支持多租户的网络测试床模拟流量标记和溯源模型

doi:10.3969/j.issn.0372-2112.2017.08.020

电子学报 ›› 2017, Vol. 45 ›› Issue (8): 1947-1956.DOI: 10.3969/j.issn.0372-2112.2017.08.020

支持多租户的网络测试床模拟流量标记和溯源模型

丁嘉宁^1,2, 张鹏^1,2, 杨嵘^1,2, 刘俊朋^1,2, 刘庆云^1,2, 熊刚^1,2

1. 中国科学院信息工程研究所信息内容安全技术国家工程实验室, 北京 100093;
2. 中国科学院大学网络空间安全学院, 北京 100049

收稿日期:2015-04-28 修回日期:2017-03-18 出版日期:2017-08-25
- 通讯作者:
- 张鹏
- 作者简介:
- 丁嘉宁,男,1991年出生,现为中国科学院信息工程研究所研究实习员.主要从事网络数据分析、信息安全等相关领域研究.E-mail:dingjianing@iie.ac.cn;杨嵘,男,1978年出生,高级工程师,CCF会员,主要研究领域为信息安全、云计算.E-mail:yangrong@iie.ac.cn;刘俊朋,男,1987年出生,硕士,CCF会员,主要研究领域为信息安全、云计算、网络流处理.E-mail:liujunpeng@iie.ac.cn;刘庆云,男,1980年出生,博士,高级工程师,CCF会员,主要研究领域为信息安全,云计算.E-mail:liuqingyun@iie.ac.cn;熊刚,男,1977年出生,博士,高级工程师,博士生导师,主要研究领域为网络测量,网络攻防与信息对抗,信息安全.E-mail:xionggang@iie.ac.cn
- 基金资助:
- 国家自然科学基金 (No.61402464）; 国家重点研发计划项目 (No.2016YFB0801304）

Multi-tenant Network Testbed Flow Watermarking and Provenance Tracing Model

DING Jia-ning^1,2, ZHANG Peng^1,2, YANG Rong^1,2, LIU Jun-peng^1,2, LIU Qing-yun^1,2, XIONG Gang^1,2

1. National Engineering Laboratory for Information Security Technologies, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China

Received:2015-04-28 Revised:2017-03-18 Online:2017-08-25 Published:2017-08-25
- Supported by:
- National Natural Science Foundation of China (No.61402464); Program of National Key Research and Development Program of China (No.2016YFB0801304)

摘要/Abstract

摘要： 为了在支持多租户的网络测试床中对模拟流量进行标记和溯源，提出了一种基于时间间隔的网络流水印模型，当生成模拟流量时，该模型首先把水印内容转换成0~1比特序列，然后将0~1比特序列转换成流中数据包发送的时间间隔从而实现对模拟流量的标记.当接收模拟流量时，该模型通过将流中数据包的时间间隔转换成0~1比特序列，进而获取对应的水印内容，从而实现模拟流量的溯源.理论分析表明，该模型能够抵御多种攻击手段，同时大量实验证明了该模型在不丢包情况和丢包情况下对模拟流量进行溯源的有效性.

关键词: 网络测试床, 云计算, 水印, 溯源, 模拟流量

Abstract: In order to label and trace the provenance of any simulated flow in multi-tenant network testbed,an interval-based flow watermarking and provenance tracing model was proposed.When a simulation flow was generated,this model first transformed the user's watermarking content into 0-1 bit sequence and then sent packets of the flow at particular intervals according to the 0-1 bit sequence to label the flow.When the simulation flow was captured by the model,the time intervals between packets in the flow were transformed into the 0-1 bit sequence so that the watermarking content could be extracted to trace the provenance of this simulation flow.The resilience against various known attack techniques is illustrated through theoretical analysis.Moreover,a large number of experiments prove the validity of this model in tracing simulation flows under both normal and abnormal circumstance.

Key words: network testbed, cloud computing, watermarking, provenance tracing, simulated flow

中图分类号:

TP393

丁嘉宁, 张鹏, 杨嵘, 等. 支持多租户的网络测试床模拟流量标记和溯源模型[J]. 电子学报, 2017, 45(8): 1947-1956.

DING Jia-ning, ZHANG Peng, YANG Rong, et al. Multi-tenant Network Testbed Flow Watermarking and Provenance Tracing Model[J]. Acta Electronica Sinica, 2017, 45(8): 1947-1956.

参考文献

[1] CHUN B,CULLER D,ROSCOE T,et al.Planetlab:an overlay testbed for broad-coverage services[J].ACM SIGCOMM Computer Communication Review,2003,33(3):3-12.
[2] SHEN Z,SUBBIAH S,GU X,ET AL.CloudScale:Elastic resource scaling for multi-tenant cloud systems[A].Proceedings of the 2^nd ACM symposium on cloud computing[C].Cascais,Portugal:ACM,2011,5
[3] BERMAN M,CHASE J S,LANDWEBER L,et al.Geni:A federated testbed for innovative network experiments[J].Computer Networks,2014,61:5-23.
[4] CHANG X.Network simulations with OPNET[A].Proceedings of the 31st conference on winter simulation:Simulation-a bridge to the future-Volume 1[C].Phoenix,AZ,U.S.A:ACM,1999:307-314.
[5] BHATIA S,MOTIWALA M,MUHLBAUER W,et al.Trellis:A platform for building flexible,fast virtual networks on commodity hardware[A].Proceedings of the 2008 ACM CoNEXT Conference[C].Madrid,Spain:ACM,2008,72.
[6] BAJAJ S,BRESLAU L,ESIN D,et al.Improving simulation for network research[J].Technical Report 99-702b,USC Computer Science Department,1999.
[7] WANG X,CHEN S,JAJODIA S.Network flow watermarking attack on low-latency anonymous communication systems[A].2007 IEEE Symposium on Security and Privacy (SP '07)[C].San Jose,California,USA:IEEE,2007,116-130.
[8] WANG X,REEVES D S.Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays[A].Proceedings of the 10th ACM conference on Computer and communications security[C].Washington D.C.,USA:ACM,2003:20-29.
[9] PYUN Y J,PARK Y H,WANG X,et al.Tracing traffic through intermediate hosts that repacketize flows[A].INFOCOM 2007.26th IEEE International Conference on Computer Communications.IEEE[C].Anchorage,Alaska,USA:IEEE,2007:634-642.
[10] HOUMANSADR A,KIYAVASH N,BORISOV N.RAINBOW:A Robust and Invisible Non-Blind Watermark for Network Flows[A].16^th Annual Network & Distributed System Security Symposium[C].San Diego,CA:Internet Society,2009.
[11] Sultana S,Shehab M,Bertino E.Secure provenance transmission for streaming data[J].IEEE Transactions on Knowledge and Data Engineering,2013,25(8):1890-1903.
[12] HOUMANSADR A,BORISOV N.SWIRL:A scalable watermark to detect correlated network flows[A].18^th Annual Network & Distributed System Security Symposium[C].San Diego,CA:Internet Society,2011.
[13] KIYAVASH N,HOUMANSADR A,BORISOV N.Multi-flow attacks against network flow watermarking schemes[A].USENIX Security Symposium[C].San Jose,California,USA:2008.307-320.
[14] ZHANG Y,PAXSON V.Detecting stepping stones[A].USENIX Security Symposium[C].Berkeley,California,USA:2000,171:184.
[15] Reed M G,Syverson P F,Goldschlag D M.Anonymous connections and onion routing[J].IEEE Journal on Selected areas in Communications,1998,16(4):482-494.
[16] LUO X,ZHOU P,ZHANG J,et al.Exposing invisible timing-based traffic watermarks with BACKLIT[A].Proceedings of the 27^th Annual Computer Security Applications Conference[C].Orlando,Florida,USA:ACM,2011:197-206.
[17] ROOSTA T G.Attacks and Defenses of Ubiquitous Sensor Networks[M].Saarbrucken,Germany:VDM Verlag Dr.Muller Aktiengesellschaft & Co.,2008.
[18] Houmansadr A,Kiyavash N,Borisov N.Multi-flow attack resistant watermarks for network flows[A].2009 IEEE International Conference on Acoustics,Speech and Signal Processing[C].Taiwan:IEEE,2009:1497-1500.
[19] 林海略,韩燕波.多租户应用的性能管理关键问题研究[J].计算机学报,2010,33(10):1881-1895.
[20] Olver,Frank W J,Lozier,Daniel M,Boisvert,Ronald F,Clark,Charles W.NIST Handbook of Mathematical Functions[M].Cambridge,United Kingdom:Cambridge University Press,2010.
[21] KADLECSIK J,WELTE H,MORRIS J,et al.The netfilter/iptables Project[EB/OL].http://www.netfilter.org,2015.
[22] Peng P,Ning P,Reeves D S.On the secrecy of timing-based active watermarking trace-back techniques[A].2006 IEEE Symposium on Security and Privacy (SP'06)[C].San Jose,California,USA:IEEE,2006.15-349.

支持多租户的网络测试床模拟流量标记和溯源模型

Multi-tenant Network Testbed Flow Watermarking and Provenance Tracing Model

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	赵开强, 康萍, 刘彬, 郭真, 冯朝胜, 卿昱. 支持云代理重加密的CP-ABE方案[J]. 电子学报, 2023, 51(3): 728-735.
[2]	罗智勇, 朱梓豪, 谢志强, 孙广路. 面向云计算的花朵差分授粉工作流多目标优化算法研究[J]. 电子学报, 2021, 49(3): 470-476.
[3]	王向阳, 牛盼盼, 田静, 杨红颖, 徐欢. 基于BKF矢量HMT的非下采样剪切波域数字水印检测算法[J]. 电子学报, 2021, 49(1): 40-49.
[4]	岳桢, 李子臣, 杨义先, 游福成, 刘福平. 直方图2Bin多进制图像数字水印算法的研究[J]. 电子学报, 2020, 48(3): 531-537.
[5]	李航, 冯朝胜, 刘帅南, 刘彬, 赵开强. 支持离线/在线加密及可验证外包解密的CP-WABE方案[J]. 电子学报, 2020, 48(11): 2146-2153.
[6]	章无用, 陈建华, 胡耀垓. 基于重同步的高容量鲁棒图像水印算法[J]. 电子学报, 2019, 47(4): 862-870.
[7]	王春东, 杨蕾, 万福金, 刘哲理, 朱立坤. 数据库水印模型及其算法综述[J]. 电子学报, 2019, 47(4): 946-954.
[8]	卢晶, 段勇, 刘海波. 基于z值的分布式密度峰值聚类算法[J]. 电子学报, 2018, 46(3): 730-738.
[9]	王于丁, 杨家海. DACPCC:一种包含访问权限的云计算数据访问控制方案[J]. 电子学报, 2018, 46(1): 236-244.
[10]	杜思军, 徐尚书, 刘俊南, 张俊伟, 马建峰. 云计算中抗共谋攻击的数据位置验证协议[J]. 电子学报, 2017, 45(6): 1321-1326.
[11]	陈振华, 李顺东, 王道顺, 黄琼, 张卫国. 集合成员关系的安全多方计算及其应用[J]. 电子学报, 2017, 45(5): 1109-1116.
[12]	鲁荣波, 陈留洋, 丁雷, 李建锋, 曾琳玲. 基于Contourlet域虚拟树结构和FOA-SVR的自适应鲁棒数字水印算法[J]. 电子学报, 2017, 45(3): 674-679.
[13]	李焱, 郑亚松, 李婧, 朱春鸽, 刘欣然. 云环境下面向跨域作业的调度方法[J]. 电子学报, 2017, 45(10): 2416-2424.
[14]	陶晓玲, 韦毅, 王勇. 一种基于分层多代理的云计算负载均衡方法[J]. 电子学报, 2016, 44(9): 2106-2113.
[15]	陈凯, 许海铭, 徐震, 林东岱, 刘勇. 适用于移动云计算的抗中间人攻击的SSP方案[J]. 电子学报, 2016, 44(8): 1806-1813.