propagate the information about this intruding MC outward, so that once the attack of this intruding MC has been discovered, no matter how it escapes, it is always surrounded by a mobile firewall. The adverse effect of this intruding MC on the network is thereby eliminated to the greatest extent, the network keeps running normally, and the network resources consumed by active protection are greatly reduced.
Referring to Fig. 1, the operating steps of the method of the invention are introduced:
(1) The MR accessed by the intruding attack node MC detects this intruding MC by intrusion detection technique, records the information of the intruding MC in its own blacklist and blocks the access of this intruding MC, so that the attack of this intruding MC is temporarily stopped.
(2) The MR broadcasts the blacklist one hop, notifying its neighbour MRs of the intruding MC's information, and at the same time enters the persistent-listening state, so that if this intruding MC launches an attack again it is blocked at once, avoiding the overhead and delay of a second detection.
(3) After the neighbour MRs receive the broadcast blacklist, they record the intruding MC's information in their own gray lists, enter the persistent-listening state and begin to monitor the signal strength of this intruding MC, so as to guard against its attack in advance and carry out active defence once it approaches. At this point the MRs around this intruding MC are all in the persistent-listening state, that is, each MR has put the intruding MC into its own blacklist or gray list, so that the intruding MC is surrounded by a firewall and cannot carry out its attack.
After the intruding MC moves, the method of the invention further comprises the following operating steps:
(5) After the intruding MC moves into the communication range of an MR that is in the persistent-listening state, when this MR hears the signal of the intruding MC, it moves the MC into its own blacklist, as the persistent-listening state requires, and actively blocks its attack.
(6) This MR broadcasts the blacklist one hop, warning its surrounding neighbour routers MR of this intruding MC.
(7) Each neighbour router MR puts the intruding MC into its own gray list and enters the persistent-listening state, thereby guarding against this intruding MC in advance and carrying out active defence once it approaches. In this way, each MR around the intruding MC after it has moved puts the intruding MC into its own blacklist or gray list and is in the persistent-listening state, forming a mobile firewall around the moving intruding MC.
In the invention, each technical measure of intrusion detection and intrusion response is carried out by the routers MR in the wireless MESH network; no requirement is placed on, and no influence is produced on, the terminal nodes MC. Each MR is responsible for maintaining two lists of malicious attack nodes: a blacklist and a gray list. The blacklist records all intruding MCs detected by the MR; these intruding MCs are of two kinds: those the MR has detected itself, and those it learned of from a blacklist broadcast received from another MR and whose intrusion signal it has then confirmed by its own detection. The gray list records intruding MCs that the MR knows of from a blacklist broadcast received from another MR but whose intrusion signal it has not yet detected.
Depending on whether the MC is in the MR's blacklist or gray list, the MR in the method of the invention applies one of two defence modes to this MC: the detection-response state or the persistent-listening state.
Referring to Fig. 2, the detection-response state is introduced: this state is the MR's response after it detects an intruding MC and after it receives a broadcast blacklist. When an MR detects that an MC connected to it is carrying out a malicious attack, it first enters this MC into its own blacklist and blocks its access, then broadcasts the blacklist one hop to inform the surrounding neighbour MRs. When a neighbour MR receives this broadcast blacklist, it records the intruding MC reported by the broadcast in its own gray list (if the MC is already in its gray list, no change is made) and enters the persistent-listening state.
Referring to Fig. 3, the persistent-listening state is introduced: it is the MR's monitoring of the intruding MCs in its own blacklist and/or gray list and its response after detecting their intrusion signal. The MR listens to the surrounding signals in real time, and when it finds that a packet received or overheard originates from an intruding MC that is in its blacklist and/or gray list, it refuses that MC access; furthermore, if the intruding MC came from the gray list, it moves it into the blacklist and broadcasts the blacklist one hop to notify its surrounding neighbour MRs.
In summary, because a wireless MESH network is intended to provide large-scale access for MCs, a design feature of the wireless MESH network is a certain density, that is, it guarantees that the communication ranges of any two adjacent MRs connect without gaps. Therefore, once an intruding MC has been discovered by the MR it accessed, the MRs near this intruding MC are always informed in advance as it moves, and no further intrusion detection needs to be performed.
For example, refer to Fig. 4, the topology diagram of a wireless MESH network to which an embodiment of the invention is applied. This wireless MESH network has 16 MR nodes, MR1 to MR16. For clearer explanation, Fig. 4 shows only the intruding MC (represented by a small circle near MR10) and omits the other MC nodes.
