CN112468449B - Method for optimizing and configuring backtracking security controlled network access channel resources - Google Patents

Publication number: CN112468449B
Authority: CN (China)
Prior art keywords: link, node, time, session, constraint
Legal status: Active
Application number: CN202011228961.XA
Other languages: Chinese (zh)
Other versions: CN112468449A (en)
Inventors: 金昊, 尹小燕, 金博, 罗茜, 韩青洁, 王亚珅, 李阳阳
Current Assignee: NORTHWEST UNIVERSITY; China Academy of Electronic and Information Technology of CETC
Original Assignee: NORTHWEST UNIVERSITY; China Academy of Electronic and Information Technology of CETC
Application filed by: NORTHWEST UNIVERSITY; China Academy of Electronic and Information Technology of CETC
Priority to: CN202011228961.XA
Publication of application: CN112468449A
Publication of grant: CN112468449B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0852 Delays
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0888 Throughput
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a resource optimization and configuration method for a backtracking security controlled network access channel. It jointly considers link types, transmission constraints and a queue model, establishes a mathematical model between the transmission hop count and the security level requirement, and can give the system a recommended access path length that meets the security level requirement. On this basis, a minimum-delay scheduling strategy that satisfies the user's security level constraint is provided, and the delay optimization problem with the security level constraint is finally solved using a piecewise linearization technique. The lengths of links and access paths can be dynamically scheduled according to users' different security level requirements; the resource allocation algorithm optimizes system delay, ensures load balancing of link resources, meets users' security requirements and finally hides user traces, i.e. backtracking. Experimental results show that the method allocates resources effectively both when system resources are scarce and when they are sufficient, selects a suitable path to guarantee the security level, minimizes transmission delay and improves system performance.

Description

Method for optimizing and configuring backtracking security controlled network access channel resources
Technical Field
The invention belongs to the technical field of backtracking security internet access environment services for the directed, covert acquisition of domestic and overseas internet data, and mainly relates to a resource optimization and configuration method for a backtracking security controlled network access channel.
Background
With the continuous development of the internet, the VPN, a virtual private network built on a public network, enables cross-country and cross-region interconnection. Because the nodes of a public network are of mixed provenance and uneven performance, the security and reliability of VPNs have always been a major concern for enterprises and government departments.
To defend against DDoS attacks, the industrial internet has been equipped with traceability technologies. Tracing reconstructs a user's access path by collecting routing logs and analyzing communication packets in order to track the user's IP address. This defends against DDoS attacks to a certain extent, but more and more websites profit from tracing users' personal information. Such tracing scans server and router ports and obtains, by illegal means, device information such as the IP address and MAC address of the user's network equipment, which damages the user's security interests and invades the user's personal privacy.
The essence of backtracking is to hide information browsing and search intent through a tracing-hiding technique. Given the requirements of three-dimensional social security prevention and control, it is therefore necessary to protect users' personal privacy through backtracking. This applies especially to some government departments, which may often visit sensitive websites that may steal the user's personal information; the consequences of such information leakage would be unimaginable. To carry out covert and directed acquisition of data inside and outside the country, a backtracking security controlled network access environment system must be built that provides a secure, controlled, anti-IP-tracking internet access environment, which includes research on a backtracking security controlled network access channel. The backtracking security controlled network access channel protects and hides the traces of the visitor, thereby ensuring the visitor's security.
Compared with backtracking technology, tracing-attack technology has attracted more and more research. Unlike attacks that aim to destroy the network, such as trojans and viruses, tracing attacks are generally used as a lead-in for network attacks. The main purpose of a tracing attack is to reconstruct the access path of the attacked party and obtain the user's IP address. Constructing access paths that are difficult for an attacker to reconstruct is therefore one of the important means of defending against tracing attacks.
So far, the main tracing-attack methods are link detection, logging, ICMP messages and the PPM (probabilistic packet marking) strategy. Link detection and logging need the support of network relay equipment, while ICMP messages and PPM need to insert specific marking information into the IP header. PPM is the most commonly used tracing-attack algorithm because it does not depend on network relay equipment and has low space overhead.
In research on backtracking technology, much past work has focused on analyzing tracing algorithms and designing schemes, studying in depth the behavior, implementation and specific performance of tracing, and has achieved certain results. Stefan analyzes the classic PPM algorithm and provides a backtracking algorithm based on data packet marking. Shi analyzes network security based on SD-VPN networks and the OpenFlow protocol. To improve the accuracy of the algorithm, an improved PPM algorithm has been proposed. Tracing through routing logs is another research direction. Nikhil proposes recording route information by setting up a path-aware historian and tracing routes as necessary. On this basis, Yang proposes a hybrid tracking scheme combining data packet marking and routing logs.
Disclosure of Invention
Based on the requirements of three-dimensional social security prevention and control, the invention aims to protect the personal privacy of users through backtracking technology and provides a resource optimization and configuration method for a backtracking security controlled network access channel.
To accomplish this task, the invention adopts the following technical solution:
A resource optimization and configuration method for a backtracking security controlled network access channel, characterized in that a multi-hop VPN network G(S, L) is used to model resource allocation for backtracking access, where S is the set of VPN servers, comprising domestic nodes and foreign nodes, and L is the set of edges between VPN nodes. A session $e \in E$ runs from the source node $s_e$ to the target node $d_e$, and each session has a specific security level requirement. The method specifically comprises the following steps:
Step 1: Communication model
The single-in and single-out constraints are obtained from the limit on the number of links that node i activates at any time t. Assuming the node is full duplex, the full-duplex constraint on the number of links follows readily. Combining the single-in and single-out constraints with the full-duplex constraint gives the communication constraint.
The concrete implementation steps are as follows:
Step S10: The edge from node i to node j is denoted l(i, j), with $j \in N_i$, where $N_i$ is the set of neighbor nodes of node i. The minimum time for successful transmission of a packet on the link is set to one slot. Assume that all sessions are generated at time 0 and that transmission of all packets is completed at time T. Use
Figure GDA0003844192240000031
to indicate the activation state of link l(i, j) at time t. If the link is activated by session e within time t,
Figure GDA0003844192240000032
otherwise
Figure GDA0003844192240000033
Step S11: easy single-entry constraint from step S10
Figure GDA0003844192240000034
The number of all links activated by the node i at any time t is less than or equal to 1, and the constraint can be obtained by the same method
Figure GDA0003844192240000035
Step S12: assuming that each session is unicast, each node is full duplex, which means that node i can receive and transmit data at any time, but the number of simultaneously active links cannot exceed two. Thereby obtaining full duplex constraints
Figure GDA0003844192240000036
Step S13: combining the single-input single-output constraint and the full-duplex constraint obtained in step S11 and step S12 to obtain the communication constraint of the node
Figure GDA0003844192240000037
Step 2: link activation model
Define the variable
Figure GDA0003844192240000038
to denote the frequency with which session e activates link l(i, j) within (0, T],
Figure GDA0003844192240000039
where $f_{l(i,j)}$ denotes the frequency of activating link l(i, j) over all sessions. Define a binary variable
Figure GDA0003844192240000041
to indicate the activation status of link l(i, j) in session e: if the number of times the link is activated
Figure GDA0003844192240000042
Otherwise
Figure GDA0003844192240000043
Extending this to all sessions, the activation state of link l(i, j) is
Figure GDA0003844192240000044
Step 3: Throughput analysis
The minimum throughput and the maximum throughput of the link are calculated to obtain the throughput constraint.
The concrete steps are as follows:
Step S31: Assume that session e generates a data packet of size D each time, and that only one packet is transmitted each time the link is activated. The minimum throughput of link l(i, j) is therefore
Figure GDA0003844192240000045
Step S32: the link l (i, j) is at (0, T)]The maximum throughput within is then calculated using the bandwidth,
Figure GDA0003844192240000046
wherein Wl(i,j)Representing the bandwidth of link l (i, j).
Step S33: combining the maximum throughput and the minimum throughput, a throughput constraint of
Figure GDA0003844192240000047
where the throughput is $\mu_{l(i,j)} = f_{l(i,j)} \cdot W_{l(i,j)}$.
Step 4: Time delay analysis
First, the delay in a single-hop network is analyzed; there, the delay equals the sum of the waiting delay and the transmission delay. The waiting delay and the transmission delay are calculated separately to obtain the delay formula, which is then extended to multi-hop wired networks.
Step S40: Suppose node $s_e$ is the source node of session e and node j is the next-hop node. Define
Figure GDA0003844192240000048
to represent the system time,
Figure GDA0003844192240000049
where
Figure GDA00038441922400000410
is the waiting delay, equal to the time the packet spends queuing in the sending queue, and
Figure GDA00038441922400000411
is the transmission delay.
Step S41: known as a unicast system, this means that a transmitting node transmits data to only one receiving node at a time. Assuming that the data packets on all nodes satisfy a First Come First Served (FCFS) mode, each VPN generates and transmits data packets through one M/M/1 queue. The expected waiting time is
Figure GDA0003844192240000051
Wherein
Figure GDA0003844192240000056
Is link l (S)eJ) load factor of the load. The transmission time of the data packet is
Figure GDA0003844192240000052
Step S42: source node S in a one-hop network is readily available by S41eThe time delay to the next hop node j is
Figure GDA0003844192240000053
Step S43: a single-hop time delay formula is extended to a multi-hop network, and a session e is supposed to pass through h from a source node to a target receiving endeHop, according to the above analysis, in combination with the S32 constraint, the system is in the light load phase, so the latency of session e is
Figure GDA0003844192240000054
Thus, the average delay of all sessions can be expressed as
Figure GDA0003844192240000055
Step 5: Problem formulation
Given the system model developed above and the constraints already derived, the goal is an optimal resource allocation that minimizes the average delay while satisfying the security level guarantees of all links. The target problem can thus be expressed as:
OPT: min $d_{ave}$
s.t. communication constraints, throughput constraints, hop count requirements
where $d_{ave}$ is the average delay obtained above. An equivalent transformation gives:
Figure GDA0003844192240000061
where $\rho_{l(i,j)}$ is the load factor of link l(i, j) and $\mu_{l(i,j)}$ is the actual transmission rate of link l(i, j). The in-session packet generation rate $\lambda_e$, the link bandwidth $W_{l(i,j)}$ and the packet size D are constants, while the link activation frequency and the access-path hop count $h_e$ depend on the outcome of the link resource allocation. Clearly, this is a mixed integer nonlinear programming problem.
Step 6: Threat analysis
Threat analysis is carried out on the classical tracing algorithm PPM. The complexity of PPM depends mainly on the network scale, and the reconstruction time is chosen as the performance parameter of the algorithm. The reconstruction time is defined as the number of marked packets an attacker needs in order to reconstruct the access path.
Step S60: Assume that an attacker marks a data packet it sends with probability p and that the access path length from the target node to the attacker is h. The probability that the target receives the marked packet can then be expressed as $P = p(1-p)^{h-1}$.
Step S61: Based on step S60, the expected number of marked packets required to reconstruct an access path of length h is
Figure GDA0003844192240000062
Where γ is a constant parameter related to the network size and β is a constant parameter related to the link quality.
Step S62: formula for obtaining reconstruction time based on the formula
Figure GDA0003844192240000063
The complexity of the easy-to-obtain algorithm is exponential to the length of the access path.
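To make Step 6 concrete, the following added example (not part of the patent text) simulates PPM node sampling and counts how many packets must arrive before every hop of an h-hop path has been seen at least once. The patent's own closed form with γ and β is not reproduced on this page, so the example compares the simulation with two elementary bounds instead; the marking probability 0.2, the trial count and all function names are assumptions.

```python
import random


def mark_arrival_probability(p: float, h: int) -> float:
    """P = p(1-p)^(h-1): the hop h steps away marks the packet and the
    h-1 hops after it leave that mark untouched (Step S60)."""
    return p * (1.0 - p) ** (h - 1)


def harmonic(n: int) -> float:
    """n-th harmonic number, used in the coupon-collector upper bound."""
    return sum(1.0 / k for k in range(1, n + 1))


def reconstruction_bounds(p: float, h: int) -> tuple:
    """Elementary bounds on the expected number of packets needed to see
    every hop: at least 1/P for the farthest hop alone, at most H_h/P
    because every hop's mark arrives with probability >= P."""
    p_far = mark_arrival_probability(p, h)
    return 1.0 / p_far, harmonic(h) / p_far


def packets_until_path_known(p: float, h: int, rng: random.Random) -> int:
    """Send packets along an h-hop path until a mark from every hop
    distance 1..h has been received at the far end."""
    seen = set()
    packets = 0
    while len(seen) < h:
        packets += 1
        mark = None
        # Walk from the farthest hop (distance h) to the nearest (distance 1);
        # each hop overwrites the mark field with probability p.
        for distance in range(h, 0, -1):
            if rng.random() < p:
                mark = distance
        if mark is not None:
            seen.add(mark)
    return packets


def mean_packets(p: float, h: int, trials: int = 300, seed: int = 7) -> float:
    """Average packet count over seeded trials (constructed experiment)."""
    rng = random.Random(seed)
    total = sum(packets_until_path_known(p, h, rng) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    p = 0.2  # assumed marking probability
    for h in (4, 8, 12):
        low, high = reconstruction_bounds(p, h)
        print(f"h={h:2d}  P={mark_arrival_probability(p, h):.4f}  "
              f"bounds=[{low:.1f}, {high:.1f}]  simulated={mean_packets(p, h):.1f}")
```

The simulated cost grows roughly as 1/(1-p)^(h-1), which is the exponential dependence on path length that Step 7 relies on when it maps a security level to a hop count.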
Step 7: Security analysis
The complexity of path reconstruction grows exponentially with increasing path length. Starting from this relationship between reconstruction complexity and path length, a functional relationship between the user's security requirement and the path length is established.
The security requirements of the user are quantified and mapped to a security level, in order to find a functional relationship between the security level and the access path length. Because the tracing difficulty is exponential in the path length, a logarithmic relationship is used to relate the security level to the path length:
Figure GDA00038441922400000711
where $h_e$ is the access-path length of session e, i.e. its number of hops, $g_e$ is the security level of session e, and α is a parameter related to the network size.
Step 8: Approximation algorithm
An approximation algorithm converts the nonlinear part of the optimization objective into a linear part with controllable error.
The concrete implementation steps are as follows:
Step S80: Define a function
Figure GDA0003844192240000071
and replace the objective function with
Figure GDA0003844192240000072
From the foregoing, $f_{l(i,j)} \le T$ and
Figure GDA0003844192240000073
Scaling the left inequality of the transmission rate formula gives
Figure GDA0003844192240000074
from which it follows that $f_{l(i,j)}$ lies within the range
Figure GDA0003844192240000075
It is easy to see that m(x) is a convex function, so the curve $m(f_{l(i,j)})$ is approximated by a piecewise linearization technique: the curve is replaced with a set of line segments such that the deviation of the line segments from the curve does not exceed a given error σ, where
Figure GDA0003844192240000076
are the endpoint values of the line segments on the x-axis and C is the minimum number of line segments required to replace the curve. Set the starting point
Figure GDA0003844192240000077
and the end point
Figure GDA0003844192240000078
Step S81: Starting from the starting point
Figure GDA0003844192240000079
calculate the slope of the first line segment
Figure GDA00038441922400000710
while ensuring that the error between the line segment and the original curve does not exceed σ. With the starting point and the slope of the line segment known, the intersection point of the line segment with the original curve is readily obtained:
Figure GDA0003844192240000081
This point is used as the starting point of the next line segment, and the process is repeated until the whole value range of $f_{l(i,j)}$ is covered.
Step S82: as shown in FIG. 2, assume that
Figure GDA0003844192240000082
Is the c-th line segment Mc(fl(i,j)) Compared with the original curve
Figure GDA0003844192240000083
Maximum error point in, easy to obtain formula
Figure GDA0003844192240000084
Readily available slope
Figure GDA0003844192240000085
According to a point-inclined type
Figure GDA0003844192240000086
And slope formula
Figure GDA0003844192240000087
Easy to find the intersection point
Figure GDA0003844192240000088
Step S83: when in use
Figure GDA0003844192240000089
Then, it cannot be solved by the above method, then
Figure GDA00038441922400000810
Will be taken as the end point of the line segment and will
Figure GDA00038441922400000811
And (T, m (T)) connecting the two points as the last line segment.
Step S84: The piecewise-linear function
Figure GDA00038441922400000812
replaces the optimization objective $d_{ave}$, giving a new linear optimization problem in place of the original problem, expressed as:
Figure GDA00038441922400000813
s.t. communication constraints, throughput constraints, hop count requirements, approximation algorithm constraints.
Step 9: Error analysis
Suppose OPT* is the optimal solution of the original problem, with result
Figure GDA00038441922400000814
Since OPT* satisfies all the constraints mentioned above, a feasible solution OPT-L can be constructed whose $f_{l(i,j)}$ is the same as in OPT*. Their solutions therefore differ by
Figure GDA00038441922400000815
Let
Figure GDA00038441922400000816
It follows readily that OPT-L − OPT* ≤ ε.
Thus, for a given error, the linearization error can be computed to obtain a set of line segments that replace the original curve, converting the problem into a Mixed Integer Linear Programming (MILP) model, which can be solved using commercial solvers (e.g., CPLEX).
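The piecewise linearization of Steps S80 to S84 and the error bound of Step 9 can be tried out with the following added example, which is not the patent's own code. Because the definition of m(x) is not reproduced on this page, it assumes an M/M/1-style delay m(f) = 1/(W·f − λ) with constructed values W = 10, λ = 5 and f in [1, 20], and it finds each segment's endpoint by numerical bisection instead of the closed-form slope of Step S82.

```python
def mm1_delay(f: float, W: float = 10.0, lam: float = 5.0) -> float:
    """Assumed convex delay curve m(f) = 1 / (W*f - lam), valid for W*f > lam."""
    return 1.0 / (W * f - lam)


def chord_gap(m, a: float, b: float) -> float:
    """Largest vertical gap between the chord over [a, b] and the convex
    curve m. The gap is concave on [a, b], so ternary search finds its peak."""
    if b <= a:
        return 0.0
    slope = (m(b) - m(a)) / (b - a)

    def gap(x: float) -> float:
        return m(a) + slope * (x - a) - m(x)

    lo, hi = a, b
    for _ in range(80):
        x1 = lo + (hi - lo) / 3.0
        x2 = hi - (hi - lo) / 3.0
        if gap(x1) < gap(x2):
            lo = x1
        else:
            hi = x2
    return gap(0.5 * (lo + hi))


def linearize(m, start: float, end: float, sigma: float) -> list:
    """Greedy breakpoints x_0 < ... < x_C: every segment is stretched as far
    as the error budget sigma allows, and the last one ends at `end`
    (the role played by the point (T, m(T)) in Step S83)."""
    points = [start]
    while points[-1] < end:
        a = points[-1]
        if chord_gap(m, a, end) <= sigma:
            points.append(end)
            break
        lo, hi = a, end  # gap is within budget at lo and over budget at hi
        for _ in range(60):
            mid = 0.5 * (lo + hi)
            if chord_gap(m, a, mid) <= sigma:
                lo = mid
            else:
                hi = mid
        if lo <= a:
            raise ValueError("sigma is too small for floating-point bisection")
        points.append(lo)
    return points


def evaluate(points: list, m, x: float) -> float:
    """Value of the piecewise-linear replacement at x."""
    for a, b in zip(points, points[1:]):
        if a <= x <= b:
            return m(a) + (m(b) - m(a)) / (b - a) * (x - a)
    raise ValueError("x is outside the linearized range")


def max_error(points: list, m, samples: int = 2000) -> float:
    """Largest overestimate of the linear model on a uniform grid. Chords of
    a convex curve lie above it, so the error is never negative."""
    start, end = points[0], points[-1]
    grid = (start + (end - start) * i / samples for i in range(samples + 1))
    return max(evaluate(points, m, x) - m(x) for x in grid)


if __name__ == "__main__":
    for sigma in (0.005, 0.001):
        pts = linearize(mm1_delay, 1.0, 20.0, sigma)
        print(f"sigma={sigma}: {len(pts) - 1} segments, "
              f"max error {max_error(pts, mm1_delay):.6f}")
```

Because every chord lies on or above the curve, the linearized objective can only overestimate the delay, which is why Step 9 bounds OPT-L − OPT* from above.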
According to the method for optimizing and configuring the resources of the backtracking security controlled network access channel, a mathematical model between the hop count and the security level requirement is established on the basis of considering the link type, the transmission constraint and the queue model, and the recommended access path length can be provided for the security level requirement. And on the basis, a minimum delay scheduling strategy meeting the user security level requirement constraint is provided, and finally, a delay optimization problem with security level constraint is solved through a piecewise linearization technology.
The method can dynamically schedule the lengths of the links and the access paths according to different security level requirements of users, optimizes system time delay, ensures link resource load balance, meets the security requirements of the users, and finally realizes the hiding of user traces, namely anti-tracking.
Based on the traditional tracing algorithm, the invention provides a novel resource allocation method for reverse tracing hidden internet surfing, and time delay optimization is carried out on the premise of meeting the safety requirements of users. The method can effectively distribute resources under the two conditions of deficient system resources and sufficient resources, select a proper path to ensure the security level, minimize the transmission delay and improve the system performance.
Drawings
FIG. 1 is a flowchart of a method for optimizing and configuring resources of a backtracking security controlled network access channel according to the present invention;
FIG. 2 is a schematic diagram of a piecewise approximation algorithm;
FIG. 3 is a scheduling process of the OPT-L algorithm;
FIG. 4 is a simulated wired VPN network topology;
FIG. 5 is a graph of experimental results of the relationship between packet generation rate and average delay;
FIG. 6 is a diagram illustrating a scheduling result when link resources are scarce;
FIG. 7 is a diagram illustrating scheduling results when link resources are sufficient;
FIG. 8 is a diagram illustrating a relationship between a session hop count and a minimum hop count constraint in simulation.
The present invention will be described in further detail with reference to the following drawings and examples.
Detailed Description
The traditional tracing aims to acquire the IP address and the physical position of a user through some technical means. The anti-tracing establishes a secure network link channel which makes the attacker difficult to trace through an information technology to achieve the purpose of hiding the equipment information of the user.
Inspired by the PPM strategy, the method for preventing an attacker from reconstructing the access path of the user in the VPN network is an effective backtracking method. For PPM and other tracing algorithms, the longer the access path, the higher the tracing difficulty. Accordingly, the longer the access path, the higher the latency. However, blindly increasing the length of the access path will cause the latency to grow indefinitely. Therefore, a tradeoff is needed between meeting user security level requirements and optimizing system latency.
The applicant has conducted systematic research on the backtracking technology to obtain the relationship between resource allocation and security level assurance. The method mainly establishes safe and stable network links by scientifically scheduling channel resources so as to perform resource allocation and link scheduling on the premise of meeting the safety requirements of users, solve the problems of load balancing, IP address hiding, user safety meeting, time delay optimization and the like, further improve the safety and stability of the public network, and provide a backtracking safe internet surfing environment for the public network. The applicant provides a new resource allocation algorithm for backtracking hidden internet surfing based on a traditional traceability algorithm, and establishes a mathematical model between hop count and security level requirements on the basis of considering link types, transmission constraints and a queue model. Under the condition of ensuring the security level, the minimum time delay is taken as the target to carry out resource allocation, and the established target function is converted into linear integer programming by utilizing the piecewise linearization technology.
The scheduling process of the OPT-L algorithm is shown in fig. 3. There are 4 nodes, 2 sessions, and 6 links. The links 1 and 2 belong to links between domestic servers, and the links 3,4,5 and 6 belong to international links. Assume that each session requires at least 2 hops to go through and transmit 2 packets. The source node of session 1 is a, the corresponding destination node is D, and the predetermined links are represented by solid arrows. The source node of session 2 is B and the corresponding target node is C, and the planned link is represented by a dashed arrow.
When t =0, node a and node B generate packets 1,2 and 3,4, respectively.
When t =1, the algorithm activates link 3 and link 4, transmitting packet 1 and packet 3 simultaneously. Links 5 and 6 will not be activated due to the requirement of a minimum number of hops. Despite the low latency of link 1, there are already two packets in the waiting queues of nodes a and B, and the resulting long latency causes node a to discard link 1. Similarly, node B also discards link 1.
When t =2, the algorithm activates links 1 and 2 and transmits packet 1 to node D, packet 2 to node B, packet 3 to node C and packet 4 to node a. Since the link satisfies full duplex, bidirectional transmission is allowed. Since the queue length of all nodes is 1, but the delay of links 1 and 2 is low, links 1 and 2 are activated. At this point, packets 1 and 3 arrive at the destination node and the 2 nd hop is completed.
When t =3, the algorithm activates link 3 and link 4, transmits packets 3 and 4 to nodes C and D, respectively, and successfully transmits all packets for session 1 and session 2.
The following are specific examples given by the applicant.
I. Technical scheme
Referring to FIG. 1, this embodiment provides a resource optimization and configuration method for a backtracking security controlled network access channel, which uses a multi-hop VPN network G(S, L) to model resource allocation for backtracking access, where S is the set of VPN servers, comprising domestic nodes and foreign nodes, and L is the set of edges between VPN nodes. A session $e \in E$ runs from the source node $s_e$ to the target node $d_e$, and each session has a specific security level requirement. The specific steps are as follows:
Step 1: Communication model
The single-in and single-out constraints are obtained from the limit on the number of links that node i activates at any time t. Assuming the node is full duplex, the full-duplex constraint on the number of links follows readily. Combining the single-in and single-out constraints with the full-duplex constraint gives the communication constraint.
The concrete steps are as follows:
Step S10: The edge from node i to node j is denoted l(i, j), with $j \in N_i$, where $N_i$ is the set of neighbor nodes of node i. The minimum time for successful transmission of a data packet on the link is set to one time slot. Assume that all sessions are generated at time 0 and that transmission of all data packets is completed at time T. Use
Figure GDA0003844192240000121
to indicate the activation state of link l(i, j) at time t. If the link is activated by session e within time t,
Figure GDA0003844192240000122
otherwise
Figure GDA0003844192240000123
Step S11: easy single entry constraint by step S10
Figure GDA0003844192240000124
The number of all links activated by the node i at any time t is less than or equal to 1, and the constraint can be obtained by the same method
Figure GDA0003844192240000125
Step S12: assuming that each session is unicast, each node is full duplex, which means that node i can receive and transmit data at any time, but the number of simultaneously active links cannot exceed two. Thereby obtaining full duplex constraints
Figure GDA0003844192240000126
Step S13: combining the single-input single-output constraint and the full-duplex constraint obtained in step S11 and step S12 to obtain the communication constraint of the node
Figure GDA0003844192240000127
Step 2: Link activation model
Define the variable
Figure GDA0003844192240000128
to denote the frequency with which session e activates link $l(i, j)$ within $(0, T]$,
Figure GDA0003844192240000129
where $f_{l(i,j)}$ denotes the frequency with which link $l(i, j)$ is activated over all sessions. Define the binary variable
Figure GDA00038441922400001210
to denote the activation status of link $l(i, j)$ in session e: if the number of times the link is activated
Figure GDA00038441922400001211
otherwise
Figure GDA00038441922400001212
Extending this further, the activation state of link $l(i, j)$ over all sessions is
Figure GDA00038441922400001213
Step 3: Throughput analysis
The minimum throughput and the maximum throughput of a link are calculated to obtain the throughput constraint.
The concrete steps are as follows:
Step S31: Assume that session e generates a data packet of size D each time, and that only one packet is transmitted each time the link is activated. The minimum throughput of link $l(i, j)$ is therefore
Figure GDA0003844192240000131
Step S32: The maximum throughput of link $l(i, j)$ within $(0, T]$ is then calculated from the bandwidth,
Figure GDA0003844192240000132
where $W_{l(i,j)}$ denotes the bandwidth of link $l(i, j)$.
Step S33: Combining the maximum throughput and the minimum throughput gives the throughput constraint
Figure GDA0003844192240000133
where the throughput is $\mu_{l(i,j)} = f_{l(i,j)} \cdot W_{l(i,j)}$.
Step 4: Time delay analysis
The time delay in a single-hop network is analyzed first. In a single-hop network the time delay equals the sum of the waiting delay and the transmission delay; the two are calculated separately to obtain the delay formula, which is then extended to multi-hop wired networks.
Step S40: Suppose node $S_e$ is the source node of session e and node j is the next-hop node. Define
Figure GDA0003844192240000134
to represent the system time,
Figure GDA0003844192240000135
where
Figure GDA0003844192240000136
is the waiting delay, equal to the queuing time of the data packet in the transmit queue, and
Figure GDA0003844192240000137
is the transmission delay.
Step S41: The system is known to be unicast, which means that a transmitting node transmits data to only one receiving node at a time. Assuming that the data packets on all nodes are served in First Come First Serve (FCFS) mode, each VPN generates and transmits data packets through one M/M/1 queue. The expected waiting time is
Figure GDA0003844192240000138
where
Figure GDA0003844192240000139
is the load factor of link $l(S_e, j)$. The transmission time of the data packet is
Figure GDA0003844192240000141
Step S42: From S41, the time delay from the source node $S_e$ to the next-hop node j in a one-hop network is
Figure GDA0003844192240000142
Step S43: The single-hop delay formula is extended to a multi-hop network. Assume that session e passes through $h_e$ hops from the source node to the target receiving end. According to the above analysis, combined with the S32 constraint, the system is in a light-load phase, so the delay of session e is
Figure GDA0003844192240000143
Thus, the average delay of all sessions can be expressed as
Figure GDA0003844192240000144
Step 5: Problem formulation
Given the system model developed above and the limitations described above, the goal is an optimal resource allocation that minimizes the average delay while satisfying the security level guarantees for all links. The target problem can thus be expressed as:
OPT min $d_{ave}$
s.t. communication constraints, throughput constraints, hop count requirements
where $d_{ave}$ is the average time delay obtained above. An equivalent transformation gives:
Figure GDA0003844192240000145
where $\rho_{l(i,j)}$ represents the load factor of link $l(i, j)$ and $\mu_{l(i,j)}$ represents the actual transmission rate of link $l(i, j)$. The in-session packet generation rate $\lambda_e$, the link bandwidth $W_{l(i,j)}$ and the data packet size D are constants; the link activation frequency and the access path hop count $h_e$ depend on the outcome of the link resource allocation. Clearly, this is a mixed integer nonlinear programming problem.
Step 6: Threat analysis
Threat analysis is carried out on the classical tracing algorithm PPM. The complexity of PPM depends mainly on the network scale, and the reconstruction time is chosen as the performance parameter of the algorithm. The reconstruction time is defined as the number of marked packets required by an attacker to reconstruct the access path.
Step S60: Assume that an attacker marks a data packet sent by the attacker with probability p and that the access path length from the target node to the attacker is h. The probability that the target receives the marked packet can then be expressed as $P = p(1-p)^{h-1}$.
Step S61: Based on step S60, the expected number of marked packets required to reconstruct an access path of length h is
Figure GDA0003844192240000151
where γ is a constant parameter related to the network size and β is a constant parameter related to the link quality.
Step S62: From this formula, the reconstruction time is
Figure GDA0003844192240000152
It follows easily that the complexity of the algorithm is exponential in the length of the access path.
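As an added illustration of steps S60 to S62 (not code from the patent), the sketch below starts from the page's per-packet probability $P = p(1-p)^{h-1}$ and computes exactly how many packets the target must receive, on average, before it holds a mark from every one of the h hops. It assumes the standard node-sampling model of probabilistic packet marking, in which each hop overwrites a single mark field independently with probability p; the patent's own expression with γ and β is not reproduced on this page, and all function names are hypothetical.

```python
"""Expected number of packets before a PPM mark from every hop has arrived.

Assumption (added here, not taken from the patent): node-sampling PPM with a
single mark field that each hop overwrites with probability p, so the mark of
the hop i steps from the target survives with probability p*(1-p)**(i-1).
"""
from math import fsum


def hop_mark_probabilities(p, h):
    """Per-packet probability that the surviving mark belongs to hop i = 1..h."""
    if not 0.0 < p < 1.0 or h < 1:
        raise ValueError("need 0 < p < 1 and h >= 1")
    return [p * (1.0 - p) ** (i - 1) for i in range(1, h + 1)]


def expected_packets(p, h):
    """Exact expected packet count until all h hops have been seen.

    A packet carries at most one mark, so the wait for the first mark from a
    set S of hops is geometric with rate sum(q_i for i in S). Inclusion-
    exclusion over all non-empty S gives the expected wait for the last hop.
    """
    if h > 20:
        raise ValueError("2**h subsets: keep h <= 20 for the exact formula")
    q = hop_mark_probabilities(p, h)
    terms = []
    for mask in range(1, 1 << h):
        members = [q[i] for i in range(h) if (mask >> i) & 1]
        sign = 1.0 if len(members) % 2 else -1.0
        terms.append(sign / fsum(members))
    return fsum(terms)


def bounds(p, h):
    """Lower and upper bound on expected_packets(p, h).

    Lower: the farthest hop alone needs 1/P packets, with P = p(1-p)^(h-1).
    Upper: pretend every hop is as rare as the farthest one (coupon collector
    with h equally likely coupons), which gives H_h / P.
    """
    q_far = hop_mark_probabilities(p, h)[-1]
    harmonic = fsum(1.0 / k for k in range(1, h + 1))
    return 1.0 / q_far, harmonic / q_far


def growth_table(p, max_h):
    """Rows of (h, P for the farthest hop, exact expectation, lower, upper)."""
    rows = []
    for h in range(1, max_h + 1):
        lower, upper = bounds(p, h)
        q_far = hop_mark_probabilities(p, h)[-1]
        rows.append((h, q_far, expected_packets(p, h), lower, upper))
    return rows


if __name__ == "__main__":
    # Constructed sample: marking probability 0.2, paths of 1 to 12 hops.
    print(" h   P(farthest)   E[packets]   1/P       H_h/P")
    for h, q_far, exact, lower, upper in growth_table(0.2, 12):
        print(f"{h:2d}   {q_far:10.5f}   {exact:10.1f}   {lower:7.1f}   {upper:7.1f}")
```

For a fixed p, the lower bound 1/P alone grows by a factor 1/(1-p) per added hop, which is the exponential dependence on path length that the step relies on.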
Step 7: Security analysis
The complexity of path reconstruction grows exponentially with increasing path length. Starting from this relationship between reconstruction complexity and path length, a functional relationship between the user's security requirement and the path length is established.
The user's security requirement is quantified and mapped to a security level, and a functional relationship between the security level and the access path length is sought. Because the tracing difficulty is exponential in the path length, a logarithmic relationship is used to relate the security level to the path length:
Figure GDA0003844192240000153
where $h_e$ is the access path length of session e, i.e. the number of hops, $g_e$ is the security level of session e, and α is a parameter related to the network size.
Step 8: Approximation algorithm
An approximation algorithm converts the nonlinear part of the optimization objective into a linear part with controllable error.
The concrete steps are as follows:
Step S80: Define the function
Figure GDA0003844192240000161
and replace the objective function with
Figure GDA0003844192240000162
From the foregoing, $f_{l(i,j)} \le T$ and
Figure GDA0003844192240000163
Scaling the left inequality of the transmission rate formula gives
Figure GDA0003844192240000164
from which it follows that $f_{l(i,j)}$ lies within the range
Figure GDA0003844192240000165
It is easy to show that m(x) is a convex function, so the piecewise linearization technique is used to approximate the curve $m(f_{l(i,j)})$: the curve is replaced by a set of line segments such that the deviation of the line segments from the curve does not exceed a given error σ, where
Figure GDA0003844192240000166
are the end point values of the line segments on the X axis and C is the minimum number of line segments required to replace the curve. The starting point is set to
Figure GDA0003844192240000167
and the end point to
Figure GDA0003844192240000168
Step S81: Starting from the starting point
Figure GDA0003844192240000169
calculate the slope of the first line segment
Figure GDA00038441922400001610
such that the error between the line segment and the original curve does not exceed σ. With the starting point and the slope of the line segment known, the intersection of the line segment with the original curve is easily obtained:
Figure GDA00038441922400001611
This point is used as the starting point of the next line segment, and the process is repeated until the whole value range of $f_{l(i,j)}$ is covered.
Step S82: As shown in fig. 2, assume that
Figure GDA00038441922400001612
is the point of maximum error between the c-th line segment $M_c(f_{l(i,j)})$ and the original curve
Figure GDA00038441922400001613
The following formula is then easily obtained:
Figure GDA00038441922400001614
which readily gives the slope
Figure GDA0003844192240000171
From the point-slope form
Figure GDA0003844192240000172
and the slope formula
Figure GDA0003844192240000173
the intersection point is easily found:
Figure GDA0003844192240000174
Step S83: When
Figure GDA0003844192240000175
the intersection cannot be solved by the above method. In that case
Figure GDA0003844192240000176
is taken as the line segment end point, and the two points
Figure GDA0003844192240000177
and (T, m(T)) are connected as the last line segment.
Step S84: The linearized line segment function
Figure GDA0003844192240000178
replaces the optimization objective $d_{ave}$, which gives a new linear optimization problem in place of the original problem, expressed as:
Figure GDA0003844192240000179
s.t. communication constraints, throughput constraints, hop count requirements, approximation algorithm constraints.
Step 9: Error analysis
Suppose OPT* is the optimal solution of the original problem, with result
Figure GDA00038441922400001710
Because OPT* satisfies all the constraints mentioned above, a feasible solution OPT-L can be constructed whose $f_{l(i,j)}$ is the same as that of OPT*. The difference between their solutions is therefore
Figure GDA00038441922400001711
Let
Figure GDA00038441922400001712
It follows easily that OPT-L − OPT* ≤ ε.
Here the function m(·) is a nonlinear continuous function, and the function M(·) is a piecewise function composed of a group of linear functions connected end to end.
Thus, for a given error, the linearization error can be computed to obtain a set of line segments that replaces the original curve, converting the problem into a Mixed Integer Linear Programming (MILP) model, which can be solved using a commercial solver (e.g., CPLEX).
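The greedy construction of steps S80 to S83 can be written down as follows; this is an added sketch, not the patent's code. Because the page gives m(x) only as an image, a stand-in convex curve m(f) = 1/(W·f − LAM) with constructed values for W, LAM, the starting point and T is assumed, and the slope and intersection that the patent derives in closed form are found numerically here.

```python
"""Greedy piecewise linearization of a convex curve with max deviation sigma.

Assumption: the patent's m(x) is only available as an image, so a stand-in
convex delay curve is used. W, LAM, F_MIN and T are constructed sample values.
"""
from bisect import bisect_right

W, LAM = 2.0, 1.0      # constructed: bandwidth per activation, offered load
F_MIN, T = 1.0, 20.0   # constructed: value range of the activation frequency


def m(f):
    """Stand-in convex curve (M/M/1-style delay), valid for W*f > LAM."""
    return 1.0 / (W * f - LAM)


def max_gap(curve, a, b, iters=80):
    """Largest height of the chord a-b above a convex curve on [a, b] (S82).

    The gap is concave in x, so a ternary search finds its maximum, which sits
    where the tangent of the curve is parallel to the chord.
    """
    slope = (curve(b) - curve(a)) / (b - a)

    def gap(x):
        return curve(a) + slope * (x - a) - curve(x)

    lo, hi = a, b
    for _ in range(iters):
        x1 = lo + (hi - lo) / 3.0
        x2 = hi - (hi - lo) / 3.0
        if gap(x1) < gap(x2):
            lo = x1
        else:
            hi = x2
    return gap((lo + hi) / 2.0)


def breakpoints(curve, start, end, sigma, iters=50):
    """End points of the segments on the X axis, from start to end (S81, S83)."""
    pts = [start]
    while pts[-1] < end:
        a = pts[-1]
        if max_gap(curve, a, end) <= sigma:
            pts.append(end)            # S83: close with the point (T, m(T))
            break
        lo, hi = a, end                # gap grows with b, so bisect on b
        for _ in range(iters):
            mid = (lo + hi) / 2.0
            if mid == lo or mid == hi:
                break
            if max_gap(curve, a, mid) <= sigma:
                lo = mid
            else:
                hi = mid
        if lo == a:
            raise ValueError("sigma is too small for floating-point precision")
        pts.append(lo)                 # S81: next segment starts here
    return pts


def M(curve, pts, x):
    """Piecewise-linear replacement: the chord of the segment containing x."""
    i = min(max(bisect_right(pts, x) - 1, 0), len(pts) - 2)
    a, b = pts[i], pts[i + 1]
    return curve(a) + (curve(b) - curve(a)) / (b - a) * (x - a)


def worst_error(curve, pts, samples=20000):
    """Maximum of M(x) - m(x) over a dense grid, to check the sigma bound."""
    lo, hi = pts[0], pts[-1]
    grid = (lo + (hi - lo) * k / samples for k in range(samples + 1))
    return max(M(curve, pts, x) - curve(x) for x in grid)


if __name__ == "__main__":
    for sigma in (0.01, 0.001):
        pts = breakpoints(m, F_MIN, T, sigma)
        print(f"sigma={sigma}: C={len(pts) - 1} segments, "
              f"worst error={worst_error(m, pts):.6f}")
```

Each chord lies on or above the convex curve, so the linearized objective never underestimates the original one, and the per-link overestimate stays within σ.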
2. Performance analysis:
The backtracking security controlled network access channel resource optimization configuration method provided by this embodiment was simulated in a Matlab environment to evaluate the performance of the proposed resource allocation algorithm. Specifically, the results of the scheduling algorithm were tested under both scarce and abundant link resources, and the results show that the algorithm can effectively allocate resources, balance loads and ensure the security level.
The node set consists of 3 domestic VPNs and 2 foreign VPNs, as shown in fig. 4, and the source node and destination node of a session may be any nodes. In this set of simulations, the selected bandwidth is [5m, 30m], and the delay on a particular link is inversely proportional to the distance between nodes.
Experimental example 1: Influence of the packet generation rate on the average delay
The experimental results are shown in fig. 5. The influence of the packet generation rate on the average delay is analyzed first, for two cases with 2 and 3 sessions respectively. In general, the delay when three sessions transmit simultaneously is larger than the delay when two sessions transmit simultaneously. We assume that the hop count requirement of all sessions is 2. The figure shows that, for a data packet generation rate λ in [1, 10], the delay in both cases rises slowly when λ is less than or equal to 2, and the average session delay increases almost linearly with λ when λ is greater than 2. This is because under light load there are enough idle links to transmit data and the waiting time is negligible; as the generation rate increases, the system becomes loaded and some data packets need to wait, so the delay increases rapidly as the transmission volume grows.
Experimental example 2: Scheduling results when link resources are scarce
Assume that two sessions need to be served simultaneously, with hop count requirements of 2 and 3 respectively. The packet generation rate of both sessions is 6 and there are 6 links available in the network, where links 1, 4, 5 are domestic links and links 2, 3, 6 are cross-border links.
The scheduling result under resource shortage is shown in fig. 6. As shown in diagram a of fig. 6, session 1 activates links 12 times in total; since its minimum hop count requirement is 2 and the packet generation rate is 6, the scheduling algorithm meets the minimum hop count requirement of session 1. Similarly, diagram b of fig. 5 leads to the conclusion that the scheduling algorithm meets the minimum hop count of session 2. Taking diagrams a and b of fig. 6 together, it can be seen how the scheduling algorithm allocates the links activated for sessions 1 and 2: session 1 uses links 1, 4, 5 and session 2 uses links 1, 2, 3, 6. As can be seen from diagram c of fig. 6, the number of activations of most links is uniform, but links 2, 3, 6 are activated significantly less often than the other three links. This is because links 2, 3, 6 are cross-border links, and the cost of activating such links is higher than that of activating domestic links, which the scheduling algorithm chooses to activate in order to reduce latency. Link 1 is activated significantly more often than the other links because there are only three domestic links in total; domestic links are scarce in one node pool, so link 1 becomes the bottleneck link of the system scheduling and is over-scheduled.
Experimental example 3: Scheduling results when link resources are sufficient
Assume that two sessions need to be served simultaneously, with hop count requirements of 2 and 3 respectively. The packet generation rate of both sessions is 8 and there are 10 links available in the network, where links 1, 2, 3, 4, 5, 6 are domestic links and links 7, 8, 9, 10 are cross-border links.
As shown in fig. 7, similar results are obtained. As shown in diagrams a and b of fig. 7, session 1 activates links 17 times in total and session 2 activates links 24 times in total; since the minimum hop count requirements are 2 and 3 respectively and the packet generation rate is 8, both satisfy the minimum hop count constraint. As can be seen from fig. 7, the domestic links 1, 2, 3, 4, 5, 6 are activated significantly more often than the cross-border links 7, 8, 9, in order to reduce latency and save cost. As can be seen from diagram c of fig. 7, the activation counts of the domestic links in experiment 3 are uniform, whereas in experiment 2 domestic link 1 was activated more often than the other domestic links. When link resources are abundant, no link becomes a bottleneck link because the link resources can meet the transmission requirement. The numbers of schedules among the domestic links, and among the cross-border links, are substantially the same.
As can be seen from experimental examples 2 and 3 together, the scheduling algorithm fulfills the user's security requirement under both insufficient and abundant link resources, and the link load is balanced when link resources are abundant. Although link 1 is activated 10 times when link resources are deficient, the comparison between the two node pools shows link 1 activated 10 and 12 times respectively, which indicates that the scheduling algorithm offloads part of the transmission burden to the node pool in which domestic links are abundant. When a low latency link is available, i.e., resources are sufficient, the method schedules the low latency link with high priority. The experimental results show that the backtracking security controlled network access channel resource optimization configuration method provided by this embodiment can effectively balance the load of links of the same type and improve the system performance.
Experimental example 4: comparison of minimum hop count constraint to actual hop count
A comparison of the minimum hop count constraint with the actual hop count is shown in fig. 8. As can be seen from fig. 8, the minimum hop count requirement increases as the security level requirement increases. It can be seen from the simulation results of the algorithm that both sessions satisfy the minimum hop count constraint. Furthermore, it can be seen from the figure that the actual number of hops experienced by the session is slightly higher than the minimum hop count requirement. The reason is that in order to achieve the optimization goal of minimum delay, the bottleneck link needs to be bypassed from time to time, so the actual hop count is higher than the required minimum hop count.
In summary, the backtracking security controlled network access channel resource optimization configuration method provided in this embodiment can dynamically schedule the link and the access path length according to different security level requirements of users. In addition, by calculating the number of activation times of the link, the length of the access path can be accurately calculated.
The method provides a recommended access path length for a given security level requirement, provides a minimum delay scheduling strategy on that basis, and solves the optimization using an approximation algorithm. Simulation experiments verify that the backtracking security controlled network access channel resource optimization configuration method provided by this embodiment can select a suitable path to meet the security level requirement, minimize transmission delay, effectively allocate resources and balance load.

Claims (6)

1. A backtracking security controlled access network channel resource optimization configuration method, characterized in that the method uses a multi-hop VPN network $G(S, L)$ to model resource allocation for backtracking access, wherein $S$ is a set of VPN servers comprising domestic nodes and foreign nodes, and $L$ is a set of edges between VPN nodes; a session $e \in E$ runs from the source node $s_e$ to the target node $d_e$, and each session has a specific security level requirement; the method comprises the following steps:
Step one: Communication model
Obtaining the single-in constraint based on the limit on the number of links activated by node i at any time t, obtaining the single-out constraint in the same way, and obtaining the full-duplex constraint on the number of links on the assumption that the node is full duplex; combining the single-in/single-out constraints and the full-duplex constraint to obtain the communication constraint;
Step two: Link activation model
Defining the variable
Figure FDA0003844192230000011
to denote the frequency with which session e activates link $l(i, j)$ within $(0, T]$,
Figure FDA0003844192230000012
wherein $f_{l(i,j)}$ denotes the frequency with which link $l(i, j)$ is activated over all sessions;
defining the binary variable
Figure FDA0003844192230000013
to denote the activation status of link $l(i, j)$ in session e: if the number of times the link is activated
Figure FDA0003844192230000014
otherwise
Figure FDA0003844192230000015
extending this further, the activation state of link $l(i, j)$ over all sessions is obtained as follows:
Figure FDA0003844192230000016
Step three: Throughput analysis
Calculating the minimum throughput and the maximum throughput of the link to obtain the throughput constraint;
Step four: Time delay analysis
First analyzing the time delay in a single-hop network, where the time delay equals the sum of the waiting delay and the transmission delay; calculating the waiting delay and the transmission delay separately to obtain the delay formula; and extending it to multi-hop wired networks;
Step five: Problem formulation
Given the developed system model and the above limitations, an optimal resource allocation is to be achieved that minimizes the average delay while satisfying the security level guarantees of all links; the target problem can thus be expressed as:
OPT min $d_{ave}$
s.t. communication constraints, throughput constraints, hop count requirements
wherein $d_{ave}$ is the average time delay obtained above, and an equivalent transformation gives:
Figure FDA0003844192230000021
where $\rho_{l(i,j)}$ represents the load factor of link $l(i, j)$ and $\mu_{l(i,j)}$ represents the actual transmission rate of link $l(i, j)$; the in-session data packet generation rate $\lambda_e$, the link bandwidth $W_{l(i,j)}$ and the data packet size D are constants, and the link activation frequency and the access path hop count $h_e$ depend on the results of the link resource allocation; clearly, this is a mixed integer nonlinear programming problem;
Step six: Threat analysis
Threat analysis is carried out on the classical tracing algorithm PPM; the complexity of PPM depends mainly on the network scale, the reconstruction time is chosen as the performance parameter of the algorithm, and the reconstruction time is defined as the number of marked packets required by an attacker to reconstruct the access path;
Step seven: Security analysis
The complexity of path reconstruction increases exponentially with the path length, and a functional relationship between the user's security requirement and the path length is established from the relationship between reconstruction complexity and path length;
the user's security requirement is quantified and mapped to a security level, and a functional relationship between the security level and the access path length is sought; because the tracing difficulty is exponential in the path length, a logarithmic relationship is used to relate the security level to the path length as follows:
Figure FDA0003844192230000033
wherein $h_e$ is the access path length of session e, i.e. the number of hops, $g_e$ is the security level of session e, and α is a parameter related to the network size;
Step eight: Approximation algorithm
Converting the nonlinear part of the optimization objective into a linear part with controllable error by using an approximation algorithm;
Step nine: Error analysis
Suppose OPT* is the optimal solution of the original problem, with result
Figure FDA0003844192230000031
because OPT* satisfies all the constraints mentioned above, a feasible solution OPT-L can be constructed whose $f_{l(i,j)}$ is the same as that of OPT*; the difference between their solutions is therefore:
Figure FDA0003844192230000032
which gives OPT-L − OPT* ≤ ε;
where the function m(·) is a nonlinear continuous function, and the function M(·) is a piecewise function composed of a group of linear functions connected end to end;
thus, for a given error, the linearization error can be calculated to obtain a set of line segments that replaces the original curve, transforming the problem into a mixed integer linear programming (MILP) model, which can be solved using a commercial solver.
2. The method of claim 1, wherein step one is implemented as follows:
Step S10: The edge from node i to node j is written $l(i, j)$, $j \in N_i$, where $N_i$ is the set of neighbor nodes of node i; the minimum time for the successful transmission of one data packet on a link is taken as a time slot, it is assumed that all sessions are generated at time 0, and the transmission of all data packets is completed at time T; let
Figure FDA0003844192230000041
denote the activation state of link $l(i, j)$ at time t; if the link is activated by session e within time t,
Figure FDA0003844192230000042
otherwise
Figure FDA0003844192230000043
Step S11: From step S10, the single-in constraint follows easily:
Figure FDA0003844192230000044
that is, the number of links activated by node i at any time t is less than or equal to 1; the single-out constraint is obtained in the same way:
Figure FDA0003844192230000045
Step S12: Each session is assumed to be unicast and each node full duplex, which means that node i can receive and transmit data at any time, but the number of simultaneously active links cannot exceed two, which gives the full-duplex constraint:
Figure FDA0003844192230000046
Step S13: Combining the single-in/single-out constraints and the full-duplex constraint obtained in steps S11 and S12 gives the communication constraint of the node:
Figure FDA0003844192230000047
3. The method of claim 1, wherein step three is implemented as follows:
Step S31: Assuming that session e generates a data packet of size D each time and that only one data packet is transmitted each time the link is activated, the minimum throughput of link $l(i, j)$ is:
Figure FDA0003844192230000048
Step S32: The maximum throughput of link $l(i, j)$ within $(0, T]$ is calculated from the bandwidth,
Figure FDA0003844192230000049
wherein $W_{l(i,j)}$ represents the bandwidth of link $l(i, j)$;
Step S33: Combining the maximum throughput and the minimum throughput gives the throughput constraint:
Figure FDA00038441922300000410
wherein the throughput is $\mu_{l(i,j)} = f_{l(i,j)} \cdot W_{l(i,j)}$.
4. The method of claim 1, wherein step four is implemented as follows:
Step S40: Suppose node $S_e$ is the source node of session e and node j is the next-hop node; define
Figure FDA0003844192230000051
to represent the system time,
Figure FDA0003844192230000052
wherein
Figure FDA0003844192230000053
is the waiting delay, equal to the queuing time of the data packet in the transmit queue, and
Figure FDA0003844192230000054
is the transmission delay;
Step S41: The system is unicast, meaning that a transmitting node transmits data to only one receiving node at a time; assuming that the packets on all nodes are served in First Come First Serve (FCFS) mode, each VPN generates and transmits packets through one M/M/1 queue, with expected waiting time:
Figure FDA0003844192230000055
wherein
Figure FDA0003844192230000059
is the load factor of link $l(S_e, j)$;
the transmission time of the data packet is:
Figure FDA0003844192230000056
Step S42: From S41, the time delay from the source node $S_e$ to the next-hop node j in a one-hop network is:
Figure FDA0003844192230000057
Step S43: The single-hop delay formula is extended to a multi-hop network; assuming that session e passes through $h_e$ hops from the source node to the target receiving end, then according to the above analysis, combined with the S32 constraint, the system is in a light-load phase, so the time delay of session e is:
Figure FDA0003844192230000058
the average delay of all sessions can be expressed as:
Figure FDA0003844192230000061
5. The method of claim 1, wherein step six is implemented as follows:
Step S60: Assuming that an attacker marks a data packet sent by the attacker with probability p and that the access path length from the target node to the attacker is h, the probability that the target receives the marked packet can be expressed as:
$P = p(1-p)^{h-1}$
Step S61: Based on step S60, the expected number of marked packets required to reconstruct an access path of length h is
Figure FDA0003844192230000062
where γ is a constant parameter related to the network size and β is a constant parameter related to the link quality;
Step S62: From this formula, the reconstruction time is
Figure FDA0003844192230000063
from which it follows that the complexity of the algorithm is exponential in the length of the access path.
6. The method of claim 1, wherein step eight is implemented as follows:
Step S80: Define the function
Figure FDA0003844192230000064
and replace the objective function with
Figure FDA0003844192230000065
from the foregoing, $f_{l(i,j)} \le T$ and
Figure FDA0003844192230000066
scaling the left inequality of the transmission rate formula gives
Figure FDA0003844192230000067
from which it follows that $f_{l(i,j)}$ lies within the range
Figure FDA0003844192230000068
it is easy to show that m(x) is a convex function, so the piecewise linearization technique is used to approximate the curve $m(f_{l(i,j)})$: the curve is replaced by a set of line segments such that the deviation of the line segments from the curve does not exceed a given error σ, wherein
Figure FDA0003844192230000071
are the end point values of the line segments on the X axis and C is the minimum number of line segments required to replace the curve; the starting point is set to
Figure FDA0003844192230000072
and the end point to
Figure FDA0003844192230000073
Step S81: Starting from the starting point
Figure FDA0003844192230000074
calculate the slope of the first line segment
Figure FDA0003844192230000075
such that the error between the line segment and the original curve does not exceed σ; with the starting point and the slope of the line segment known, the intersection of the line segment with the original curve is easily obtained:
Figure FDA0003844192230000076
this point is used as the starting point of the next line segment, and the process is repeated until the whole value range of $f_{l(i,j)}$ is covered;
Step S82: Assume that
Figure FDA0003844192230000077
is the point of maximum error between the c-th line segment $M_c(f_{l(i,j)})$ and the original curve
Figure FDA0003844192230000078
the following formula is then easily obtained:
Figure FDA0003844192230000079
which gives the slope
Figure FDA00038441922300000710
from the point-slope form
Figure FDA00038441922300000711
and the slope formula
Figure FDA00038441922300000712
the intersection point is easily found:
Figure FDA00038441922300000713
Step S83: When
Figure FDA00038441922300000714
the intersection cannot be solved by the above method; in that case
Figure FDA00038441922300000715
is taken as the line segment end point, and the two points
Figure FDA00038441922300000716
and (T, m(T)) are connected as the last line segment;
Step S84: The linearized line segment function
Figure FDA00038441922300000717
replaces the optimization objective $d_{ave}$, which gives a new linear optimization problem in place of the original problem, expressed as:
OPT-L
Figure FDA00038441922300000718
s.t. communication constraints, throughput constraints, hop count requirements, approximation algorithm constraints.
CN202011228961.XA 2020-11-06 2020-11-06 Method for optimizing and configuring backtracking security controlled network access channel resources Active CN112468449B (en)


Publications (2)

Publication Number Publication Date
CN112468449A CN112468449A (en) 2021-03-09
CN112468449B true CN112468449B (en) 2022-11-01

Family

ID=74825010


Country Status (1)

Country Link
CN (1) CN112468449B (en)

Also Published As

Publication number Publication date
CN112468449A (en) 2021-03-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant