CN103701597A - Control method of trust grouping verification - Google Patents
- Publication number: CN103701597A (application CN201310637784.4A)
- Authority: CN (China)
- Prior art keywords: grouping, credible, packet authentication, router, verification
- Legal status: Granted
- Landscape: Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a control method for trusted packet verification ("trust grouping verification"; "grouping" renders the Chinese term for packet). The method introduces four parameters: the router trusted-verification rate I_i, the packet trust level W_t, the packet trust threshold I_def and the link attack-introduction rate a_i, and uses them to build a transmission model oriented to the real network environment. By adding a link control field to the frame structure, each router gains the ability to judge whether a packet needs to be identified and the option of identifying it selectively, which realises a fine-grained, multi-level ("multipolarity") packet verification control strategy. The benefits are that trusted packet verification can be controlled flexibly across the whole network; because the strategy is fine-grained and multi-level, it meets the trust requirements of different users and service types, reduces the number of verifications as far as possible while the packet's trust requirement is still met, improves the efficiency of trusted packet verification and effectively enhances the transmission performance of a trusted network.
Description
Technical field
The present invention relates to a control method for trusted packet verification.
Background technology
Packet signing and verification are generally used in specific scenarios such as network access and identity authentication to protect packet integrity and prevent packets from being tampered with.
Existing packet verification generally adds a fixed field to implement a point-to-point signature. This is an add-on design: isolated and single-purpose in its object and function, it lacks flexibility and can hardly support trusted packet verification across a whole network. As new attack patterns keep emerging, fixed-field packet verification cannot form an architectural security protection capability and cannot meet the defence-in-depth requirements of highly secure communication.
Summary of the invention
To overcome the above shortcomings of the prior art, the invention provides a control method for trusted packet verification. Its model is a transmission model oriented to the real network environment, into which four mathematical parameters are introduced: the router trusted-verification rate I_i, which expresses a router's ability to effectively identify packets; the packet trust level W_t, which represents the trust level of a packet at time t during network transmission; the packet trust threshold I_def; and the link attack-introduction rate a_i. Whether a router verifies a packet is closely related to the packet's current trust level W_t, the router's own trusted-verification rate I_i and the packet trust threshold I_def specified for the packet, so the router must judge and choose according to the magnitudes of these parameters. The introduction of these parameters also requires corresponding fields to be added to the frame structure. With these fields added, a router has both the judgement needed to decide whether a packet must be identified and the option of identifying it selectively.
The control strategy for trusted packet verification is determined by the actual requirements of trusted packet transmission, and it guides the choice of control parameters and the realisation of the control algorithm. Taking into account the packet's performance requirements, its trust requirements and the actual trusted state of the network, a data model of trusted packet verification is established; the key parameters and the algorithm extracted from the model complete the effective control of trusted packet verification, so that the number of verifications is reduced as far as possible while the packet's trust requirement is still met. The method solves the trusted transmission and fine-grained control of packets: through fine-grained packet verification control it ensures that all packets in the network are trusted, effectively prevents malicious damage to packets during transmission and genuinely guarantees the trustworthiness of network transmission. It enriches the control means of the network, strengthens the network's intelligent control capability and plays an important role in guaranteeing the trusted transmission of network services.
The technical solution adopted by the invention to solve the technical problem is a control method for trusted packet verification that introduces the router trusted-verification rate I_i, the packet trust level W_t, the packet trust threshold I_def and the link attack-introduction rate a_i to establish a transmission model oriented to the real network environment, and adds a link control field to the frame structure so that routers possess the judgement needed to identify packets and the option of doing so selectively, realising a fine-grained, multi-level packet verification control strategy.
Compared with the prior art, the beneficial effects of the invention are as follows. Packet verification can protect data integrity, but packet verification and trusted networks have seldom been designed together; the invention fills this gap and realises flexible control of trusted packet verification across the whole network. Because it adopts a fine-grained, multi-level packet verification control strategy, it meets the trust requirements of different users and service types, reduces the number of verifications as far as possible while the packet's trust requirement is met, improves the efficiency of trusted packet verification and effectively improves the transmission performance of a trusted network.
Description of the drawings
Embodiments of the invention are described with reference to the accompanying drawings, in which:
Fig. 1 is the mathematical model of packet transmission oriented to the real network environment;
Fig. 2 is the data frame format used for trusted network control;
Fig. 3 is the packet identification decision flow of router i;
Fig. 4 is a schematic diagram of the relation between the packet trust threshold and the number of verifications under given parameters.
Detailed description
(1) Control strategy for trusted packet verification
The method adopts a fine-grained, multi-level packet verification control strategy to meet the trust requirements of different users and service types. It comprises:
1) Hop-by-hop packet verification strategy: suitable for network services with extremely high security requirements.
2) Interval packet verification strategy: according to application requirements, some network devices on the transmission path are selected not to perform signature verification and simply forward the packet, which improves transmission speed. This strategy suits services with very high demands on transmission performance and real-time behaviour whose security can be traded off, such as real-time voice communication.
3) Domain-interval packet verification strategy: the network is divided into domains according to its current security posture; in domains whose security posture is good, or whose security is sufficient to meet the trust requirement of the service, packets are not verified and are forwarded directly, as in conventional transmission.
4) Interlayer-type packet verification strategy: according to the trust requirement of the service and the network environment, either an end-to-end or a point-to-point verification mode is chosen. End-to-end mode verifies only during the access procedure; point-to-point mode is the hop-by-hop packet verification strategy.
(2) Control parameters of trusted packet verification
To realise a fine-grained trusted transmission control strategy, the model of this method is a transmission model oriented to the real network environment, shown in Fig. 1; it comprises routing nodes, links, user terminals and so on. Four mathematical parameters are introduced into the model:
1. Router trusted-verification rate I_i: expresses a router's ability to effectively identify packets. The parameter has global significance: it is the result of long-term statistics and at a given moment can be taken as a fixed value. For any packet, once a router has verified it, the packet's trust level rises immediately to the router's verification rate I_i. To distinguish them, the trusted-verification rates of the edge routers Rer and Rec at the network egress and ingress are denoted I_er and I_ec respectively.
2. Packet trust level W_t: represents the trust level of a packet at time t during network transmission. Before a packet enters the network it has not passed any verification or identification, so its trust level is 0. After a router identifies and verifies it, its trust level changes; during transmission across the backbone the packet may be attacked, which lowers its trust level.
3. Packet trust threshold I_def: because the sender has a requirement on packet trust, the packet trust threshold I_def must be set at the sending end. After network transmission, the packet trust level required on arrival at the receiver B must not be lower than I_def.
4. Link attack-introduction rate a_i: because of the uncertainty of network links, there is a probability that an attack is introduced while a packet traverses a link, lowering the packet's trust level. a_i is directly related to the network environment and to the network region in which link i lies. In a small network, a_i can be regarded as equal for every link and adjusted adaptively according to the current security state of the network to reflect the current risk level. In a large network some regions may carry a greater security risk than others, so a_i differs from link to link. At a given moment, the link attack-introduction rate a_i can be regarded as a fixed value.
(3) Control method of trusted packet verification
Trusted packet verification attaches to each packet sent over the trusted network a label that carries its own identity. The label uniquely identifies the signing network component, cannot be tampered with (or any tampering can be detected) and is accordingly non-repudiable. During transmission, network edge routers and intermediate routers identify the packet and check its integrity. A packet that cannot be authenticated is discarded. If a packet harmful to network security is found, its label can be used to determine the packet's sender, achieving reverse authentication. A suitable frame structure must therefore be chosen to encapsulate the trust parameters and the label in the packet.
From the chosen control parameters of trusted packet verification it is known that whether a router verifies a packet is closely related to the packet's current trust level W_t, the router's own trusted-verification rate I_i and the packet trust threshold I_def specified for the packet; the router therefore has to judge and choose according to the magnitudes of these parameters. The introduction of these parameters also requires corresponding fields in the frame structure. For this purpose the basic link-layer encapsulation format is improved: the padding field of the frame header is used to add a link control field, as shown in Fig. 2.
In Fig. 2 the parts of the link control field have the following meanings:
1. Digital signature: the signature formed with the private key of the previous verification point;
2. W field: the packet's current trust level, initial value W = 0;
3. I_def: the packet trust threshold I_def, reflecting trust requirements of the packet such as confidentiality and integrity;
4. Previous verification point address: the MAC address of the router that last verified the packet, with initial value 0 at the sending end.
With these fields added, a router has both the judgement needed to decide whether a packet must be identified and the option of identifying it selectively. This multi-hop packet verification mode does, however, increase the complexity of router verification to a certain extent, so many aspects must be weighed in the optimisation to reach the best balance of cost and effectiveness. As shown in Fig. 3, the decision mechanism overcomes the "barrel effect" (the weakest element dominating the outcome) and makes an optimised decision among the packet's current trust level, the packet trust threshold and the router's trust attribute. The specific decision steps are those of the flow in Fig. 3 (set out step by step in claim 2 below).
In addition, the packet trust threshold I_def specified for the packet reflects the trust level required by the sender; its value depends not only on the maximum trust level the network can provide but also on the packet's transmission path. Fig. 4 shows, under given parameters, the number of router verifications needed for different values of I_def, where the total number of routers is 10 and the maximum trusted security capability of the path is 0.96. As can be seen from Fig. 4, routing must take factors such as the attack-introduction rate and the packet trust threshold I_def into account in order to balance the number of verifications against the number of router hops.
Claims (4)
1. A control method for trusted packet verification, characterised in that: the router trusted-verification rate I_i, the packet trust level W_t, the packet trust threshold I_def and the link attack-introduction rate a_i are introduced to establish a transmission model oriented to the real network environment; and a link control field is added to the frame structure so that routers possess the judgement needed to identify packets and the option of doing so selectively, realising a fine-grained, multi-level packet verification control strategy.
2. The control method for trusted packet verification according to claim 1, characterised in that the method by which a router decides whether to identify a packet is as follows:
Step 1: judge whether the packet trust level at the current time is greater than I_def; if so, go to step 4; if not, go to step 2;
Step 2: judge whether the packet trust level at the current time is greater than I_i; if so, go to step 4; if not, go to step 3;
Step 3: the router performs trusted identification of the packet and assigns I_i as the packet trust level for the next time; then go to step 5;
Step 4: assign the packet trust level of the current time as the packet trust level for the next time; then go to step 5;
Step 5: update the packet trust level using the link attack-introduction rate of the current time.
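The router decision of claim 2, run over the Fig. 4 setting (10 routers, path capability 0.96), as an added example that is not part of the patent: the step 5 update rule W' = W·(1 − a_i), the Router/Trace names, the function names and all parameter values are assumptions, since the patent gives no formula for step 5.

```python
"""Per-router trust decision of CN103701597A (claim 2), as a simulation.

Added example, not the patent's code. The patent gives no formula for step 5,
so this ASSUMES multiplicative decay W' = W * (1 - a_i) per link. Parameter
values are constructed to match Fig. 4 (10 routers, path capability 0.96).
"""
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    i_rate: float       # trusted-verification rate I_i of this router
    link_attack: float  # attack-introduction rate a_i of its outgoing link

@dataclass
class Trace:
    verified_at: list = field(default_factory=list)  # routers that verified
    w_history: list = field(default_factory=list)    # W_t after each hop
    final_w: float = 0.0

def router_decide(w, router, i_def):
    """Apply steps 1-5 of claim 2 at one router; return (next W, verified?)."""
    if w > i_def:                 # step 1: requirement already met -> step 4
        next_w, verified = w, False
    elif w > router.i_rate:       # step 2: verifying could not raise W -> step 4
        next_w, verified = w, False
    else:                         # step 3: verify; W jumps to this router's I_i
        next_w, verified = router.i_rate, True
    # step 5: trust degrades on the outgoing link (assumed rule, see docstring)
    return next_w * (1.0 - router.link_attack), verified

def transmit(path, i_def, w0=0.0):
    """Carry a packet with initial trust w0 (0 on entering the network) along path."""
    trace = Trace(w_history=[w0])
    w = w0
    for router in path:
        w, verified = router_decide(w, router, i_def)
        if verified:
            trace.verified_at.append(router.name)
        trace.w_history.append(w)
    trace.final_w = w
    return trace

def verification_count(path, i_def):
    """Number of router verifications on path for threshold I_def (Fig. 4's y-axis)."""
    return len(transmit(path, i_def).verified_at)

def meets_threshold(path, i_def):
    """Receiver-side check: W on arrival must not be below I_def."""
    return transmit(path, i_def).final_w >= i_def

# Constructed path: 10 routers, I_i = 0.96 (path capability), a_i = 1% per link.
PATH = [Router(f"R{k}", 0.96, 0.01) for k in range(1, 11)]

if __name__ == "__main__":
    for i_def in (0.5, 0.9, 0.95, 0.97):
        t = transmit(PATH, i_def)
        print(f"I_def={i_def:.2f}: verifications={len(t.verified_at):2d} "
              f"at {t.verified_at}, final W={t.final_w:.4f}, "
              f"met={meets_threshold(PATH, i_def)}")
```

The sweep shows the Fig. 4 trade-off: a low I_def needs one verification, a threshold near the path capability needs one every other hop, and a threshold above 0.96 forces verification at every router yet still cannot be met on arrival because of the link decay.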
3. The control method for trusted packet verification according to claim 1, characterised in that the fine-grained, multi-level packet verification control strategy comprises: a hop-by-hop packet verification strategy, an interval packet verification strategy, a domain-interval packet verification strategy and an interlayer-type packet verification strategy.
4. The control method for trusted packet verification according to claim 1, characterised in that the link control field comprises: a digital signature, a W field, I_def and the previous verification point address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310637784.4A (granted as CN103701597B) | 2013-11-29 | 2013-11-29 | A control method of trusted packet verification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103701597A (this document) | 2014-04-02 |
CN103701597B | 2016-11-16 |