An MR in the detection-response state (see Fig. 2) constantly checks whether the neighbour nodes around it show abnormal behaviour. Each MR independently has a basic intrusion detection capability, for example discovering a flooding attack node by itself through threshold detection. When an MR detects that an MC connected to it is carrying out a malicious attack, it first enters this node into its own blacklist and blocks its access. This MR then sends a one-hop blacklist broadcast to notify its surrounding neighbour MRs, and at the same time enters the persistent-listening state. The other MRs in the detection-response state, upon receiving the blacklist broadcast from the neighbour MR, record the intruder reported by the broadcast in their own gray lists and likewise enter the persistent-listening state.
In Fig. 4, a node in the persistent-listening state judges the source of each packet it receives or overhears; when it finds that the sender of the packet is an intruding MC from its blacklist and/or gray list, it discards the packet. Furthermore, if this intruding MC comes from the gray list, the node moves it into the blacklist and sends another one-hop blacklist broadcast to notify its surrounding neighbour MRs.
Legend for Fig. 4 and Fig. 5 (the symbols themselves are not reproduced here): one symbol denotes an MR that has entered intruding node A in its blacklist; one denotes an MR that has entered node A in its gray list; one denotes a blocked link. Once an intrusion attack occurs in the wireless Mesh network (the figures show the intruding MC accessing MR10 and beginning its attack), the invention detects the intruding MC in time and forms a firewall around it, surrounding it.
Referring to Fig. 4, the operating steps of an embodiment of the method of the invention are as follows:
(1) MR10 detects the intruding MC by intrusion detection technique, records this intruding node A in its own blacklist and blocks node A's access, so that the intruder's attack is temporarily stopped.
(2) MR10 sends a one-hop blacklist broadcast to inform its neighbour MRs and enters the persistent-listening state; in this state the intruder is blocked at once upon discovery, avoiding the need for a second detection.
(3) Each neighbour node MR{6,9,11,14}, after receiving the blacklist broadcast, records node A in its own gray list, enters the persistent-listening state and begins to monitor the signal strength of node A, thereby guarding against the intruder in advance and carrying out active defence once it approaches.
(4) When node A is within the communication range of MR6 and MR9 as shown in Fig. 4, they can detect node A's signal strength by listening; as the persistent-listening state requires, MR6 and MR9 move node A into their own blacklists and simultaneously send a one-hop blacklist broadcast, warning their surrounding neighbour nodes once more.
(5) Each neighbour node MR{2,5,7,13}, after receiving the blacklist broadcast, puts node A into its gray list and begins to detect its signal strength, thereby guarding against the intruder in advance and carrying out active defence once it approaches.
At this point the MRs around intruding node A are all in the persistent-listening state, that is, all of them have put node A into their blacklist or gray list. Intruding node A is now enclosed within a firewall.
In the wireless Mesh network, when the intruding node moves after attacking (the intruding MC begins to escape after being blocked by MR10), the invention forms a mobile firewall around it so that it cannot continue to threaten the network. Referring to Fig. 5, the operating steps of an embodiment of the active defence measures taken by the method of the invention after the intruding node moves are introduced:
(1) Node A is in the gray list of MR11; after node A approaches MR11, MR11 hears its signal and, as the persistent-listening state requires, moves node A into its own blacklist and actively blocks its attack.
(2) MR11 sends a one-hop blacklist broadcast, warning its surrounding neighbour nodes.
(3) The neighbour nodes of MR11 put node A into their gray lists and enter the persistent-listening state, thereby guarding against this intruding node in advance and carrying out active defence once it approaches.
Thus the nodes around the intruding MC again record it in their respective blacklists or gray lists, that is, the mobile firewall is extended. Because this firewall forms and expands as the intruding MC moves, a mobile firewall is formed.
From the above analysis it can be seen that after an intruding node launches an attack, it is first discovered by the MR it accesses, which propagates the intruding node's information outward through intrusion response, and the surrounding MRs enter the persistent-listening state after receiving the blacklist broadcast. When the intruding node attempts to escape, some of the router nodes in persistent listening continue to propagate the intruding node's information outward, so that once the intrusion behaviour has been discovered, however the intruding node escapes, it is always blocked by the MR it accesses; its intrusion impact is thus completely eliminated and the network recovers normal operation. The whole process runs automatically without manual intervention, realizing a real-time active IPS.
The above is only a preferred embodiment of the invention and is not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.